The key to crypto? It's in the key
- By William Jackson
- Nov 28, 2012
The Federal Information Processing Standards specify cryptographic algorithms approved for government use, but any cryptographic scheme is only as secure as the keys used to encrypt and decrypt information.
The National Institute of Standards and Technology has issued guidance on generating keys to be used with approved algorithms. Special Publication 800-133, Recommendation for Cryptographic Key Generation, spells out methods for creating both symmetric keys, in which the same secret key is used to both encrypt and decrypt data, and asymmetric or public-key schemes, in which separate public and private keys are used for each function.
Most key generation requires the use of a random bit generator to produce strings of statistically unrelated bits. Keys can either be created directly by the generator or the random bits can be used as seed material to create the key using an approved formula. Symmetric keys also can be generated from passwords, although NIST calls this a questionable practice because passwords typically are not very random and the resulting key is not very secure.
NIST does provide approved methods for deriving keys from passwords for storage applications in SP 800-132, released in 2010.
Keys for both symmetric and asymmetric key algorithms must be generated and used within approved FIPS 140-compliant cryptographic modules. The modules can be used either to generate keys directly or to provide seed material for generation. Advanced Encryption Standard (AES) and Digital Signature Algorithm (DSA) are examples of private keys that can be generated directly. An RSA key is generated from seed, which is used to find a prime number that meets FIPS criteria.
The publication is part of a series of recommendations on the management of cryptographic keys, including Special Publication 800-57, in three parts (one, two and three); SP 800-130, a draft Framework for Designing Cryptographic Key Management Systems; and SP 800-152, a draft Profile for U.S. Federal Cryptographic Key Management Systems.
William Jackson is freelance writer and the author of the CyberEye blog.