NIST: Crypto is the key to protecting large data stores
The National Institute of Standards and Technology has released a revised draft of guidelines for creating a cryptographic key management system, part of a governmentwide program to address one of the thorniest challenges to securing sensitive information.
Special Publication 800-130, “A Framework for Designing Cryptographic Key Management Systems,” describes the components of cryptographic key management systems and specifies requirements for documentation in the system design. It is a product of the Cryptographic Key Management Project, an effort to help agencies in their adoption of more advanced cryptographic algorithms and the management of stronger keys.
“Effectively implemented cryptography can reduce the scope of the information management problem from the need to protect large amounts of information to the need to protect only keys and certain metadata,” the publication says.
If crypto keys aren't protected, they can't protect data
But this also means that the data is only as secure as the cryptographic keys being used. This puts a premium on the secure management of those keys.
The latest document compares cryptography to a safe or vault. The security of the safe or of the cryptography must be at least equal to the value or sensitivity of what is being protected, and the safe’s combination and crypto keys must be as secure as the rest of the system.
“NIST has undertaken an effort to improve the overall key management strategies used by the public and private sectors in order to enhance the usability of cryptographic technology, provide scalability across cryptographic technologies, and support a global cryptographic key management infrastructure,” the agency said. The project has included a series of workshops as well as development of several documents with guidance for key management.
NIST also last year released drafts of SP 800-131, “Recommendations for the Transitioning of Cryptographic Algorithms and Key Sizes,” a suite of documents with guidance for the adoption of stronger crypto keys and more robust algorithms. Another draft document, SP 800-152, which will provide a basic profile of the framework described in SP 800-130, is expected to be released later this year.
The current release of SP 800-130 is a revision of a first draft released for comment in 2010. It is a description of the topics to be considered and the documentation required in designing a key management system.
The framework is intended to be general enough to encompass any well-designed system, but is not intended to be a system design. It provides specification requirements using lists of options that the designers may incorporate.
Comments on SP 800-130 should be sent by July 30 to firstname.lastname@example.org, with “comments on SP 800-130” in the subject line.