Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
March, 2007<br />
c. Restricting plaintext symmetric and private keys to physically protected containers. This<br />
includes key generators, key transport devices, key loaders, cryptographic modules, and<br />
key storage devices.<br />
d. Using integrity checks to assure that the integrity of a key or its association with other<br />
data has not been compromised. For example, keys may be wrapped (i.e., encrypted) in<br />
such a manner that unauthorized modifications to the wrapping or to the associations will<br />
be detected.<br />
e. Employing key confirmation (see Section 4.2.5.5) to help ensure that the proper key was,<br />
in fact, established.<br />
f. Establishing an accountability system that keeps track of each access to symmetric and<br />
private keys in plaintext form.<br />
g. Providing a cryptographic integrity check on the key (e.g., a MAC or a digital signature).<br />
h. The use of trusted time stamps for signed data.<br />
i. Destroying keys as soon as they are no longer needed.<br />
The worst form of key compromise is one that is not detected. Nevertheless, even in this case,<br />
certain protective measures can be taken. Key management systems (KMS) should be designed<br />
to mitigate the negative effects of a key compromise. A KMS should be designed so that the<br />
compromise of a single key compromises as few other keys as possible. For example, a single<br />
cryptographic key could be used to protect the data of only a single user or a limited number of<br />
users, rather than a large number of users. Often, systems have alternative methods to<br />
authenticate communicating entities that do not rely solely on the possession of keys. The object<br />
is to avoid building a system with catastrophic weaknesses.<br />
A compromise recovery plan is essential for restoring cryptographic security services in the<br />
event of a key compromise. A compromise recovery plan shall be documented and easily<br />
accessible. The plan may be included in the Key Management Practices Statement (see <strong>Part</strong> 2). If<br />
not, the Key Management Practices Statement should reference the compromise recovery plan.<br />
Although compromise recovery is primarily a local action, the repercussions of a compromised<br />
key are shared by the entire community that uses the system or equipment. Therefore,<br />
compromise recovery procedures should include the community at large. For example, recovery<br />
from the compromise of a root CA’s private signature key requires that all users of the<br />
infrastructure obtain and install a new trust anchor. Typically, this involves physical procedures<br />
that are expensive to implement. To avoid these expensive procedures, elaborate precautions to<br />
avoid compromise may be justified.<br />
The compromise recovery plan should contain:<br />
1. The identification of the personnel to notify,<br />
2. The identification of the personnel to perform the recovery actions,<br />
3. The re-key method, and<br />
4. Any other recovery procedures.<br />
Other compromise recovery procedures may include:<br />
5. Physical inspection of the equipment,<br />
60