NIST upgrades guidelines for cryptographic key management
Cryptographic tools can provide strong protection for sensitive data, but creating and sharing the secret keying material that makes them work can be a security challenge in its own right. In an effort to make it easier, the National Institute of Standards and Technology has released new guidelines for managing cryptographic keys in security applications used by agencies.
The new guidelines are the latest addition to Special Publication 800-57, Recommendations for Key Management. Part 3 of SP 800-57, titled Application-Specific Key Management Guidance, addresses the management issues in currently available cryptographic mechanisms. Part 1 of SP 800-57 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for agencies.
NIST designed the document for system installers, system administrators, end users of existing key management infrastructures, protocols, and other applications, and the people making purchasing decisions for new systems, according to the agnecy.
The publication gives recommendations for several specific applications:
- Public-key infrastructures (PKI)
- Internet Protocol Security (IPsec)
- Transport Layer Security (TLS)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Over-the-Air Rekeying of Digital Radios (OTAR)
- Domain Name System Security Extensions (DNSSEC)
- Encrypted File Systems (EFS)
NIST plans to release future versions of the document updated to include Secure Shell, IEEE 802.1x Port Based Network Access Control, Physical Access Control Systems (PACS) and other areas as new techniques are widely implemented.
For each application area covered, the guidelines give a brief description of the system, recommended algorithm suites and key sizes, and associated security and compliance issues, and recommendations concerning specific ways to use the mechanism to protect government information.