Such was the case this week at a Colorado county election office, where an incident involving the encryption of its voter database is costing taxpayers tens of thousands of dollars and putting a wrinkle in the county's voting process.
As reported by Steamboat Today, northern Colorado's Routt County Clerk and Recorder's Office is currently scrambling to accommodate 5,773 voters whose mail-in ballots will not be recognized due to a user input error in the voter database's encryption system.
When an office worker for the county went to change the PIN for the election database earlier this month -- as required by the Colorado Secretary of State -- he or she made an inadvertent keystroke error that caused the system to reissue encryption keys. The mistake generated an encryption code that does not match the one already associated with the 5,773 ballots previously mailed to voters.
The net result of the snafu? The county now must bring in a team of election judges to replicate the election data under video surveillance to ensure voters get their say. Cost to fix the problem? More than $25,000.
"This mistake was not brought on by a lack of protection, but rather by the lack of quality enterprise key management," says Chris Corde, senior manager of application security products at RSA. "We always tell customers that encryption is the plumbing of the system, but it's not where all of the operational interaction takes place. That happens at the key manager.
"In this instance, Steamboat Springs experienced something we refer to as 'rekeying' of their data, which is the unencrypting of data with the old key and then re-encrypting of it with a new one," Corde explains.
According to Ulf Mattson, CTO for security vendor Protegrity, the incident is unfortunate because the government agency was unable to leverage lessons that developers of database encryption systems "learned a long time ago." Organizations should never use an authentication PIN or access code to generate encryption keys -- authentication should be separated from key management, he warns.
"If you still want to use an authentication PIN or access code to generate encryption keys, you should not have one single person knowing the whole PIN that can generate an encryption code," Mattson says. "Separation of duties -- split knowledge and potentially dual control -- should be used. Input validation, in general, can avoid that extra digit added by mistake."
Organizations should never allow for the automatic re-encryption of a database, Mattson advises. In the case of the county election, "it must be scheduled properly to avoid mistakes like re-encryption of the database during an election cycle," he says. "It should only allow changing the PIN before the election cycle."
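The two designs Mattson contrasts can be shown side by side. The Python below is an added illustration, not code from the article or from any vendor quoted in it: `PinKeyedStore` derives the data key directly from the PIN, so a change (or a stray extra keystroke, which it never validates) rekeys the store and orphans every record; `WrappedKeyStore` keeps a random data-encryption key, lets the PIN only wrap that key, splits the PIN between two custodians, validates its shape, and refuses PIN changes while an election is open. The sample record, PIN lengths, class and function names are all constructed; the stdlib-only HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real authenticated cipher.

```python
import hashlib
import hmac
import secrets

# Constructed sample data standing in for one row of the voter database.
SAMPLE_RECORD = b"ballot-id=0001;precinct=12;status=mailed"


def validate_pin(pin: str, length: int) -> str:
    """Input validation: reject a PIN of the wrong shape before it can reach
    key management, so an extra keystroke cannot silently become a new key."""
    if len(pin) != length or not pin.isdigit():
        raise ValueError(f"PIN must be exactly {length} digits")
    return pin


def derive_kek(pin: str, salt: bytes) -> bytes:
    """PBKDF2 stretches a PIN into a 256-bit key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=32)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only keystream for the demo."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(enc, nonce, len(data))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails here instead of yielding garbage."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or altered data")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))


class PinKeyedStore:
    """The pattern the article warns against: the PIN *is* the data key."""

    def __init__(self, pin: str):
        self.salt = secrets.token_bytes(16)
        self.key = derive_kek(pin, self.salt)      # no validation, no separation
        self.records = []

    def add(self, record: bytes) -> None:
        self.records.append(seal(self.key, record))

    def change_pin(self, new_pin: str) -> None:
        self.key = derive_kek(new_pin, self.salt)  # silently rekeys everything

    def read_all(self) -> list:
        return [open_(self.key, b) for b in self.records]


class WrappedKeyStore:
    """Authentication separated from key management: a random DEK protects the
    records, the PIN (split across two custodians) only wraps the DEK."""

    def __init__(self, part_a: str, part_b: str):
        self.salt = secrets.token_bytes(16)
        self.dek = secrets.token_bytes(32)         # demo keeps it in memory
        self.wrapped_dek = seal(self._kek(part_a, part_b), self.dek)
        self.records = []
        self.election_open = False

    def _kek(self, part_a: str, part_b: str) -> bytes:
        # Split knowledge: neither custodian's half alone derives the KEK.
        return derive_kek(validate_pin(part_a + part_b, 8), self.salt)

    def add(self, record: bytes) -> None:
        self.records.append(seal(self.dek, record))

    def change_pin(self, old_a, old_b, new_a, new_b) -> None:
        if self.election_open:
            raise PermissionError("PIN changes are blocked during an election cycle")
        dek = open_(self._kek(old_a, old_b), self.wrapped_dek)  # proves old PIN
        self.wrapped_dek = seal(self._kek(new_a, new_b), dek)   # rewrap DEK only

    def read_all(self, part_a, part_b) -> list:
        dek = open_(self._kek(part_a, part_b), self.wrapped_dek)
        return [open_(dek, b) for b in self.records]


def demo() -> dict:
    naive = PinKeyedStore("123456")
    naive.add(SAMPLE_RECORD)
    naive.change_pin("1234567")                    # the stray extra digit
    try:
        naive.read_all()
        naive_readable = True
    except ValueError:
        naive_readable = False
    good = WrappedKeyStore("1234", "5678")
    good.add(SAMPLE_RECORD)
    try:
        good.change_pin("1234", "5678", "9999", "00000")   # malformed new PIN
        rejected = False
    except ValueError:
        rejected = True
    good.change_pin("1234", "5678", "4321", "8765")
    return {"naive_readable": naive_readable, "bad_pin_rejected": rejected,
            "good_readable": good.read_all("4321", "8765") == [SAMPLE_RECORD]}
```

In `demo()`, the naive store loses every record after the mistyped PIN, while the wrapped-key store rejects the malformed PIN, accepts a well-formed one, and still reads the original record afterwards because only the wrapped copy of the DEK was rewritten. An HSM plays the role of the wrapped DEK and the PIN check in production; the `election_open` flag is the scheduling rule Mattson describes.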
RSA's Corde says that mistakes can also be avoided by not allowing certain key requests to be performed at the client. "We do this by turning off client-side permissions for key rotation, or even decryption in some instances," he says.
Some enterprises could also avoid trouble by using a solution such as a hardware security module (HSM), experts say. HSMs ensure that authentication codes can't be handled or decrypted outside the boundary of the hardware -- and that PIN verification only occurs inside the secure application, says Juan Asenjo, global product marketing manager for Thales Information Systems Security.
HSMs also enable key replication to prevent disruption in service, Asenjo observes. "HSMs could have helped prevent the problem experienced by the government agency in question," he says. "Login authentication provided by an HSM would have protected sensitive login information [against alteration] and safeguarded them from the apparent inadvertent change."