Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
March, 2007<br />
10.2 Content of the Key Management Specification<br />
The level of detail required for each section of the Key Management Specification can be<br />
tailored, depending upon the complexity of the device or application for which the Key<br />
Management Specification is being written. The Key Management Specification should contain<br />
a title page that includes the device identifier, and the developer’s or integrator’s identifier. A<br />
revision page, list of reference documents, table of contents, and definition of abbreviations and<br />
acronyms page should also normally be included. The terminology used in a Key Management<br />
Specification shall be in accordance with the terms defined in appropriate NIST standards and<br />
guidelines. Unless the information is tightly controlled, the Key Management Specification<br />
should not contain proprietary or sensitive information. The Key Management Specification<br />
should not contain proprietary information. [Note: If the cryptographic application is supported<br />
by a PKI, a statement to that effect should be included in the appropriate Key Management<br />
Specification sections below.]<br />
10.2.1 Cryptographic Application<br />
The Cryptographic Application section provides a basis for the development of the rest of the<br />
Key Management Specification. The Cryptographic Application section provides a brief<br />
description of the cryptographic application or proposed employment of the cryptographic<br />
device. This includes the purpose or use of the cryptographic device (or application of a<br />
cryptographic device), and whether it is a new cryptographic device, a modification of an<br />
existing cryptographic device, or an existing cryptographic device for which a Key Management<br />
Specification does not exist. A brief description of the security services (confidentiality,<br />
integrity, non-repudiation, access control, identification and authentication, and availability) that<br />
the cryptographic device/application provides should be included. Information concerning longterm<br />
and potential interim key management support (key management components) for the<br />
cryptographic application should be provided.<br />
10.2.2 Communications Environment<br />
The Communications Environment section provides a brief description of the communications<br />
environment in which the cryptographic device is designed to operate. Some examples of<br />
communications environments include:<br />
1. Data networks (intranet, internet, VPN),<br />
2. Wired communications (landline, dedicated or shared switching resources), and<br />
3. Wireless communications (satellite, radio frequency).<br />
The environment may also include any anticipated access controls on communications resources,<br />
data sensitivity, privacy issues, non-repudiation requirements, etc.<br />
10.2.3 Key Management Component Requirements<br />
The key management component requirements section describes the types and logical structure<br />
of keying material required for operation of the cryptographic device. Cryptographic applications<br />
using public key certificates (i.e., X.509 certificates) should describe the types of certificates<br />
supported. The following information should be included:<br />
1. The different keying material classes or types required, supported, and/or generated (e.g.,<br />
for PKI: CA, signature, key establishment, and authentication);<br />
120