Part 1: General - Computer Security Resource Center - National ...

March, 2007
minimum key size 7 of 160 bits. ECDSA produces digital signatures that are twice the length of
the key size. Recommended elliptic curves are provided in [FIPS186-3].
4.2.5 Key Establishment Schemes
Key establishment schemes are used to set up keys to be used between communicating entities.
Two types of key establishment are defined: key transport and key agreement. Approved key
establishment schemes are provided in [SP800-56].
Key transport is the distribution of a key (and other keying material) from one entity to another
entity. The keying material is usually encrypted by the sending entity and decrypted by the
receiving entity(ies). If a symmetric algorithm (e.g., AES key wrap) is used to encrypt the keying
material to be distributed, the sending and receiving entities need to know the symmetric key
wrapping key (i.e., key encrypting key). If a public key algorithm is used to distribute the keying
material, a key pair is used as the key encrypting key; in this case, the sending entity encrypts the
keying material using the receiving entity’s public key; the receiving entity decrypts the received
keying material using the associated private key.
Key agreement is the participation by both entities (i.e., the sending and receiving entities) in the
creation of shared keying material. This may be accomplished using either asymmetric (public
key) or symmetric key techniques. If an asymmetric algorithm is used, each entity has either a
static key pair or an ephemeral key pair or both. If a symmetric algorithm is used, each entity
shares the same symmetric key wrapping key.
[SP800-56] adopts selected key establishment schemes defined in ANSI standards that use public
key algorithms: [ANSX9.42], and [ANSX9.63]. [ANSX9.42] specifies key agreement schemes
and [ANSX9.63] specify both key agreement and key transport schemes.
With the key establishment schemes specified in [SP800-56], a party may own no keys, an
ephemeral key, a static key, or both an ephemeral and a static key. The ephemeral key is used to
introduce a new secret from one key establishment to another, while the static key (if used in a
PKI with public key certificates) provides for the authentication of the owner. [SP800-56]
characterizes each scheme into a class depending upon how many ephemeral and static keys are
used. Each scheme class has its corresponding security properties. Cryptographic protocol
designers must understand the security properties of the schemes in order to assure that the
desired capabilities are available to the user. In general, schemes where each party uses both an
ephemeral and a static key provide more security properties than schemes using fewer keys.
However, it may not be practical for both parties to use both static and ephemeral keys in certain
applications. For example, in email applications, it is desirable to send messages to other parties
who are not on-line. In this case we cannot expect the receiver to use an ephemeral key to
establish the message encrypting key.
4.2.5.1 Discrete Log Key Agreement Schemes Using Finite Field Arithmetic
Key agreement schemes based on the intractability of the discrete logarithm problem and using
finite field arithmetic have been adopted in [SP800-56] from [ANSX9.42]. [SP800-56] has
adopted seven of the eight schemes defined in [ANSX9.42]. Each scheme provides a different
7 For elliptic curves, the key size is the length f of the order n of the base point G of the chosen elliptic curve.
38