Design and Verification of a Crypto-Agile Distributed Key Manager

We present DKM, a distributed key management system. DKM implements a new data protection API. It manages cryptographic keys and policies on behalf of groups of users that share the data. To ensure long-term protection, DKM supports cryptographic agility: algorithms, keys, and policies can evolve for protecting fresh data while preserving access to old data. DKM is written in C# and currently used by several large datacenter applications. To verify our design and implementation, we also write a lightweight reference implementation of DKM in F#. This code closes the gap between formal models and production code: • Formally, the F# code is a very precise model of DKM: we automatically verify its security properties against new symbolic libraries for cryptographic agility, using the refinement typechecker F7 coupled with a model checker. • Experimentally, this code closely follows the structure of our production code: we automatically test that the corresponding F# and C# code fragments are interchangeable and yield the same results. We also report on several problems we uncovered and fixed as part of this joint design, development, and verification process.