NIST offers guidelines for generating crypto keys for sensitive info

The National Institute of Standards and Technology has released draft guidance on creating secure keys to be used with the cryptographic algorithms and products agencies must use when securing sensitive data.

The cryptographic algorithm is a mathematical function for scrambling data so that it cannot be read, using a key or pair of keys to ensure that it can be decrypted only by the intended party. NIST has developed a variety of standards and guidelines for algorithms for managing cryptographic keys. Draft Special Publication 800-133, Recommendation for Cryptographic Key Generation, deals with the generation of the keys.

The publication addresses symmetric keys, in which the same secret key is used to both encrypt and decrypt data, as well as asymmetric or public key schemes, in which separate public and private keys are used for each function.

Related coverage:

NIST laying the groundwork for more advanced cryptography

Crypto rules changing for ID cards

Most key generation will require the use of a Random Bit Generator to produce strings of statistically unrelated bits. Keys can either be created directly by the generator, or the random bits can be used as seed material to create the key using an approved formula.

Symmetric keys also can be generated from passwords, although the publication calls this a questionable practice because passwords typically are not very random and the resulting key is not very secure. However, NIST does provide approved methods for deriving keys from passwords for storage applications in SP 800-132 released last December.

Keys for both symmetric and asymmetric key algorithms must be generated and used in approved Federal Information Processing Standard (FIPS) 140-compliant cryptographic modules. The modules can be used either to generate keys directly or to provide seed material for generation. Advanced Encryption Standard and Digital Signature Algorithm are examples of private keys that can be generated directly. An RSA key is generated from seed, which is used to find a prime number that meets FIPS criteria.

Comments on draft SP 800-133 should be sent by Sept. 30 to [email protected] with “Comments on SP 800-133 Key Generation” in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected