Part 1: General - Computer Security Resource Center - National ...

More documents

Recommendations

Info

March, 2007 anchors. Trust anchor distribution through software installation does not require that the relying party be a direct participant in the infrastructure. The user must trust the software distribution mechanism to avoid installation of malicious code. Extending this trust to cover trust anchors for that application may be reasonable, and allows the relying party to obtain trust anchors without any additional procedures. Where a user registers keys with the infrastructure, additional mechanisms are usually available. The user interacts securely with the infrastructure to register its keys (e.g., to obtain certificates), and these interactions may be extended to provide trust anchor information. This allows the user to establish trust anchor information with approximately the same assurance that the infrastructure has in the user’s keys. In the case of a PKI: 1. The initial distribution of the public key of a trust anchor should be performed in conjunction with the presentation of a requesting entity's public key to a registration authority (RA) or CA during the certificate request process. In general, the trust anchor's public key, associated parameters, key use, and assurance of possession are conveyed as a self-signed X.509 public key certificate. The certificate is digitally signed by the private key that corresponds to the public key within the certificate. While parameters and assurance of possession may be conveyed in the self-signed certificate, the trust anchor's identity and other information cannot be verified from the self-signed certificate itself (see item 2 below). 2. The trusted process used to convey a requesting entity's public key and assurances to the RA or CA shall also protect the trust anchor information conveyed to the requesting entity. In cases where the requesting entity appears in person, the trust anchor information may be provided at that time. If a secret value has been established during user registration (see Section 8.1.1), the trust anchor information may be supplied with the requesting entity’s certificate. 8.1.5.1.1.2 Submission to a Registration Authority or Certification Authority Public keys may be provided to a Certification Authority (CA) or to a registration authority (RA) for subsequent certification by a CA. During this process, the RA or CA shall obtain the assurances listed in Section 8.1.5.1.1 from the owner of the key or an authorized representative (e.g., the firewall administrator), including the owner’s identity. In general, the owner of the key is identified in terms of an identifier established during user registration (see Section 8.1.1). The key owner identifies the appropriate uses for the key, along with the parameters and any assurances of validity and possession. In cases where anonymous ownership of the public key is acceptable, the owner or the registration authority generates a pseudonym to be used as the identifier. The identifier shall be unique for the naming authority. Proof of Possession (POP) is a mechanism that is commonly used by a CA to obtain assurance of possession during key registration. In this case, the proof shall be provided by the reputed owner of the key pair. Without assurance of possession, it would be possible for the CA to bind the public key to the wrong entity. The (reputed) owner should provide POP by performing operations with the private key that satisfy the indicated key use. For example, if a key pair is intended to support key transport, the owner may decrypt a key provided to the owner by the CA that is encrypted using the owner's public key. If the owner can correctly decrypt the ciphertext key using the associated private key 95
March, 2007 and then provide evidence that the key was correctly decrypted (e.g., by encrypting a random challenge from the CA, then the owner has established POP. However, when a key pair is intended to support key establishment, POP may also be afforded by using the private key to digitally sign the certificate request (although this is not the preferred method). The key establishment private key shall not be used to perform signature operations after certificate issuance. As with user registration, the strength of the security infrastructure depends upon the methods used for distributing the key to an RA or CA. There are many different methods, each appropriate for some range of applications. Some examples of common methods are: 1. The public key and the information identified in Section 8.1.5.1.1 is provided by the public key owner in person, or by an authorized representative of the public key owner. 2. The identity of the public key owner is established at the RA or CA in person or by an authorized representative of the public key owner during user registration. Unique, unpredictable information (e.g., an authenticator or cryptographic key) is provided at this time by the RA or CA to the owner as a secret value. The public key and the information identified in Section 8.1.5.1.1 is provided to the RA or CA using a communication protocol protected by the secret value. The secret value should be destroyed by the key owner as specified in Section 8.3.4 upon receiving confirmation that the certificate has been successfully generated. The RA or CA may maintain this secret value for auditing purposes, but the RA or CA should not accept further use of the secret value to prove identity. When a specific list of public key owners are