NIST offers guidelines for generating crypto keys for sensitive info
- By William Jackson
- Aug 10, 2011
The National Institute of Standards and Technology has released draft guidance on creating secure keys to be used with the cryptographic algorithms and products agencies must use when securing sensitive data.
A cryptographic algorithm is a mathematical function for scrambling data so that it cannot be read; it uses a key, or a pair of keys, to ensure that the data can be decrypted only by the intended party. NIST has developed a variety of standards and guidelines covering both the algorithms and the management of cryptographic keys. Draft Special Publication 800-133, Recommendation for Cryptographic Key Generation, deals with the generation of the keys.
The publication addresses symmetric keys, in which the same secret key is used to both encrypt and decrypt data, as well as asymmetric or public key schemes, in which separate public and private keys are used for each function.
Most key generation will require the use of an approved Random Bit Generator (RBG) to produce strings of statistically unrelated bits. A key can either be taken directly from the generator's output, or the random bits can be used as seed material from which the key is computed with an approved formula.
Symmetric keys also can be generated from passwords, although the publication calls this a questionable practice because passwords typically are not very random and the resulting key is not very secure. However, NIST does provide approved methods for deriving keys from passwords for storage applications in SP 800-132 released last December.
Keys for both symmetric and asymmetric key algorithms must be generated and used in approved Federal Information Processing Standard (FIPS) 140-compliant cryptographic modules. The modules can be used either to generate keys directly or to provide seed material for generation. Advanced Encryption Standard (AES) keys and Digital Signature Algorithm (DSA) private keys are examples of keys that can be generated directly from the random bits. An RSA key is instead generated from seed material, which is used to find a prime number that meets the FIPS criteria.
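The two generation paths the article describes, taking a symmetric key directly from the RBG versus deriving one from a password under SP 800-132, as an added Python example that is not code from NIST or the article. It assumes PBKDF2-HMAC-SHA256 as the password-based derivation function and a 600,000-iteration default; the strength estimate is a simple illustration of the article's caveat, not a NIST formula.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional, Tuple

# Path 1 (SP 800-133): take the key directly from an approved Random Bit
# Generator. Python's `secrets` module reads the operating system's RBG.
def generate_symmetric_key(key_bits: int = 256) -> bytes:
    if key_bits % 8 != 0 or key_bits < 128:
        raise ValueError("key length must be a whole number of bytes, at least 128 bits")
    return secrets.token_bytes(key_bits // 8)

# Path 2 (SP 800-132): derive a key from a password. PBKDF2-HMAC-SHA256 is an
# assumption for the "approved method"; the random salt comes from the RBG and
# is returned with the key so the same key can be re-derived later.
def derive_key_from_password(password: str, salt: Optional[bytes] = None,
                             iterations: int = 600_000,
                             key_bits: int = 256) -> Tuple[bytes, bytes]:
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, key_bits // 8)
    return salt, key

# Re-derive and compare in constant time, e.g. when unlocking stored data.
def check_password(password: str, salt: bytes, expected_key: bytes,
                   iterations: int = 600_000) -> bool:
    _, key = derive_key_from_password(password, salt, iterations, len(expected_key) * 8)
    return hmac.compare_digest(key, expected_key)

# The article's caveat in numbers: a password-derived key is only as strong as
# the password's guess space (plus the work the iteration count adds per guess),
# however many bits the derived key has. A 256-bit key from a million-password
# space with 2**20 iterations is worth roughly 40 bits, not 256.
def effective_strength_bits(password_guess_space: int, iterations: int,
                            key_bits: int) -> int:
    work_per_attack = math.log2(password_guess_space) + math.log2(iterations)
    return min(int(work_per_attack), key_bits)

if __name__ == "__main__":
    direct = generate_symmetric_key(256)
    salt, derived = derive_key_from_password("correct horse battery staple")
    print("direct RBG key bits:", len(direct) * 8)
    print("password-derived key bits:", len(derived) * 8,
          "effective:", effective_strength_bits(10**6, 600_000, 256))
```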
Comments on draft SP 800-133 should be sent by Sept. 30 to [email protected] with “Comments on SP 800-133 Key Generation” in the subject line.
William Jackson is a Maryland-based freelance writer.