Part 1: General - Computer Security Resource Center - National ...
March, 2007
All cryptographic information requires integrity protection. Integrity shall be provided by physical mechanisms, cryptographic mechanisms or both.
Physical mechanisms include:
1. A validated cryptographic module or operating system that limits access to the stored information,
2. A computer system or media that is not connected to other systems,
3. A physically secure environment that is outside a computer system (e.g., in a safe with limited access) with appropriate access controls.
Cryptographic mechanisms include:
a. A cryptographic integrity mechanism (e.g., MAC or digital signature) that is computed on the information and is later used to verify the integrity of the stored information.
b. Performing the intended cryptographic operation. If the received information is incorrect, it is possible that the keying material may have been corrupted.
If the cryptographic information needs to be restored when an error is detected, multiple copies of the information should be maintained in physically separate locations (i.e., in backup or archive storage; see Sections 8.2.2.1 and 8.3.1). The integrity of each copy should be periodically checked.
6.2.2.3 Confidentiality
One of the following mechanisms shall be used to provide confidentiality for private or secret keying material in storage:
1. Encryption with an Approved algorithm in a FIPS 140-2 cryptographic module. It shall be no easier to recover the key encrypting key than it is to recover the key being encrypted,
-OR-
2. Physical protection provided either by a FIPS 140-2 (level 2 or higher) cryptographic module,
-OR-
3. By secure storage (e.g., safe or protected area) with controlled access.
6.2.2.4 Association with Usage or Application
Cryptographic information is used with a given cryptographic mechanism (e.g., digital signatures or key establishment) or with a particular application. Protection shall be provided to ensure that the information is not used incorrectly (e.g., not only must the usage or application be associated with the keying material, but the integrity of this association must be maintained). This protection can be provided by separating the cryptographic information from that of other mechanisms or applications, or by appropriate labeling of the information. Section 6.2.3 addresses the labeling of cryptographic information.
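The following added example (not part of the original text) sketches one way to combine the MAC-based integrity mechanism above with the labeling approach of Section 6.2.2.4: a single HMAC-SHA-256 tag covers both the stored key and its usage label, and restoration takes the first stored copy that still verifies. The record layout, function names and sample values are assumptions made for illustration, and the stored key is assumed to be already encrypted.

```python
import hashlib
import hmac
import json

# Constructed sample values; in practice the MAC key is itself protected
# (e.g. inside the cryptographic module) and stored apart from the records.
MAC_KEY = bytes.fromhex("5a" * 32)
WRAPPED = bytes(range(1, 41))  # stands in for an already-encrypted key
LABEL = {"key_id": "example-kek-01", "usage": "key-establishment"}

def _canonical(label: dict, wrapped_key: bytes) -> bytes:
    # Length-prefix the serialized label so the label/key boundary is unambiguous.
    lab = json.dumps(label, sort_keys=True, separators=(",", ":")).encode()
    return len(lab).to_bytes(4, "big") + lab + wrapped_key

def seal(mac_key: bytes, label: dict, wrapped_key: bytes) -> dict:
    """Build a stored record whose MAC covers the label and the key together."""
    tag = hmac.new(mac_key, _canonical(label, wrapped_key), hashlib.sha256)
    return {"label": label, "wrapped_key": wrapped_key.hex(), "mac": tag.hexdigest()}

def verify(mac_key: bytes, record: dict) -> bool:
    """Recompute the MAC; any change to the key bytes or the label fails."""
    try:
        if not isinstance(record["label"], dict):
            return False
        body = _canonical(record["label"], bytes.fromhex(record["wrapped_key"]))
        expected = hmac.new(mac_key, body, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, record["mac"])
    except (KeyError, TypeError, ValueError):
        return False  # a malformed record counts as an integrity failure

def restore(mac_key: bytes, copies: list, required_usage: str):
    """Return the key from the first copy that verifies and carries the
    required usage label; None if no copy qualifies."""
    for rec in copies:
        if verify(mac_key, rec) and rec["label"].get("usage") == required_usage:
            return bytes.fromhex(rec["wrapped_key"])
    return None

if __name__ == "__main__":
    primary = seal(MAC_KEY, LABEL, WRAPPED)
    backup = seal(MAC_KEY, LABEL, WRAPPED)  # copy kept in a separate location
    # Simulate corruption of the primary copy's usage label.
    primary["label"] = dict(LABEL, usage="digital-signature")
    print("primary intact:", verify(MAC_KEY, primary))
    print("backup intact: ", verify(MAC_KEY, backup))
    print("restored:", restore(MAC_KEY, [primary, backup], "key-establishment") == WRAPPED)
```

Because the label is inside the MAC input, relabeling a key-establishment key as a signature key is detected in the same way as corruption of the key bytes.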