Part 1: General - Computer Security Resource Center - National ...

More documents

Recommendations

Info

March, 2007 5.6 Guidance for Cryptographic Algorithm and Key Size Selection....................................61 5.6.1 Comparable Algorithm Strengths .......................................................................61 5.6.2 Defining Appropriate Algorithm Suites..............................................................65 5.6.3 Using Algorithm Suites.......................................................................................67 5.6.4 Transitioning to New Algorithms and Key Sizes ...............................................68 6 PROTECTION REQUIREMENTS FOR CRYPTOGRAPHIC INFORMATION .........72 6.1 Protection Requirements.................................................................................................72 6.1.1 Summary of Protection Requirements for Cryptographic Keys.........................73 6.1.2 Summary of Protection Requirements for Other Cryptographic or Related Information .........................................................................................................76 6.2 Protection Mechanisms...................................................................................................78 6.2.1 Protection Mechanisms for Cryptographic Information in Transit.....................79 6.2.1.1 Availability ..........................................................................................79 6.2.1.2 Integrity................................................................................................79 6.2.1.3 Confidentiality .....................................................................................80 6.2.1.4 Association with Usage or Application ...............................................80 6.2.1.5 Association with Other Entities ...........................................................81 6.2.1.6 Association with Other Related Information .......................................81 6.2.2 Protection Mechanisms for Information in Storage............................................81 6.2.2.1 Availability ..........................................................................................81 6.2.2.2 Integrity................................................................................................81 6.2.2.3 Confidentiality ....................................................................................82 6.2.2.4 Association with Usage or Application ...............................................82 6.2.2.5 Association with the Other Entities .....................................................83 6.2.2.6 Association with Other Related Information .......................................83 6.2.3 Labeling of Cryptographic Information..............................................................83 6.2.3.1 Labels for Keys....................................................................................83 6.2.3.2 Labels for Related Cryptographic Information....................................84 7 KEY STATES AND TRANSITIONS....................................................................................85 7.1 Key States ...........................................................................................................................85 7.2 Key State Transitions..........................................................................................................86 7.3 States and Transitions for Asymmetric Keys......................................................................87 9
March, 2007 8 KEY MANAGEMENT PHASES AND FUNCTIONS ........................................................89 8.1 Pre-operational Phase......................................................................................................92 8.1.1 User Registration Function .................................................................................92 8.1.2 System Initialization Function ............................................................................92 8.1.3 User Initialization Function ................................................................................92 8.1.4 Keying Material Installation Function................................................................92 8.1.5 Key Establishment Function...............................................................................93 8.1.5.1 Generation and Distribution of Asymmetric Key Pairs.......................93 8.1.5.1.1 Distribution of Static Public Keys ........................................................................... 94 8.1.5.1.1.1 Distribution of a Trust Anchor's Public Key in a PKI.......................... 94 8.1.5.1.1.2 Submission to a Registration Authority or Certification Authority...... 95 8.1.5.1.1.3 <strong>General</strong> Distribution............................................................................. 97 8.1.5.1.2 Distribution of Ephemeral Public Keys ................................................................... 97 8.1.5.1.3 Distribution of Centrally Generated Key Pairs ........................................................ 98 8.1.5.2 Generation and Distribution of Symmetric Keys.................................98 8.1.5.2.1 Key Generation........................................................................................................ 99 8.1.5.2.2 Key Distribution ...................................................................................................... 99 8.1.5.2.2.1 Manual Key Distribution ..................................................................... 99 8.1.5.2.2.2 Electronic Key Distribution/Key Transport ....................................... 