Part 1: General - Computer Security Resource Center - National ...
March, 2007

ephemeral key pairs, and when used, not all entities have an ephemeral key pair (see [SP800-56]).
B.3.11.1 Private Ephemeral Keys

Private ephemeral keys shall not [34] be backed up or archived. If the private ephemeral key is lost or corrupted, a new key pair shall be generated, and the new public ephemeral key shall be provided to the other participating entity in the key agreement process.
B.3.11.2 Public Ephemeral Keys

Public ephemeral keys may be backed up or archived if they are required for reconstruction of the established keying material, and the private ephemeral keys are not required in the key agreement computation.
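The two rules above (destroy the private ephemeral key as soon as it has been used, retain only the public value where it is needed to reconstruct the keying material) as an added Python example; this is not code from SP 800-57 or SP 800-56. It models a one-pass Diffie-Hellman exchange in which the initiator contributes an ephemeral key pair and the responder a static one, so the responder can later recompute the shared secret from its static private key plus the archived ephemeral public key, while the initiator's ephemeral private exponent is discarded immediately after use. Assumptions: the modulus is taken to be the 1024-bit MODP group 2 of RFC 2409 (check the constant against the RFC before reuse; it is far below current strength targets), the KDF is a simplified SHA-256 stand-in for the SP 800-56 concatenation KDF, and the class, function and helper names (including `simulate_loss`, which models a lost or corrupted ephemeral private key) are this example's own.

```python
import hashlib
import secrets

# Domain parameters. Assumption: the 1024-bit MODP group 2 from RFC 2409,
# a safe prime (q = (p-1)/2 prime). Used only to keep the example self-contained;
# verify the constant against the RFC before reuse, and do not deploy 1024-bit MODP.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2
Z_LEN = (P.bit_length() + 7) // 8


def validate_public_key(y: int) -> None:
    """Full public-key validation for a safe-prime group: 2 <= y <= P-2 and y has order Q."""
    if not 2 <= y <= P - 2 or pow(y, Q, P) != 1:
        raise ValueError("invalid DH public key")


def generate_key_pair() -> tuple[int, int]:
    x = secrets.randbelow(Q - 1) + 1            # private exponent in [1, Q-1]
    return x, pow(G, x, P)


def derive_key(z: int, other_info: bytes) -> bytes:
    """Single-step KDF: SHA-256(counter || Z || OtherInfo).
    Assumption: a simplified stand-in for the SP 800-56 concatenation KDF."""
    return hashlib.sha256(b"\x00\x00\x00\x01" + z.to_bytes(Z_LEN, "big") + other_info).digest()


class EphemeralKeyPair:
    """Initiator-side ephemeral key pair. The private exponent exists only until
    the first shared-secret computation (B.3.11.1); the public value may be
    retained or archived by whoever needs it for reconstruction (B.3.11.2)."""

    def __init__(self) -> None:
        self._private, self.public = generate_key_pair()

    @property
    def private_available(self) -> bool:
        return self._private is not None

    def simulate_loss(self) -> None:
        # Hypothetical helper: models a lost or corrupted private ephemeral key
        # before use. Because it was never backed up, the only remedy is a new pair.
        self._private = None

    def compute_shared_secret(self, peer_static_public: int) -> int:
        if self._private is None:
            raise RuntimeError("ephemeral private key already destroyed or lost")
        validate_public_key(peer_static_public)
        z = pow(peer_static_public, self._private, P)
        self._private = None                    # destroy immediately after use
        return z


def initiator_session(responder_static_public: int, other_info: bytes,
                      lose_first_pair: bool = False):
    """One-pass DH from the initiator's side. Returns the derived key, the ephemeral
    public value sent to the responder, and the (now private-less) key pair object."""
    eph = EphemeralKeyPair()
    if lose_first_pair:
        eph.simulate_loss()
    if not eph.private_available:
        eph = EphemeralKeyPair()                # B.3.11.1: regenerate, send the new public key
    z = eph.compute_shared_secret(responder_static_public)
    return derive_key(z, other_info), eph.public, eph


def responder_reconstruct(responder_static_private: int, archived_eph_public: int,
                          other_info: bytes) -> bytes:
    """Re-derive the keying material from the responder's static private key and the
    archived ephemeral public key alone, which is the B.3.11.2 condition."""
    validate_public_key(archived_eph_public)
    return derive_key(pow(archived_eph_public, responder_static_private, P), other_info)
```

The responder can recompute the established keying material at any time from its static private key and the archived ephemeral public value; the initiator, having discarded its private exponent, cannot, and a second call on the same ephemeral object fails. That asymmetry is why the public ephemeral key, and never the private one, is a candidate for backup or archive.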
B.3.12 Symmetric Authorization Keys

Symmetric authorization keys are used to provide privileges to an entity (e.g., access to certain information or authorization to perform certain functions). Loss of these keys will deny the privileges (e.g., prohibit access and disallow performance of these functions). If the authorization key is lost or corrupted and can be replaced in a timely fashion, then the authorization key need not be backed up. A symmetric authorization key shall not be archived.
B.3.13 Authorization Key Pairs

Authorization key pairs are used to provide privileges to an entity. The private key is used to establish the "right" to the privilege; the public key is used to determine that the entity actually has the right to the privilege.
B.3.13.1 Private Authorization Keys

Loss of the private authorization key will deny the privileges (e.g., prohibit access and disallow performance of these functions). If the private key is lost or corrupted and can be replaced in a timely fashion, then the private key need not be backed up. Otherwise, the private key should be backed up. The private key shall not be archived, since the privilege will not be granted after the end of the cryptoperiod unless a new authorization key pair is provided.
B.3.13.2 Public Authorization Keys

If the authorization key pair can be replaced in a timely fashion (i.e., regeneration of the key pair and secure distribution of the private key to the entity seeking authorization), then the public authorization key need not be backed up. Otherwise, the public key should be backed up. Archiving the public key is not appropriate.
B.3.14 Other Cryptographically Related Material

Like keys, other cryptographically related material may need to be backed up or archived, depending on use.

[34] SP 800-56 states that the private ephemeral keys shall be destroyed immediately after use. This implies that the private ephemeral keys shall not be backed up or archived.
134