NIST: Crypto is the key to protecting large data stores

The National Institute of Standards and Technology has released a revised draft of guidelines for creating a cryptographic key management system, part of a governmentwide program to address one of the thorniest challenges to securing sensitive information.

Special Publication 800-130, “A Framework for Designing Cryptographic Key Management Systems,” describes the components of cryptographic key management systems and specifies requirements for documentation in the system design. It is a product of the Cryptographic Key Management Project, an effort to help agencies in their adoption of more advanced cryptographic algorithms and the management of stronger keys.

“Effectively implemented cryptography can reduce the scope of the information management problem from the need to protect large amounts of information to the need to protect only keys and certain metadata,” the publication says.

But this also means that the data is only as secure as the cryptographic keys being used. This puts a premium on the secure management of those keys.

The latest document compares cryptography to a safe or vault. The security of the safe or of the cryptography must be at least equal to the value or sensitivity of what is being protected, and the safe’s combination and crypto keys must be as secure as the rest of the system.
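The "protect only keys and certain metadata" idea above is usually realized as a key hierarchy: records are encrypted under a data-encryption key, and that key is stored beside the data only in wrapped form under a key-encrypting key, with its metadata bound into the wrap so the key record cannot be relabelled. The following is an added illustration, not code from NIST or from the article; to stay standard-library only it builds an encrypt-then-MAC construction from HMAC-SHA256 (a demo construction, not an approved algorithm; production systems would use AES-GCM or AES key wrap), and all function names, the key identifier and the sample records are constructed for the example.

```python
"""Key hierarchy demo: data protected under a data key, the data key protected
under a key-encrypting key (KEK), so the asset that must be guarded shrinks to
the KEK plus a little metadata. Constructed example for illustration only."""
import hashlib
import hmac
import json
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    # Split one secret into separate encryption and MAC keys (HMAC used as a PRF).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 so the demo needs only the
    # standard library; this stands in for a real cipher such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; the tag also covers associated data (the metadata)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first; tampering with ciphertext or metadata fails here."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_derive(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def wrap_dek(kek: bytes, dek: bytes, key_id: str) -> dict:
    """Protect a data-encryption key under the KEK, binding it to its metadata."""
    metadata = {"key_id": key_id, "alg": "demo-hmac-sha256-stream", "dek_len": len(dek)}
    aad = json.dumps(metadata, sort_keys=True).encode()
    return {"metadata": metadata, "wrapped": seal(kek, dek, aad).hex()}


def unwrap_dek(kek: bytes, record: dict) -> bytes:
    aad = json.dumps(record["metadata"], sort_keys=True).encode()
    return open_sealed(kek, bytes.fromhex(record["wrapped"]), aad)


def demo() -> dict:
    """Encrypt a store of records under one DEK, keep only the wrapped DEK beside
    them, and show what holding the store without the KEK does and does not allow."""
    kek = secrets.token_bytes(32)  # the one secret that must stay protected
    dek = secrets.token_bytes(32)
    records = [b"card=4111-XXXX", b"ssn=000-00-0000", b"note=constructed sample"]  # constructed
    store = {"key": wrap_dek(kek, dek, key_id="dek-2012-001"),  # constructed key id
             "rows": [seal(dek, r).hex() for r in records]}
    # Legitimate path: unwrap the DEK with the KEK, then decrypt the rows.
    live_dek = unwrap_dek(kek, store["key"])
    recovered = [open_sealed(live_dek, bytes.fromhex(row)) for row in store["rows"]]
    # Someone holding the store (wrapped key plus ciphertext) but not the KEK.
    try:
        unwrap_dek(secrets.token_bytes(32), store["key"])
        wrong_kek_fails = False
    except ValueError:
        wrong_kek_fails = True
    # Metadata is bound by the tag: relabelling the key record is detected.
    tampered = {"metadata": dict(store["key"]["metadata"], key_id="dek-2012-999"),
                "wrapped": store["key"]["wrapped"]}
    try:
        unwrap_dek(kek, tampered)
        metadata_tamper_fails = False
    except ValueError:
        metadata_tamper_fails = True
    return {"recovered": recovered == records,
            "wrong_kek_fails": wrong_kek_fails,
            "metadata_tamper_fails": metadata_tamper_fails}


if __name__ == "__main__":
    print(demo())
```

The point the safe analogy makes shows up in `demo()`: the whole store can be copied without loss of confidentiality as long as the KEK is not, so the key store and the processes that touch the KEK are where the protection effort (and the audit, rotation and destruction procedures) concentrate.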

“NIST has undertaken an effort to improve the overall key management strategies used by the public and private sectors in order to enhance the usability of cryptographic technology, provide scalability across cryptographic technologies, and support a global cryptographic key management infrastructure,” the agency said. The project has included a series of workshops as well as development of several documents with guidance for key management.

Last year NIST also released drafts of SP 800-131, “Recommendations for the Transitioning of Cryptographic Algorithms and Key Sizes,” a suite of documents guiding the adoption of stronger crypto keys and more robust algorithms. Another draft document, SP 800-152, which will provide a basic profile of the framework described in SP 800-130, is expected to be released later this year.

The current release of SP 800-130 is a revision of a first draft released for comment in 2010. It is a description of the topics to be considered and the documentation required in designing a key management system.

The framework is intended to be general enough to encompass any well-designed system, but is not intended to be a system design. It provides specification requirements using lists of options that the designers may incorporate.

Comments on SP 800-130 should be sent by July 30 to ckmsdesignframework@nist.gov, with “comments on SP 800-130” in the subject line.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.

Reader Comments

Thu, Apr 19, 2012 Todd Thiemann Vormetric

The updated NIST guidelines for cryptographic key management are timely. With large data stores vulnerable to outsider and insider (e.g., Wikileaks) attacks, encrypting the data isn’t enough. Just last December hackers lifted the encryption keys from SpecialForces.com which they used to decrypt stolen passwords and credit card numbers that they then posted online... Without a centralized approach for securing keys, the benefits of data encryption are lost. A new report by analyst firm Enterprise Strategy Group discusses the risks associated with poor encryption key management. http://bit.ly/IbFk20 @Cryptodd @Vormetric