Part 1: General - Computer Security Resource Center - National ...
March, 2007

6.2.1.5 Association with Other Entities

The association of keying material with the appropriate entity (e.g., the key source) shall be either specifically identified during the distribution process (e.g., using public key certificates) or be implicitly defined by the use of the application. See Section 6.2.3 for guidance on labeling.
6.2.1.6 Association with Other Related Information

Any association with other related information (e.g., domain parameters, the encryption/decryption key or IVs) shall be either specifically identified during the distribution process or be implicitly defined by the use of the application. See Section 6.2.3 for guidance on labeling.
6.2.2 Protection Mechanisms for Information in Storage

Cryptographic information that is not in transit is at rest in some device or storage media. This may include copies of information that is also in transit. This information shall be protected in accordance with Section 6.1. A variety of protection mechanisms may be used.

The cryptographic information may be stored so as to be immediately available to an application (e.g., on a local hard disk or a server); this would be typical for keying material stored within the cryptographic module or in immediately accessible storage (e.g., on a local hard drive). The keying material may also be stored in electronic form on removable media (e.g., a CD-ROM), in a remotely accessible location, or in hard copy form and placed in a safe; this would be typical for backup or archive storage.
6.2.2.1 Availability

Cryptographic information may need to be readily available for as long as data is protected by the information. A common method for providing this protection is to make one or more copies of the cryptographic information and store them in separate locations. During a key's cryptoperiod, keying material requiring long-term availability should be stored in both normal operational storage (see Section 8.2.1) and in backup storage (see Section 8.2.2.1). Cryptographic information that is retained after the end of a key's cryptoperiod should be placed in archive storage (see Section 8.3.1). This recommendation does not preclude the use of the same storage media for both backup and archive storage.

Specifics on the long-term availability requirement for each key type are addressed for backup storage in Section 8.2.2.1, and for archive storage in Section 8.3.1.

The recovery of this cryptographic information for use in replacing cryptographic information that is lost (e.g., from normal storage), or in performing cryptographic operations after the end of a key's cryptoperiod, is discussed in Sections 8.2.2.2 (recovery) and 8.3.1 (archive), and in Appendix B.
6.2.2.2 Integrity

Integrity protection is concerned with ensuring that the information is correct. Absolute protection against modification is not possible. The best that can be done is to use reasonable measures to prevent modifications, to use methods to detect (with a very high probability) any modifications that occur, and to restore the information to its original content when modifications have been detected.
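The following added example (not part of SP 800-57, written for this page) shows the stored-key principles of Sections 6.2.1.5, 6.2.1.6, 6.2.2.1 and 6.2.2.2 together: a stored record binds keying material to its key source and related information, a MAC under a separate integrity key detects any modification of the record, and a verified backup copy in a second location restores the information when the operational copy fails its check. The integrity key, the key record values and the tampering scenario are all constructed.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical integrity key, separate from the keying material it protects and
# held inside the cryptographic module in a real deployment; constructed value here.
INTEGRITY_KEY = bytes.fromhex("2b" * 32)


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so the MAC covers the key and every bound attribute.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect_record(key_id: str, key_source: str, key_hex: str, related: dict) -> dict:
    """Bind keying material to its key source and related information, then MAC it."""
    body = {"key_id": key_id, "key_source": key_source, "key": key_hex, "related": related}
    tag = hmac.new(INTEGRITY_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_record(record: dict) -> bool:
    """Detect modification of the key, its entity binding, or its related information."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(record["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def recover(operational: dict, backups: list) -> Optional[dict]:
    """Return the operational copy if intact, otherwise the first intact backup copy."""
    for candidate in [operational, *backups]:
        if verify_record(candidate):
            return candidate
    return None


def demo() -> tuple:
    """Constructed scenario: the operational copy is altered in storage; recovery uses backup."""
    original = protect_record(
        "key-0001", "kms.example.test", "0f" * 16,
        {"algorithm": "AES-128", "iv": "a5" * 16},
    )
    operational, backup = copy.deepcopy(original), copy.deepcopy(original)
    operational["body"]["key_source"] = "other.example.test"  # simulated modification
    recovered = recover(operational, [backup])
    return verify_record(operational), recovered["body"]["key_source"] if recovered else None
```

Because the key source and related information sit inside the MACed body, re-labelling a stored key to a different entity is detected exactly like altering the key bytes themselves.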