Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
March, 2007<br />
Overview<br />
The proper management of cryptographic keys is essential to the effective use of cryptography<br />
for security. Keys are analogous to the combination of a safe. If a safe combination becomes<br />
known to an adversary, the strongest safe provides no security against penetration. Similarly,<br />
poor key management may easily compromise strong algorithms. Ultimately, the security of<br />
information protected by cryptography directly depends on the strength of the keys, the<br />
effectiveness of mechanisms and protocols associated with keys, and the protection afforded to<br />
the keys. All keys need to be protected against modification, and secret and private keys need to<br />
be protected against unauthorized disclosure. Key management provides the foundation for the<br />
secure generation, storage, distribution, and destruction of keys.<br />
Users and developers are presented with many choices in their use of cryptographic mechanisms.<br />
Inappropriate choices may result in an illusion of security, but little or no real security for the<br />
protocol or application. This recommendation (i.e., SP 800-57) provides background information<br />
and establishes frameworks to support appropriate decisions when selecting and using<br />
cryptographic mechanisms.<br />
This recommendation does not address implementation details for cryptographic modules that<br />
may be used to achieve the security requirements identified. These details are addressed in<br />
[FIPS140-2] and the derived test requirements (available at http://csrc.nist.gov/cryptval/).<br />
This recommendation is written for several different audiences and is divided into three parts.<br />
<strong>Part</strong> 1, <strong>General</strong>, contains basic key management guidance. It is intended to advise developers<br />
and system administrators on the "best practices" associated with key management.<br />
Cryptographic module developers may benefit from this general guidance by obtaining a greater<br />
understanding of the key management features that are required to support specific intended<br />
ranges of applications. Protocol developers may identify key management characteristics<br />
associated with specific suites of algorithms and gain a greater understanding of the security<br />
services provided by those algorithms. System administrators may use this document to<br />
determine which configuration settings are most appropriate for their information. <strong>Part</strong> 1 of the<br />
recommendation:<br />
1. Defines the security services that may be provided and key types employed in using<br />
cryptographic mechanisms.<br />
2. Provides background information regarding the cryptographic algorithms that use<br />
cryptographic keying material.<br />
3. Classifies the different types of keys and other cryptographic information according to<br />
their functions, specifies the protection that each type of information requires and<br />
identifies methods for providing this protection.<br />
4. Identifies the states in which a cryptographic key may exist during its lifetime.<br />
5. Identifies the multitude of functions involved in key management.<br />
6. Discusses a variety of key management issues related to the keying material. Topics<br />
discussed include key usage, cryptoperiod length, domain parameter validation, public<br />
5