Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
March, 2007<br />
8 Key Management Phases and Functions<br />
The cryptographic key management life cycle can be divided into four phases. During each<br />
phase, the keys may be in certain specific states as defined in Section 7. In addition, within each<br />
phase, certain key management functions are typically performed. These functions are necessary<br />
for the management of the keys and their associated attributes.<br />
Key management information is characterized by attributes. The attributes required for key<br />
management might include the identity of a person or system associated with that key or the<br />
types of information that person is authorized to access. Attributes are leveraged by applications<br />
to select the appropriate cryptographic key(s) for a particular service. While these attributes do<br />
not appear in cryptographic algorithms, they are crucial to the implementation of applications<br />
and application protocols.<br />
The four phases of key management are specified below.<br />
1. Pre-operational phase: The keying material is not yet available for normal<br />
cryptographic operations. Keys may not yet be generated, or may be in the pre-activation<br />
state. System or enterprise attributes are established during this phase as well.<br />
2. Operational phase: The keying material is available and in normal use. Keys are in the<br />
active state. Keys may be designated as protect only, process only, or protect and process.<br />
3. Post-operational phase: The keying material is no longer in normal use, but access to<br />
the keying material is possible and the keying material may be used for process only in<br />
certain circumstances. Keys are in the deactivated or compromised states. Keys in the<br />
post-operational phase are archived (see section 8.3.1) when not processing data.<br />
4. Destroyed phase: Keys are no longer available. All records of their existence may have<br />
been deleted. Keys are in the destroyed or destroyed compromised states. Although the<br />
keys themselves are destroyed, the key attributes (e.g., key name, type, cryptoperiod, and<br />
usage period) may be retained (see Section 8.4).<br />
A flow diagram for the key management phases is presented as Figure 4. Seven phase transitions<br />
are identified in the diagram. A key shall not be able to transfer back to any previous phase.<br />
89