Part 1: General - Computer Security Resource Center - National ...
Table 10: Archive of other cryptographic related information
March, 2007

| Type of Key | Archive? | Retention period (minimum) |
|---|---|---|
| Domain parameters | OK | Until all keying material, signatures and signed data using the domain parameters are removed from the archive |
| Initialization vector | OK; normally stored with the protected information | Until no longer needed to process the protected data |
| Shared secret | No | |
| RNG seed | No | |
| Other public information | OK | Until no longer needed to process data using the public information |
| Intermediate result | No | |
| Key control information (e.g., IDs, purpose) | OK | Until the associated key is removed from the archive |
| Random number | No | |
| Password | No, unless used to detect the reuse of old passwords | Until no longer needed to detect password reuse |
| Audit information | OK | Until no longer needed |
After the end of a key’s cryptoperiod, keying material may be recovered from archival storage, providing that the keying material has been archived. Alternatively, the keying material may be reconstructed (e.g., re-derived), if the key management system has been appropriately designed. Key recovery of archived keying material may be required to remove (e.g., decrypt) or check (e.g., verify a digital signature or a MAC) the cryptographic protections on archived data. The key recovery process results in retrieving the desired keying material from archive storage in order to perform the required cryptographic operation. Immediately after completing this operation, the keying material shall be erased from the cryptographic process but still exists in the archive (see Section 8.3.4). Further advice on key recovery issues is provided in Appendix B.
8.3.2 Entity De-registration Function
The entity de-registration function removes the authorizations of an entity to participate in a security domain. When an entity ceases to be a member of a security domain, the entity shall be de-registered. De-registration is intended to prevent other entities from relying on or using the de-registered entity's keying material.
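As an added illustration (not part of SP 800-57 and not a NIST implementation), the following Python sketch models the key-recovery flow from the previous section together with de-registration: a working copy of archived keying material is handed out for one operation (here, verifying a MAC on archived data) and erased afterwards while the archive keeps its own copy, and a de-registered entity's keying material can no longer be relied on. The entity name, the archive contents and the MAC key are constructed sample values.

```python
import hmac
import hashlib
from contextlib import contextmanager

# Constructed sample archive (hypothetical): entity id -> archived MAC key.
ARCHIVE = {"alice": bytes.fromhex("00112233445566778899aabbccddeeff")}
DEREGISTERED = set()


def deregister(entity: str) -> None:
    """Entity de-registration: the keying material stays in the archive,
    but other entities may no longer rely on or use it."""
    DEREGISTERED.add(entity)


@contextmanager
def recover_key(entity: str):
    """Key recovery: hand out a working copy of archived keying material for
    one operation, then erase that copy. The archive keeps its own copy.
    (CPython may still hold transient immutable copies; this models the intent.)"""
    if entity in DEREGISTERED:
        raise PermissionError(f"{entity} is de-registered")
    working = bytearray(ARCHIVE[entity])
    try:
        yield working
    finally:
        for i in range(len(working)):  # zeroize the working copy in place
            working[i] = 0


def make_tag(entity: str, data: bytes) -> bytes:
    """Apply a MAC with the archived key (to build sample protected data)."""
    with recover_key(entity) as key:
        return hmac.new(key, data, hashlib.sha256).digest()


def verify_archived_mac(entity: str, data: bytes, tag: bytes) -> bool:
    """Check the protection on archived data; the key copy is erased on exit."""
    with recover_key(entity) as key:
        expected = hmac.new(key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def working_copy_zeroized(entity: str) -> bool:
    """True if the copy handed out by recover_key is all zeros after use
    while the archived original is unchanged."""
    with recover_key(entity) as key:
        copy = key  # keep a reference past the block
    return all(b == 0 for b in copy) and ARCHIVE[entity] != bytes(copy)
```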
111