100 8.1.5.2.3 Key Agreement...................................................................................................... 100 8.1.5.3 Generation and Distribution of Other Keying Material.....................101 8.1.5.3.1 Domain Parameters................................................................................................ 101 8.1.5.3.2 Initialization Vectors ............................................................................................. 101 8.1.5.3.3 Shared Secrets........................................................................................................ 101 8.1.5.3.4 RNG Seeds ............................................................................................................ 101 8.1.5.3.5 Intermediate Results .............................................................................................. 102 8.1.6 Key Registration Function ................................................................................102 8.2 Operational Phase .........................................................................................................102 8.2.1 Normal Operational Storage Function..............................................................103 8.2.1.1 Device or Module Storage .................................................................103 8.2.1.2 Immediately Accessible Storage Media.............................................103 8.2.2 Continuity of Operations Function ...................................................................103 8.2.2.1 Backup Storage ..................................................................................103 8.2.2.2 Key Recovery Function .....................................................................105 8.2.3 Key Change Function .......................................................................................106 10
Page 1 and 2: ARCHIVED PUBLICATION The attached p
Page 3 and 4: Abstract March, 2007 This Recommend
Page 5 and 6: Authority March, 2007 This document
Page 7 and 8: March, 2007 key validation, account
Page 9: March, 2007 4.2.4.1 DSA............
Page 13 and 14: March, 2007 10.2.9 Compromise Manag
Page 15 and 16: March, 2007 Figure 3: Key states an
Page 17 and 18: March, 2007 1.2 Audience The audien
Page 19 and 20: March, 2007 1. Section 1, Introduct
Page 21 and 22: March, 2007 Backup A copy of inform
Page 23 and 24: March, 2007 Digital signature The r
Page 25 and 26: Key Management Policy Key Managemen
Page 27 and 28: Proof of possession (POP) Pseudoran
Page 29 and 30: March, 2007 Split knowledge A proce
Page 31 and 32: March, 2007 3 Security Services Cry
Page 33 and 34: March, 2007 However, it is often th
Page 35 and 36: March, 2007 4 Cryptographic Algorit
Page 37 and 38: March, 2007 operates on blocks (chu
Page 39 and 40: March, 2007 minimum key size 7 of 1
Page 41 and 42: March, 2007 2. The protocols trigge
Page 43 and 44: March, 2007 7. Symmetric key wrappi
Page 45 and 46: March, 2007 9. Random numbers: The
Page 47 and 48: March, 2007 In general, where stron
Page 49 and 50: March, 2007 a. When a symmetric key
Page 51 and 52: March, 2007 information. For less s
Page 53 and 54: 8. Symmetric and Asymmetric RNG key
Page 55 and 56: 15. Private ephemeral key agreement
Page 57 and 58: Key Type 12. Symmetric Key Agreemen
Page 59 and 60: March, 2007 establishment keys, see
Page 61 and 62:
March, 2007 c. Restricting plaintex
Page 63 and 64:
March, 2007 algorithms completely i
Page 65 and 66:
March, 2007 Table 3: Hash function
Page 67 and 68:
Table 4: Recommended algorithms and
Page 69 and 70:
March, 2007 size is available, the
Page 71 and 72:
Security life of data up to 4 years
Page 73 and 74:
March, 2007 6 Protection Requiremen
Page 75 and 76:
Table 5: Protection requirements fo
Page 77 and 78:
Key Type Security Service Private e
Page 79 and 80:
March, 2007 Crypto. Security Securi
Page 81 and 82:
March, 2007 may be applied only to
Page 83 and 84:
March, 2007 All cryptographic infor
Page 85 and 86:
March, 2007 8. Domain parameters (e
Page 87 and 88:
March, 2007 6. Destroyed Compromise
Page 89 and 90:
March, 2007 a. A private signature
Page 91 and 92:
2 Pre-Operational Phase 3 7 1 4 Ope
Page 93 and 94:
March, 2007 8.1 Pre-operational Pha
Page 95 and 96:
8.1.5.1.1 Distribution of Static Pu
Page 97 and 98:
March, 2007 and then provide eviden
Page 99 and 100:
March, 2007 listed in Section 8.1.5
Page 101 and 102:
March, 2007 encrypting key or publi
Page 103 and 104:
March, 2007 8.1.5.3.5 Intermediate
Page 105 and 106:
March, 2007 of keying material and
Page 107 and 108:
March, 2007 2. The application in w
Page 109 and 110:
March, 2007 and the key derivation
Page 111 and 112:
March, 2007 Type of Key Archive? Re
Page 113 and 114:
March, 2007 All records of the enti
Page 115 and 116:
March, 2007 other cryptographic inf
Page 117 and 118:
March, 2007 access to information e
Page 119 and 120:
March, 2007 1. Private key used to
Page 121 and 122:
March, 2007 10.2 Content of the Key
Page 123 and 124:
March, 2007 Management Specificatio
Page 125 and 126:
March, 2007 is the same value as th
Page 127 and 128:
March, 2007 If the decision is made
Page 129 and 130:
March, 2007 only, and then shall be
Page 131 and 132:
March, 2007 may be stored in backup
Page 133 and 134:
March, 2007 and the method of key r
Page 135 and 136:
March, 2007 ephemeral key pairs, an
Page 137 and 138:
B.3.14.7 Key Control Information Ma
Page 139 and 140:
March, 2007 to be saved. Keys for t
Page 141 and 142:
[HAC] Handbook of Applied Cryptogra
Page 143:
March, 2007 the owner by the CA tha
show all

Part 1: General - Computer Security Resource Center - National ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?