March, 2007

recomputed. This imposes a significant burden; therefore, the strength of the cryptographic algorithm shall be selected so as to minimize the need for re-encryption.

Likewise, integrity protection may be provided by an archive integrity key (one or more authentication or digital signature keys that are used exclusively for the archive) or by another key that has been archived. If integrity protection is to be maintained beyond the end of the cryptoperiod of the archive integrity key, new integrity values shall be computed on the archived information to which the old archive integrity key was applied.

The archive keys may be either symmetric keys or public key pairs. Unless the cryptographic algorithm is specifically designed to provide both integrity and confidentiality with a single key, the keys used for confidentiality and integrity shall be different, and each shall be protected in the manner required for its key type (see Section 6).

Tables 9 and 10 indicate the appropriateness of archiving keys and other cryptography-related information. An "OK" in column 2 (Archive?) indicates that archival is permissible, but not necessarily required. Column 3 (Retention period) indicates the minimum time that the key should be retained in the archive. Additional advice on the storage of keying material in archive storage is provided in Appendix B.3.
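The two requirements above, separate confidentiality and integrity keys, and fresh integrity values computed when the archive integrity key's cryptoperiod ends, are illustrated by the following added example. It is not part of SP 800-57 and not NIST code: it derives distinct per-purpose keys from a constructed symmetric master key with labelled HMAC-SHA-256 (an HKDF-Expand-style step), tags each archived record with an HMAC under an archive integrity key, and at the end of that key's cryptoperiod verifies every record under the old key before re-tagging it under the new one. The master key value, the key identifiers ("int-v1", "int-v2") and the record contents are constructed for the example; the "ciphertext" fields are stand-in bytes, not output of a real cipher.

```python
import hashlib
import hmac

# Constructed sample master key (hypothetical). In an operational archive this
# comes from the key store and is protected as a symmetric master key (Section 6).
MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def derive_key(master: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific 256-bit key from the master key.

    One HMAC-SHA-256 block with a distinct label per purpose (the single-block
    case of HKDF-Expand, RFC 5869). Different labels give unrelated keys, so the
    confidentiality key and the integrity key are never the same bytes even
    though both descend from one archived master key."""
    return hmac.new(master, label + b"\x01", hashlib.sha256).digest()


def archive_tag(key: bytes, key_id: str, data: bytes) -> bytes:
    """Integrity value for an archived record.

    The identifier of the integrity key is bound into the MAC input so a tag
    computed under one archive integrity key cannot be presented as a tag
    computed under another."""
    return hmac.new(key, key_id.encode() + b"\x00" + data, hashlib.sha256).digest()


def verify_tag(key: bytes, key_id: str, data: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the stored tag against a recomputed one."""
    return hmac.compare_digest(archive_tag(key, key_id, data), tag)


def reauthenticate(records, old_key: bytes, old_id: str, new_key: bytes, new_id: str) -> int:
    """End-of-cryptoperiod roll of the archive integrity key.

    Every record protected under old_id is verified with the old key and, only
    if that check passes, re-tagged under the new key. A verification failure
    raises immediately: a record that is already corrupt must never be given a
    fresh, valid tag under the new key. Returns the number of records rolled."""
    rolled = 0
    for rec in records:
        if rec["integrity_key_id"] != old_id:
            continue
        if not verify_tag(old_key, old_id, rec["ciphertext"], rec["tag"]):
            raise ValueError(f"integrity failure on {rec['name']} before re-keying")
        rec["tag"] = archive_tag(new_key, new_id, rec["ciphertext"])
        rec["integrity_key_id"] = new_id
        rolled += 1
    return rolled


def build_archive():
    """Constructed archive: two records tagged under integrity key int-v1.
    The ciphertext bytes are placeholders for data encrypted under the
    separately derived confidentiality key."""
    k_int_v1 = derive_key(MASTER_KEY, b"archive-integrity-v1")
    sample = [
        ("rec-0001", b"constructed ciphertext of archived record one"),
        ("rec-0002", b"constructed ciphertext of archived record two"),
    ]
    return [
        {
            "name": name,
            "ciphertext": ct,
            "integrity_key_id": "int-v1",
            "tag": archive_tag(k_int_v1, "int-v1", ct),
        }
        for name, ct in sample
    ]


def demo() -> dict:
    """Roll the archive from int-v1 to int-v2 and report what happened."""
    old_key = derive_key(MASTER_KEY, b"archive-integrity-v1")
    new_key = derive_key(MASTER_KEY, b"archive-integrity-v2")

    records = build_archive()
    rolled = reauthenticate(records, old_key, "int-v1", new_key, "int-v2")
    new_tags_verify = all(
        verify_tag(new_key, "int-v2", r["ciphertext"], r["tag"]) for r in records
    )
    # After the roll the old key no longer validates anything in the archive.
    old_key_rejects = not any(
        verify_tag(old_key, "int-v1", r["ciphertext"], r["tag"]) for r in records
    )

    # Failure mode: one record was altered during its int-v1 cryptoperiod.
    tampered = build_archive()
    tampered[0]["ciphertext"] = b"X" + tampered[0]["ciphertext"][1:]
    try:
        reauthenticate(tampered, old_key, "int-v1", new_key, "int-v2")
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "rolled": rolled,
        "new_tags_verify": new_tags_verify,
        "old_key_rejects": old_key_rejects,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The order inside `reauthenticate` is the point of the exercise: verify under the retiring key first, then compute the new value. Reversing it, or re-tagging unconditionally, would convert a silent corruption into a record that validates cleanly under the new archive integrity key, and the only evidence of the damage would be lost with the old key.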
Table 9: Archive of keys

Type of key | Archive? | Retention period (minimum)
Private signature key | No | (not archived)
Public signature verification key | OK | Until no longer required to verify data signed with the associated private key
Symmetric authentication key | OK | Until no longer needed to authenticate data
Private authentication key | No | (not archived)
Public authentication key | OK | Until no longer required to verify the authenticity of data that was authenticated with the associated private key
Symmetric data encryption key | OK | Until no longer needed to decrypt data encrypted by this key
Symmetric key wrapping key | OK | Until no longer needed to decrypt keys encrypted by this key
Symmetric random number generator key | No | (not archived)
Symmetric master key | OK, if needed to derive other keys for archived data | Until no longer needed to derive other keys