
A summary of the revised NIST standards for Key Management

Written by Maria Stokes (guest) | 07. April 2017

Cryptography is the foundation of protecting electronic data and of cyber security. Encryption can effectively prevent breaches while also protecting both consumer privacy and sensitive data. In recent years, private corporations such as Target and federal government agencies such as the United States Federal Bureau of Investigation have experienced breaches resulting in lost or stolen data.

With effective cryptographic key management, encrypted data can still be protected even in the event of a breach, since encrypted data cannot be decrypted without the right keys. Proper use of encryption and key management supports an organization's efforts to protect its data. The National Institute of Standards and Technology's (NIST) SP 800-57 "Recommendation for Key Management" (Part 1, Revision 4) provides an updated guideline for general cryptographic key management. Since its original version was published in 2005, SP 800-57 has been through a number of revisions, in 2006, 2007, 2011, and 2015.

The NIST SP 800-57 standard emphasizes how critical key management is. To be effective, encryption requires confidential and strong keys to protect against breaches. Data protected by cryptography is dependent upon the strength of the keys along with the mechanisms and protocols used in association with those keys. Secret and private keys must be held securely without unauthorized disclosure and protected from modification. During their entire life cycle, keys must be managed with proper procedures and protocols to ensure they are not compromised. From the moment of their generation and throughout distribution, storage, entry, use, destruction and archival, keys must be handled with established protocols. Effective key management helps to provide a strong and secure foundation "for generation, storage, distribution, use and destruction of keys." (NIST SP 800-57)

In 2015, SP 800-57 was revised with several updates. Among the areas that received updates are Digital Signatures, Key Derivation, and Key Transport. The latest version also references newer cryptographic standards such as SP 800-152, FIPS 180, and FIPS 202.

NIST revised the standard to better align with the requirements of the Federal Information Processing Standards (FIPS). NIST now uses firmer language, replacing "should" with "shall." Security strength is now assessed in terms of both the algorithm and the key size, with recommendations for approved asymmetric and symmetric algorithms that take into account the size of the keys being used. NIST also revised the standard for digital signature generation: SHA-1 is no longer an approved hash algorithm for generating signatures, and SHA-3 has been added. (NIST SP 800-57)

Integrity and confidentiality protection measures are more closely aligned with SP 800-152 "A Profile for U.S. Federal Cryptographic Key Management Systems." The key lifecycle was updated to include a "suspended state," in which the use of a key is temporarily suspended, for example when the owner of a digital signature key is not available. Another change is the removal of the "key update" process, which also aligns with SP 800-152.
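The lifecycle described above (generation through destruction, with the suspended state added in the 2015 revision) is easiest to reason about as a state machine whose transitions and permitted operations are enforced in code rather than in procedure alone. The following is an added example, not code from the article or from NIST or Cryptomathic; the state names follow the SP 800-57 lifecycle, but the exact transition table and the usage policy (only an active key may apply protection; suspended and deactivated keys may only process already-protected data; compromised and destroyed keys may do neither) are this example's assumptions and should be checked against the standard before use. Note that there is deliberately no "key update" transition, matching the revised standard.

```python
from enum import Enum


class KeyState(Enum):
    """Key lifecycle states as named in SP 800-57 Part 1 Rev. 4."""
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"


# Permitted transitions (assumption of this example, not quoted from the
# standard). There is no "key update" edge: a new key is generated instead.
ALLOWED_TRANSITIONS = {
    KeyState.PRE_ACTIVATION: {KeyState.ACTIVE, KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.SUSPENDED, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.SUSPENDED: {KeyState.ACTIVE, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.DEACTIVATED: {KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),  # terminal state
}

# Usage policy (assumption of this example): which states may apply new
# cryptographic protection (sign/encrypt) and which may still process data
# that was protected earlier (verify/decrypt).
MAY_APPLY_PROTECTION = {KeyState.ACTIVE}
MAY_PROCESS_PROTECTED = {KeyState.ACTIVE, KeyState.SUSPENDED, KeyState.DEACTIVATED}


class ManagedKey:
    """A key record whose state changes are validated and audited."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.state = KeyState.PRE_ACTIVATION
        # Audit trail of (from_state, to_state, reason); a real CKMS would
        # persist this to a tamper-evident log.
        self.audit: list[tuple[KeyState, KeyState, str]] = []

    def transition(self, new_state: KeyState, reason: str) -> KeyState:
        """Move to new_state if the lifecycle allows it; raise otherwise."""
        if new_state not in ALLOWED_TRANSITIONS[self.state]:
            raise ValueError(
                f"{self.key_id}: transition {self.state.value} -> "
                f"{new_state.value} is not permitted"
            )
        self.audit.append((self.state, new_state, reason))
        self.state = new_state
        return self.state

    def may_apply_protection(self) -> bool:
        """True only while the key is active (e.g. generating signatures)."""
        return self.state in MAY_APPLY_PROTECTION

    def may_process_protected_data(self) -> bool:
        """True while previously protected data may still be processed."""
        return self.state in MAY_PROCESS_PROTECTED


def run_signing_key_scenario() -> ManagedKey:
    """Constructed walk-through: a signing key whose owner is temporarily unavailable."""
    key = ManagedKey("sig-key-example-01")  # constructed identifier
    key.transition(KeyState.ACTIVE, "key generated, distributed and approved for use")
    key.transition(KeyState.SUSPENDED, "signature owner unavailable")
    key.transition(KeyState.ACTIVE, "signature owner returned")
    key.transition(KeyState.DEACTIVATED, "cryptoperiod ended")
    return key


if __name__ == "__main__":
    k = run_signing_key_scenario()
    for src, dst, why in k.audit:
        print(f"{src.value:>14} -> {dst.value:<12} ({why})")
    print("apply protection:", k.may_apply_protection())
    print("process protected data:", k.may_process_protected_data())
```

The point of the `transition` check is that a deactivated or destroyed key can never be quietly reactivated, and the point of the two policy sets is that a suspended key stops producing new signatures immediately while verification of existing ones continues; both are properties a reviewer can test directly rather than infer from procedure documents.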

SP 800-152 was based on SP 800-130 "A Framework for Designing Cryptographic Key Management Systems." The publication covers topics to consider and documentation requirements when designing a Cryptographic Key Management System (CKMS). The standard includes requirements for policy, procedure, and all components, including hardware, software, and firmware.

These revisions provide the updates needed to improve a standard for cryptographic key managers. The standard can serve as a guideline of best practices for both developers and system administrators. By adhering effectively to the guideline, organizations can raise their level of cyber security and continue to mitigate the risks associated with protecting sensitive data.

Image: Data Breach, courtesy of Blogtrepreneur, Flickr (CC BY 2.0)