NIST offers guidelines for generating crypto keys for sensitive info

The National Institute of Standards and Technology has released draft guidance on creating secure keys to be used with the cryptographic algorithms and products agencies must use when securing sensitive data.

A cryptographic algorithm is a mathematical function that scrambles data so it cannot be read without a key; the key, or pair of keys, ensures that only the intended party can decrypt it. NIST has developed a variety of standards and guidelines for cryptographic algorithms and for managing the keys they use. Draft Special Publication 800-133, Recommendation for Cryptographic Key Generation, deals with how those keys are generated in the first place.

The publication addresses symmetric keys, in which the same secret key is used to both encrypt and decrypt data, as well as asymmetric or public key schemes, in which separate public and private keys are used for each function.

Most key generation will require the use of an approved Random Bit Generator (RBG) to produce strings of statistically unrelated bits. Keys can either be taken directly from the generator's output, or the random bits can be used as seed material from which the key is created using an approved method.

Symmetric keys also can be generated from passwords, although the publication calls this a questionable practice: passwords typically contain far less randomness than the key length suggests, so the resulting key is no stronger than the password it came from. However, NIST does provide approved methods for deriving keys from passwords for storage applications in SP 800-132, released last December.
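As an added illustration of the two paths described above (this code is not from NIST's publications or from the article), the block below takes a symmetric key directly from a random bit generator, and beside it derives a key from a password with PBKDF2 using the salt and iteration-count floors SP 800-132 sets. The password, salt and iteration values are constructed for the demo, and os.urandom stands in for an approved RBG.

```python
"""Added example (not from SP 800-133 or SP 800-132): a symmetric key drawn
directly from the operating system's random bit generator, beside a key
derived from a password with PBKDF2, the construction SP 800-132 approves
for storage applications. Password, salt and iteration count are constructed
demo values."""
import hashlib
import math
import os
import string


def generate_symmetric_key(nbits: int = 256) -> bytes:
    """Create a key directly from the platform RBG (os.urandom).

    A FIPS deployment would take these bits from a validated module; the
    shape of the call is the same."""
    if nbits % 8:
        raise ValueError("key length must be a whole number of bytes")
    return os.urandom(nbits // 8)


def naive_password_key(password: str) -> bytes:
    """What NOT to do: a single unsalted hash of the password.

    Two users with the same password get the same key, and an attacker
    can test guesses at full hash speed or from a precomputed table."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def derive_key_from_password(password: str, salt: bytes,
                             iterations: int = 600_000,
                             key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 with the parameter floors SP 800-132 sets:
    a salt of at least 128 bits and an iteration count of at least 1,000
    (and as high as the application can tolerate, to slow down guessing)."""
    if len(salt) < 16:
        raise ValueError("SP 800-132 requires a salt of at least 128 bits")
    if iterations < 1000:
        raise ValueError("SP 800-132 recommends at least 1,000 iterations")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=key_len)


def estimate_password_entropy_bits(password: str) -> float:
    """Crude upper bound on password entropy: length x log2(alphabet size).

    Real passwords are far more predictable than this bound, which is the
    reason the publication calls password-based keys questionable: the
    derived key is never stronger than the password behind it, however
    many bits PBKDF2 outputs."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed demo values; a real salt also comes from the RBG.
    salt = os.urandom(16)
    password = "Tr0ub4dor&3"
    direct = generate_symmetric_key(256)
    derived = derive_key_from_password(password, salt)
    print("direct key bits:    ", len(direct) * 8)
    print("derived key bits:   ", len(derived) * 8)
    print("password entropy <= ", round(estimate_password_entropy_bits(password), 1), "bits")
```

Both keys are 256 bits long, but only the directly generated one actually carries 256 bits of randomness; the derived key inherits the password's few dozen bits, and PBKDF2's salt and iteration count only make each guess cost more.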

Keys for both symmetric and asymmetric algorithms must be generated and used inside cryptographic modules validated under Federal Information Processing Standard (FIPS) 140. The module's random bit generator can either produce a key directly or supply seed material for a generation procedure. Advanced Encryption Standard keys and Digital Signature Algorithm private keys are examples of keys that can be taken directly from the random bits. An RSA key, by contrast, is generated from seed material that is used to search for prime numbers meeting the criteria in FIPS 186.
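An added worked example of the RSA path just described (not NIST's or FIPS 186's procedure, and not code from the article): seed material is expanded with SHA-256 in counter mode into prime candidates, each candidate is tested with Miller-Rabin, and the first survivors that also satisfy two of the FIPS 186-4 conditions (gcd(e, p - 1) = 1, and p and q not too close together) become the factors. The seed and the 512-bit modulus are constructed so the demo runs quickly; the expansion and primality test are this example's own choices, not the FIPS 186 Appendix B and C algorithms.

```python
"""Added example (not NIST's or FIPS 186's algorithm): RSA key generation
driven entirely by seed material, as the article describes. The seed is
expanded with SHA-256 in counter mode into odd candidates, each is tested
with Miller-Rabin, and the first survivor compatible with the public
exponent becomes a factor. Seed and sizes are constructed for the demo."""
import hashlib
import math
from typing import Iterator

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71)


def candidate_stream(seed: bytes, nbits: int) -> Iterator[int]:
    """Deterministically expand `seed` into odd nbits-long integers with the
    top two bits set, so the product of two of them has exactly 2*nbits bits.
    (Illustrative expansion, not the FIPS 186 Appendix B/C procedures.)"""
    counter = 0
    while True:
        out = b""
        while len(out) * 8 < nbits:
            out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
            counter += 1
        c = int.from_bytes(out, "big") >> (len(out) * 8 - nbits)
        c |= (1 << (nbits - 1)) | (1 << (nbits - 2)) | 1
        yield c


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Trial division by small primes, then Miller-Rabin. Bases are derived
    from n by hashing so the whole search stays deterministic; that is fine
    for candidates we generated ourselves, not for adversarial input."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    nbytes = (n.bit_length() + 7) // 8
    for i in range(rounds):
        h = hashlib.sha256(b"mr" + n.to_bytes(nbytes, "big") + i.to_bytes(2, "big")).digest()
        a = int.from_bytes(h, "big") % (n - 3) + 2        # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def prime_from_seed(seed: bytes, nbits: int, e: int) -> int:
    """First candidate from the seed that is probably prime and compatible
    with the public exponent (FIPS 186-4 requires gcd(e, p - 1) = 1)."""
    for c in candidate_stream(seed, nbits):
        if math.gcd(c - 1, e) == 1 and is_probable_prime(c):
            return c


def rsa_key_from_seed(seed: bytes, nlen: int = 512, e: int = 65537) -> dict:
    """Derive p, q and d from one seed. nlen=512 keeps the demo fast;
    FIPS 186-4 specifies 2048- or 3072-bit moduli for real keys."""
    half = nlen // 2
    p = prime_from_seed(seed + b"|p", half, e)
    q = prime_from_seed(seed + b"|q", half, e)
    # FIPS 186-4 Appendix B.3: |p - q| must exceed 2^(nlen/2 - 100); primes
    # that close together let Fermat's method factor n directly.
    if abs(p - q) <= 1 << (half - 100):
        raise ValueError("p and q too close; choose a different seed")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1), as FIPS 186-4 uses
    d = pow(e, -1, lam)                                 # modular inverse, Python 3.8+
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q}


if __name__ == "__main__":
    # Constructed seed; in a FIPS module this seed would come from the approved RBG.
    key = rsa_key_from_seed(b"constructed demo seed")
    m = 0xC0FFEE
    assert pow(pow(m, key["e"], key["n"]), key["d"], key["n"]) == m
    print("modulus bits:", key["n"].bit_length())
    print("same seed, same key:", rsa_key_from_seed(b"x")["n"] == rsa_key_from_seed(b"x")["n"])
```

The point of the example is the dependency chain: every bit of the resulting private key is a function of the seed, so an RSA key is exactly as secret as the seed material fed to the search, which is why the draft requires that seed to come from an approved RBG inside a validated module.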

Comments on draft SP 800-133 should be sent by Sept. 30 to [email protected] with “Comments on SP 800-133 Key Generation” in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.
