NIST on crypto keys, in IT life cycle security
- By William Jackson
- Oct 27, 2008
The National Institute of Standards and Technology has released
a draft version of guidelines for managing cryptographic keys and a
final version of guidance for managing security in the information
technology system life cycle.
NIST released a draft of Special Publication 800-57, titled
'Recommendation for Key Management Part 3:
Application-Specific Key Management Guidance' for public
comment. The publication's first two parts provide guidance
and best practices for managing cryptographic keying material and
policy and security planning requirements. Part 3 focuses on using
systems' cryptographic features.
The publication incorporates some technical information
previously included in Federal Information Processing Standard 180
for secure hash algorithms. The most recent version of that
standard, FIPS 180-3, removed some of that
information because officials could more quickly update it in SP
Part 3 is intended primarily to help systems administrators and
installers secure applications using advice based on product
availability and organizational needs. It also supports decisions
about future procurements and includes information for users on the
options they can control during their normal use of applications.
The publication has recommendations for the following applications:
- Public-key infrastructures.
- IP Security.
- Transport Layer Security.
- Secure Multipurpose Internet Mail Extensions.
- Over-the-air rekeying of digital radios.
- Domain Name System Security Extensions.
- Encrypting File System.
- Secure Shell.
- 802.1X Port-Based Network Access Control.
For each topic, the guidance provides:
- A brief description of the system.
- Recommended algorithm suites and key sizes and associated
security and compliance issues.
- Recommendations on using the mechanism in its current form to
protect government information.
- Security considerations that could alter the effectiveness of
- General recommendations for those making the buying decisions,
systems installers, systems administrators and end users.
Comments should be e-mailed by Jan. 16, 2009, to firstname.lastname@example.org with
'Comments on Draft 800-57, Part 3' in the subject line.
NIST released the second revision of SP 800-64, titled 'Security
Considerations in the System Development Life Cycle' in its
final version. That publication is intended to help agencies
integrate essential IT security steps into established system
development life cycles (SDLCs). It applies to all federal IT
systems except those related to national security.
'To be most effective, information security must be
integrated into the SDLC from system inception,' the
publication states. 'Early integration of security in the
SDLC enables agencies to maximize return on investment in their
security programs through:
- Early identification and mitigation of security vulnerabilities
and misconfigurations, resulting in lower cost of security control
implementation and vulnerability mitigation.
- Awareness of potential engineering challenges caused by
mandatory security controls.
- Identification of shared security services and reuse of
security strategies and tools to reduce development cost and
schedule while improving security posture through proven methods
- Facilitation of informed executive decision-making through
comprehensive risk management in a timely manner.'
The guide provides descriptions of the key security roles and
responsibilities for most information system developments and
includes information about SDLC to help a person who is unfamiliar
with the process understand its relationship to information
'The five-step SDLC cited in this document is an example
of one method of development and is not intended to mandate this
methodology,' the guidance states.
SP 800-64 provides insight into IT projects and initiatives that
are not as clearly defined as SDLC-based developments, including
service-oriented architectures, cross-organization projects and IT
NIST also released a final revision of SP 800-66, titled 'An Introductory
Resource Guide for Implementing the Health Insurance Portability
and Accountability Act (HIPAA) Security Rule.' That
publication seeks to increase understanding of the security terms
and standards used in the HIPAA Security Rule. It also directs
readers to information in other NIST publications on topics the
rule addresses. The publication does not replace the HIPAA Security
William Jackson is a Maryland-based freelance writer.