pre-authorized to register keys, identifiers may be generated in bulk. In this case, it is critical to protect the secret value from disclosure, and the procedures must demonstrate that the chain of custody was maintained. The secret value’s lifetime should be limited, but must allow for the public key owner to appear at the RA or CA, generate their keys, and provide the public key (under the secret value’s protection) to the RA or CA. Since it may take some time for the public key owner to appear at the RA or CA, a two or three week lifetime is probably reasonable. When public key owners are not pre-authorized, the RA or CA shall generate the identifier in the user’s presence. In this case, the time limit may be much more restrictive, since the public key owner need only generate their keys and provide the public key to the CA or RA. In this case, a 24-hour lifetime for the secret value would be reasonable. 3. The identity of the public key owner is established at the RA or CA using a previous determination of the public key owner’s identity. This is accomplished by “chaining” a new public key certificate request to a previously certified digital signature key pair. For example, the request for a new public key certificate is signed by the owner of the new public key to be certified. The signing private key used to sign the request should be associated with a verification public key that is certified by the same CA that will certify the new public key. The request contains the new public key and any key related information (e.g., key use and parameters). In addition, the CA shall obtain assurance of public key validity and assurance that the owner possesses the associated private key. 96
Page 1 and 2:
ARCHIVED PUBLICATION The attached p
Page 3 and 4:
Abstract March, 2007 This Recommend
Page 5 and 6:
Authority March, 2007 This document
Page 7 and 8:
March, 2007 key validation, account
Page 9 and 10:
March, 2007 4.2.4.1 DSA............
Page 11 and 12:
March, 2007 8 KEY MANAGEMENT PHASES
Page 13 and 14:
March, 2007 10.2.9 Compromise Manag
Page 15 and 16:
March, 2007 Figure 3: Key states an
Page 17 and 18:
March, 2007 1.2 Audience The audien
Page 19 and 20:
March, 2007 1. Section 1, Introduct
Page 21 and 22:
March, 2007 Backup A copy of inform
Page 23 and 24:
March, 2007 Digital signature The r
Page 25 and 26:
Key Management Policy Key Managemen
Page 27 and 28:
Proof of possession (POP) Pseudoran
Page 29 and 30:
March, 2007 Split knowledge A proce
Page 31 and 32:
March, 2007 3 Security Services Cry
Page 33 and 34:
March, 2007 However, it is often th
Page 35 and 36:
March, 2007 4 Cryptographic Algorit
Page 37 and 38:
March, 2007 operates on blocks (chu
Page 39 and 40:
March, 2007 minimum key size 7 of 1
Page 41 and 42:
March, 2007 2. The protocols trigge
Page 43 and 44:
March, 2007 7. Symmetric key wrappi
Page 45 and 46: March, 2007 9. Random numbers: The
Page 47 and 48: March, 2007 In general, where stron
Page 49 and 50: March, 2007 a. When a symmetric key
Page 51 and 52: March, 2007 information. For less s
Page 53 and 54: 8. Symmetric and Asymmetric RNG key
Page 55 and 56: 15. Private ephemeral key agreement
Page 57 and 58: Key Type 12. Symmetric Key Agreemen
Page 59 and 60: March, 2007 establishment keys, see
Page 61 and 62: March, 2007 c. Restricting plaintex
Page 63 and 64: March, 2007 algorithms completely i
Page 65 and 66: March, 2007 Table 3: Hash function
Page 67 and 68: Table 4: Recommended algorithms and
Page 69 and 70: March, 2007 size is available, the
Page 71 and 72: Security life of data up to 4 years
Page 73 and 74: March, 2007 6 Protection Requiremen
Page 75 and 76: Table 5: Protection requirements fo
Page 77 and 78: Key Type Security Service Private e
Page 79 and 80: March, 2007 Crypto. Security Securi
Page 81 and 82: March, 2007 may be applied only to
Page 83 and 84: March, 2007 All cryptographic infor
Page 85 and 86: March, 2007 8. Domain parameters (e
Page 87 and 88: March, 2007 6. Destroyed Compromise
Page 89 and 90: March, 2007 a. A private signature
Page 91 and 92: 2 Pre-Operational Phase 3 7 1 4 Ope
Page 93 and 94: March, 2007 8.1 Pre-operational Pha
Page 95: 8.1.5.1.1 Distribution of Static Pu
Page 99 and 100: March, 2007 listed in Section 8.1.5
Page 101 and 102: March, 2007 encrypting key or publi
Page 103 and 104: March, 2007 8.1.5.3.5 Intermediate
Page 105 and 106: March, 2007 of keying material and
Page 107 and 108: March, 2007 2. The application in w
Page 109 and 110: March, 2007 and the key derivation
Page 111 and 112: March, 2007 Type of Key Archive? Re
Page 113 and 114: March, 2007 All records of the enti
Page 115 and 116: March, 2007 other cryptographic inf
Page 117 and 118: March, 2007 access to information e
Page 119 and 120: March, 2007 1. Private key used to
Page 121 and 122: March, 2007 10.2 Content of the Key
Page 123 and 124: March, 2007 Management Specificatio
Page 125 and 126: March, 2007 is the same value as th
Page 127 and 128: March, 2007 If the decision is made
Page 129 and 130: March, 2007 only, and then shall be
Page 131 and 132: March, 2007 may be stored in backup
Page 133 and 134: March, 2007 and the method of key r
Page 135 and 136: March, 2007 ephemeral key pairs, an
Page 137 and 138: B.3.14.7 Key Control Information Ma
Page 139 and 140: March, 2007 to be saved. Keys for t
Page 141 and 142: [HAC] Handbook of Applied Cryptogra
Page 143: March, 2007 the owner by the CA tha
show all

Part 1: General - Computer Security Resource Center - National ...

Create successful ePaper yourself

Delete template?

Save as template?