NIST offers guidelines for generating crypto keys for sensitive info

The National Institute of Standards and Technology has released draft guidance on creating secure keys to be used with the cryptographic algorithms and products agencies must use when securing sensitive data.

The cryptographic algorithm is a mathematical function for scrambling data so that it cannot be read, using a key or pair of keys to ensure that it can be decrypted only by the intended party. NIST has developed a variety of standards and guidelines for algorithms for managing cryptographic keys. Draft Special Publication 800-133, Recommendation for Cryptographic Key Generation, deals with the generation of the keys.

The publication addresses symmetric keys, in which the same secret key is used to both encrypt and decrypt data, as well as asymmetric or public key schemes, in which separate public and private keys are used for each function.

Most key generation will require the use of a Random Bit Generator to produce strings of statistically unrelated bits. Keys can either be created directly by the generator, or the random bits can be used as seed material to create the key using an approved formula.

Symmetric keys can also be generated from passwords, although the publication calls this a questionable practice because passwords typically are not very random, so the resulting key is not very secure. However, NIST does provide approved methods for deriving keys from passwords for storage applications in SP 800-132, released last December.
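To make the contrast concrete, here is an added example (not code from the NIST draft or from this article) that generates a symmetric key directly from the operating system's random bit source, derives one from a password with the PBKDF2-HMAC construction that SP 800-132 approves, and bounds the entropy a password-derived key can actually have; the iteration count and the password-space size are assumed values chosen for illustration.

```python
"""Added example: direct CSPRNG key vs. password-derived key (SP 800-132 style)."""
import hashlib
import math
import secrets

KEY_LEN = 32          # 256-bit symmetric key (e.g. for AES-256)
SALT_LEN = 16         # SP 800-132 calls for a salt of at least 128 bits
ITERATIONS = 600_000  # assumed iteration count; a tunable work factor


def generate_key_direct(length: int = KEY_LEN) -> bytes:
    """Key taken straight from the OS random bit generator.

    Every bit comes from the generator, so a 32-byte key carries the
    full 256 bits of entropy the algorithm expects.
    """
    return secrets.token_bytes(length)


def new_salt(length: int = SALT_LEN) -> bytes:
    """Fresh random salt; must be stored alongside the protected data."""
    return secrets.token_bytes(length)


def derive_key_from_password(password: str, salt: bytes,
                             iterations: int = ITERATIONS,
                             length: int = KEY_LEN) -> bytes:
    """PBKDF2 with HMAC-SHA-256, the construction specified in SP 800-132.

    Deterministic for a given (password, salt, iterations): the same
    inputs always yield the same key, which is what lets the key be
    re-derived later for storage decryption instead of being stored.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=length)


def effective_entropy_bits(key_len: int, password_space: int) -> float:
    """Upper bound on the entropy of a password-derived key.

    No matter how long the output, the key can have at most log2(N)
    bits of entropy when the password was drawn from N possibilities;
    this is why the draft calls password-derived keys questionable.
    """
    return min(8 * key_len, math.log2(password_space))
```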

Keys for both symmetric and asymmetric key algorithms must be generated and used in approved Federal Information Processing Standard (FIPS) 140-compliant cryptographic modules. The modules can be used either to generate keys directly or to provide seed material for generation. Advanced Encryption Standard keys and Digital Signature Algorithm private keys are examples of keys that can be generated directly. An RSA key is generated from seed material, which is used to find a prime number that meets FIPS criteria.

Comments on draft SP 800-133 should be sent by Sept. 30 to [email protected] with “Comments on SP 800-133 Key Generation” in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.
