Part 1: General - Computer Security Resource Center - National ...
March, 2007

8.1 Pre-operational Phase

During the pre-operational phase of key management, keying material is not yet available for normal cryptographic operations.

8.1.1 User Registration Function

During user registration, an entity interacts with a registration authority to become an authorized member of a security domain. In this phase, a user identifier or device name may be established to identify the member during future transactions. In particular, security infrastructures may associate the identification information with the entity's keys (see Sections 8.1.5 and 8.1.6). The entity may also establish various attributes during the registration function, such as email addresses or role/authorization information. As with identity information, these attributes may be associated with the entity's keys by the infrastructure to support secure application-level security services.

Since applications will depend upon the identity established during this process, it is crucial that the registration authority establish appropriate procedures for the validation of identity. Identity may be established through an in-person appearance at a registration authority, or may be established entirely out-of-band. The strength (or weakness) of a security infrastructure will often depend upon the identification process.

User and key registration (see Section 8.1.6) may be performed separately, or in concert. If performed separately, the user registration process will generally establish a secret value (e.g., a password, PIN, or HMAC key); the secret value may be used to authenticate the user during the key registration step. If performed in concert, the user establishes an identity and performs key registration in the same process, so the secret value is not required.
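The "performed separately" case above, as an added illustration that is not part of SP 800-57: a registration authority establishes an HMAC key at user registration and later accepts a key-registration request only if it carries a valid MAC under that key. The RegistrationAuthority class, the request encoding, and the sample key bytes are constructed for this example.

```python
import hashlib
import hmac
import secrets


def _request_bytes(user_id: str, public_key: bytes) -> bytes:
    """Canonical encoding of a key-registration request (constructed format)."""
    return user_id.encode("utf-8") + b"|" + public_key


def sign_key_request(secret: bytes, user_id: str, public_key: bytes) -> bytes:
    """Entity side: prove possession of the registration secret by MACing the request."""
    return hmac.new(secret, _request_bytes(user_id, public_key), hashlib.sha256).digest()


class RegistrationAuthority:
    """In-memory stand-in for an RA's user registry and key registry (constructed)."""

    def __init__(self) -> None:
        self.secrets = {}     # user_id -> HMAC key established at user registration
        self.bound_keys = {}  # user_id -> public key bound at key registration

    def register_user(self, user_id: str, identity_validated: bool) -> bytes:
        # User registration (8.1.1): only after the RA's identity-validation
        # procedure succeeds is a secret established for later authentication.
        if not identity_validated:
            raise PermissionError("identity validation failed; no secret issued")
        secret = secrets.token_bytes(32)
        self.secrets[user_id] = secret
        return secret

    def register_key(self, user_id: str, public_key: bytes, tag: bytes) -> bool:
        # Key registration (8.1.6) performed separately: authenticate the user
        # with the secret from user registration, then bind identity to key.
        secret = self.secrets.get(user_id)
        if secret is None:
            return False  # unknown member of the security domain
        expected = hmac.new(secret, _request_bytes(user_id, public_key),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # wrong secret or tampered request
        self.bound_keys[user_id] = public_key
        return True
```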
8.1.2 System Initialization Function

System initialization involves setting up or configuring a system for secure operation. This may include algorithm preferences, the identification of trusted parties, and the definition of domain parameter policies and any trusted parameters (e.g., recognized certificate policies).

8.1.3 User Initialization Function

User initialization consists of an entity initializing its cryptographic application (e.g., installing and initializing software or hardware). This involves the use or installation (see Section 8.1.4) of the initial keying material that may be obtained during user registration. Examples include the installation of a key at a CA, trust parameters, policies, trusted parties, and algorithm preferences.

8.1.4 Keying Material Installation Function

The security of keying material installation is crucial to the security of a system. For this function, keying material is installed for operational use within an entity's software, hardware, system, application, cryptomodule, or device using a variety of techniques. Keying material is installed when the software, hardware, system, application, cryptomodule, or device is initially set up, when new keying material is added to the existing keying material, and when existing keying material is replaced (via re-keying, key update, or key derivation - see Section 8.2.3 and Section 8.2.4).