Key Management: Types and the Broken Enigma Cipher Case

As we have shown in previous chapters, once we start thinking about the cryptosystem as a summary of technical and organizational measures, another important component enters the game: key management. This includes dealing with the generation, exchange, storage, use, and replacement of keys. The key management is equally as important as the other cryptosystem components. In fact, a broken key management (i.e. unauthorized acquisition of cipher keys) may have the same consequences as a broken cipher algorithm itself and is often easier to implement. The key management selection and its setup is therefore one of the most crucial data encryption management decisions.

The main problem in modern cryptography is establishing trust between two subjects who, despite no prior physical contact, want to trust each other’s keys, typically for a confidential message exchange via the Internet. Two fundamentally different concepts, with many modifications and various parameter settings, have become widely used. We will describe them here, along with their major pros and cons.

The first concept, PKI system, used widely mainly in the U.S.A., but also certified in the E.U., is a centralized system. A client submits his public key to the certificate authority which uses a documentary evidence (e.g. a copy of the Certificate of Incorporation) to verify the client’s data, and if everything is in order, signs this public key with its private key. The public keys of individual certificate authorities are then permanently stored in the operating system (particularly Microsoft WindowsTM) and every public key signed by any of those authorities is deemed authentic (trustworthy).


  • out of box ease of use
  • professionalism of specialized authorities


  • the accepted key trustworthiness is determined by a third party, not the user
  • vulnerability to malevolent authority actions
  • individual authorities’ vulnerability to having their private keys (or their storage) broken

The second system was originally devised by Phil Zimmermann within his PGP/GPG system and it is described as the network of trust. It is based on a similar principle as friends on Facebook or the LinkedIn network, i.e. between any two subjects (individuals or companies), there is a relatively short path, always formed by the subjects’ mutual acquaintances.

In the network of trust, any user may therefore add his electronic signature to any public key, as long as he knows that the key belongs to the subject named on the key. The user may then define the rules how many and how remote (across how many interlinks) signatures such a key must contain to be deemed trustworthy.


  • the key trustworthiness rules are defined by the user
  • ability to create an unlimited number of mutually independent ad-hoc networks of trust
  • breaking or stealing an individual key has a limited impact


  • vulnerability related to the rule-setting individual’s professional experience
  • a need for more sophisticated configuration of the defined rules (does not work out of box)

We will conclude with a historical excursion: the secret capture of Enigma encryption machines and their codebooks from German U-boats by the Allies during the WWII and their utilization in decrypting commands intended for the U-boats was from the technical point of view a (successful) key management attack.

Historians agree that this particular moment was a turning point which resulted in the elimination of the German U-boat fleet, fatal to Britain until then. Interestingly, Grand Admiral Dönitz came up with a number of theories about the U-boat traffic information leak causes, but until the end of the war refused to believe that the British were able to decrypt dispatches enciphered by the enhanced Enigma. It illustrates the threat of both key management attacks and the impact of false sense of security which we have mentioned in previous chapters.