Monthly research note. Theme: Cryptographic Infrastructure.

TL;DR

A focused memo on Key Management at Scale: Rotation, Audit, and Blast Radius: define the model, state the properties, then design the system so those properties remain true under failure and adversaries.

Key insight

Treat “timeouts” as a third outcome: not success, not failure—ambiguity you must model.

Key takeaways

  • Treat key IDs as capabilities; never pass raw private key material across boundaries.
  • Rotation and rollback are core features—design them before you ship.
  • Bind purpose and context (domain separation) so keys can’t be misused accidentally.
  • Make failure modes explicit and observable.
  • Write assumptions down; treat them as interfaces.

Why this matters

  • Operational reality (rotation, audit, rollback) is where crypto systems fail.
  • Cryptographic agility is useless if rollout and rollback are unsafe.
  • Most organizations don’t know where their keys live—until an incident.
  • Side channels turn performance details into security boundaries.

Key questions

  • How do you prove usage (who signed what, when, and why) without leaking secrets?
  • What is your disaster recovery story for KMS/HSM outages?
  • What is the rollback plan when a new algorithm breaks production?
  • What is the blast radius of compromise (tenant, service, region, environment)?
  • Which operations must be constant-time and how do you validate that?
  • How do you separate duties (operators vs developers vs security responders)?

Assumptions

  • Some environments are hostile (CI, ephemeral runners, shared build agents).
  • Attackers can observe timing and resource usage in shared environments.
  • Certificate chains and policies evolve; clients won’t all update together.
  • Rotation must occur under incident pressure; automation must be safe.

Non-goals

  • Assuming “HSM = secure” without defining the threat model.
  • Designing audit trails that expose sensitive plaintext or identifiers.
Attack surface

Parsing is an attacker-controlled interface—validate early and fail fast.

Model & invariants

Audit integrity is a cryptographic property:

log_entrySignkaudit(hash(event)  metadata).\mathrm{log\_entry} \leftarrow \mathrm{Sign}_{k_\text{audit}}(\mathrm{hash}(\text{event})\ \Vert\ \text{metadata}).

Treat key identifiers as capabilities with purpose constraints—enforce in code and policy.

Audit logs are evidence. Make them tamper-evident and operationally accessible.

Invariant

Monotonicity beats timestamps: counters and epochs survive clock skew.

Security properties

  • Downgrade resistance: negotiation can’t silently weaken security posture.
  • Authenticity: actions are bound to identity and purpose.
  • Least authority: privileges are scoped by purpose and time.
  • Integrity: invalid transitions are rejected (and detectable).

Failure modes

  • Observability gaps during incidents (missing evidence).
  • Timeout ambiguity causing double-apply or partial state transitions.
  • Config drift that weakens security posture over time.
  • Mixed-version behavior that violates assumptions silently.
Pitfall

Sampling hides the rare schedule that breaks your invariants.

Design sketch

flowchart LR
  policy["Policy (purpose + TTL)"] --> service["Signer Service"]
  service --> hsm["HSM/KMS"]
  service --> audit["Audit Stream"]
  audit --> siem["Detection/Response"]

Implementation notes

Make policy explicit and enforce it in the narrowest component possible.

Rule of thumb

Acknowledge only after durability (or make “ack” explicitly best-effort).

// Capability-style API: callers get a handle scoped to purpose + TTL.
type KeyPurpose string
type KeyHandle struct {
  ID string
  Purpose KeyPurpose
  ExpiresAtUnix int64
}

type Signer interface {
  Sign(h KeyHandle, msg []byte) (sig []byte, err error)
}

Verification strategy

  • Chaos for KMS: inject throttling, partial outages, and latency spikes.
  • Rotation drills: staged rollout, dual-sign windows, and rollback.
  • Misuse resistance tests: wrong purpose, wrong context, wrong key type must fail.
  • Constant-time validation: microbenchmarks + side-channel tooling where feasible.
  • Config drift detection: policy-as-code with diffs treated as security events.

Operational notes

  • Alert on policy drift: cipher suites, key sizes, algorithm toggles, TTL changes.
  • Test backup/restore for crypto material with the same rigor as databases.
  • Make audit streams append-only and queryable during incidents.
  • Automate rotation with safety rails (canary, dual-sign, fast rollback).
  • Separate duties and restrict production key access paths.
Operational note

Make degraded modes explicit: fail closed vs fail open is a policy choice.

What to monitor

  • Invariant violation rate (should be ~0).
  • Authz failures and policy denials (unexpected spikes).
  • Error budget burn + tail latency under load.
  • Admission-control / rate-limit rejections (by reason).
  • Rollback events and the conditions that triggered them.

Rollback plan

  • Prefer backward-compatible changes; avoid “flag day” upgrades.
  • Use canaries and staged rollout; stop early when signals degrade.
  • Define an explicit rollback trigger (metrics + thresholds).
  • Preserve evidence (configs, artifacts, audit logs) to reconstruct what changed.
  • Keep dual-write / dual-verify windows where appropriate.

Evidence

  • Site Reliability Engineering (Google) (1) — Error budgets, incident response, and reliability as an engineering discipline.
    • Evidence: Error budgets and incident response are correctness controls; tie monitoring and rollback triggers to SLO burn.
  • Let's Encrypt Incident Reports (2) — Real-world PKI incidents and operational lessons.
    • Evidence: Rotation and revocation are operational protocols; extract failure patterns into drills and automated rollbacks.

Open questions

  • Which secrets must remain confidential for 10+ years and where are they stored today?
  • How do you guarantee that audit does not become a data exfiltration channel?
  • What would a KMS compromise look like in your telemetry?
  • What is your plan for emergency revocation at global scale?

Checklist

  • Failure modes enumerated with mitigations.
  • Assumptions listed and reviewed.
  • Rollback plan rehearsed and automated.
  • Telemetry captures correctness signals.
  • Costs bounded (CPU/memory/bandwidth) under adversarial inputs.
  • Safety properties stated as invariants.

Further reading

1.
Beyer B, Jones C, Petoff J, Murphy NR. Site Reliability Engineering: How Google Runs Production Systems [Internet]. O’Reilly Media; 2016. Available from: https://sre.google/sre-book/table-of-contents/
2.
Let’s Encrypt. Let’s Encrypt Incident Reports [Internet]. Web; Available from: https://community.letsencrypt.org/c/incidents/16/l/top