Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
March, 2007<br />
All records of the entity and the entity's associations shall be marked to indicate that the entity is<br />
no longer a member of the security domain, but the records should not be deleted. To reduce<br />
confusion and unavoidable human errors, identification information associated with the deregistered<br />
entity should not be re-used (at least for a period of time). For example, if a “John<br />
Wilson” retires and is de-registered on Friday, the identification information assigned to his son<br />
“John Wilson”, who is hired the following Monday, should be different.<br />
8.3.3 Key De-registration Function<br />
Registered keying material may be associated with the identity of a key owner, owner attributes<br />
(e.g., email address), or role or authorization information. When the keying material is no longer<br />
needed, or the associated information becomes invalid, the keying material should be deregistered<br />
(i.e., all records of the keying material and its associations should be marked to<br />
indicate that the key is no longer in use).<br />
When a cryptographic key is compromised, that key and any associated keying material should<br />
be de-registered. In a PKI, key de-registration is commonly achieved by including the certificate<br />
in a list of revoked certificates (i.e., a CRL). Where the PKI uses online status mechanisms (e.g.,<br />
the Online Certificate Status Protocol [RFC2560]), de-registration is achieved by informing the<br />
appropriate certificate status server(s). For example, when a private key is compromised, the<br />
corresponding public key certificate should be revoked. Certificate revocation because of a key<br />
compromise indicates that the binding between the owner and the key is no longer to be trusted.<br />
Keying material should be de-registered when the attributes associated with an entity are<br />
modified. For example, if an entity's email address is associated with a public key, and the<br />
entity's address changes, the keying material should be de-registered to indicate that the<br />
associated attributes have become invalid. Unlike the case of key compromise, the entity could<br />
safely re-register the public key after modifying the entity's attributes through the user<br />
registration process (see Section 8.1.1).<br />
8.3.4 Key Destruction Function<br />
When copies of cryptographic keys are made, care should be taken to provide for their eventual<br />
destruction. All copies of the private or symmetric key shall be destroyed as soon as no longer<br />
required (e.g., for archival or reconstruction activity) in order to minimize the risk of a<br />
compromise. Any media on which unencrypted keying material requiring confidentiality<br />
protection is stored shall be erased in a manner that removes all traces of the keying material so<br />
that it cannot be recovered by either physical or electronic means 30 . Public keys may be retained<br />
or destroyed, as desired.<br />
8.3.5 Key Revocation Function<br />
It is sometimes necessary to remove keying material from use prior to the end of its normal<br />
cryptoperiod for reasons that include key compromise, removal of an entity from an<br />
organization, etc. This process is known as key revocation and is used to explicitly revoke a<br />
30 A simple deletion of the keying material might not completely obliterate the information. For example, erasing the<br />
information might require overwriting that information multiple times with other non-related information, such as<br />
random bits, or all zero or one bits. Keys stored in memory for a long time can become “burned in”. This can be<br />
mitigated by splitting the key into components that are frequently updated (see [DiCrescenzo]).<br />
112