NIST guidance on more secure crypto key generation
- By William Jackson
- Nov 14, 2008
A secret symmetric encryption key shared by multiple parties can be used to generate additional keys for other purposes, such as message authentication codes or to allow a trusted party to create separate keys from a single master key. But an improperly defined key derivation method can crate keys that are vulnerable to attacks.
The National Institute of Standards and Technology has published guidance on ensuring that such keys are created securely.
NIST Special Publication 800-108
, titled 'Recommendation for Key Derivation Using Pseudorandom Functions,' gives several families of key derivation functions that use pseudorandom functions. It specifies techniques for the derivation of additional keying material from a secret cryptographic key using these mathematical functions, which can be established either through a key establishment scheme or shared some other manner.
NIST also is seeking comments on Draft SP 800-102
, 'Recommendation for Digital Signature Timeliness.' This recommendation provides methods for obtaining assurance about the time that a message was digitally signed. The concepts in it were presented in the original public comment draft of Federal Information Processing Standard 186-3, but were moved to a separate publication. A second draft of FIPS 186-3 also has been released for comment.
'Recommendations for Key Derivation' explains how additional cryptographic keys can be generated safely. A draft version was released for public comment earlier this year, and the recommendations now have been finalized.
'Separate keys may be needed for different cryptographic purposes ' for example, one key may be required for an encryption algorithm, while another key is intended for use by an integrity protection algorithm, such as a message authentication code,' NIST explains in the document. 'At other times, the distinct keys required by multiple entities may be generated by a trusted party from a single master key. Key derivation functions are used to derive such keys.'
But, 'an improperly defined key derivation function can make the derived keying material vulnerable to attacks.'
SP 800-108 specifies several families of key derivation functions, and a pseudorandom function is the basic building block in constructing a key derivation function. Key derivation functions can be used to derive additional keys from a key that has been established through an automated key-establishment scheme or from a pre-shared key, such as one that has been manually distributed.
Draft SP 800-102 addresses the issue of being able to trust a digital signature that has used to validate a document, by being able to verify the time it was signed. It involves digital signatures within digital signatures.
'Establishing the time when a digital signature was generated is often a critical consideration,' the document says. 'A digital signature is an electronic analogue of a written signature; the digital signature can be used to provide assurance that the claimed signatory signed the information. In addition, a digital signature may be used to detect whether or not the information was modified after it was signed.'
But a signature without a trusted time source does not provide this assurance. 'With the appropriate use of time stamps from a Trusted Timestamp Authority (TTA) and/or verifier-supplied data, the signatory can provide some level of assurance about the time that the message was signed.'
The document defines a trusted time stamp authority as 'an entity that is trusted to produce time stamp packets. A time stamp packet (TSP) is transmitted by a TTA and contains a digital signature that is generated using the TTA's private key, and the time-stamped data upon which the digital signature is generated.' The time-stamped data includes an 'accurate, unambiguous representation of the time of generation of the accompanying time stamp signature.'
Comments on Draft SP 800-102 should be sent by Dec. 19 to email@example.com
, with 'Comments on SP 800-102' entered into the e-mail's subject line.
William Jackson is a Maryland-based freelance writer.