Key Types and Crypto-Periods: NIST Key Management Recommendations

This article introduces and classifies cryptographic key types and crypto-periods as suggested by NIST, based on proven best practices for key management. It outlines the recommendations of when and how keys are used to protect data and explains how appropriate crypto-periods can be chosen and enforced.

Key Types

At the highest level, there are two primary types of cryptographic keys: symmetric and asymmetric. The latter comes in mathematically-related pairs consisting of a private key and a public key. The security of cryptographic applications crucially depends on symmetric keys and private keys always being kept secret. Public keys - as their name implies - are not secret.

Going a little deeper, NIST (National Institute of Standards and Technology) suggests to classify keys as private, public or symmetric keys and how they are used. The list below outlines the NIST classification of keys based on their type and usage:

• Private signature key. These keys are the private / security sensitive component of asymmetric key pairs, where the private signature key is used to generate digital signatures, which could have long-term implications. When used correctly, digital signatures provide integrity authentication, source authentication and support for non-repudiation of documents, messages and stored data.
• Public signature-verification key. As the public “part” of an asymmetric key pair, the public signature-verification key is used by a public-key algorithm for verifying digital signatures.
• Symmetric authentication key. These keys are used with symmetric-key algorithms to provide integrity authentication and source authentication for messages, documents, stored data and communication sessions. A single key is used for authentication and encryption for authenticated-encrypted modes of operation.
• Private authentication key. This is the private key part of an asymmetric key pair that is used along with a public-key algorithm to provide assurance of identity when authenticating a communication session.
• Public authentication key. This key is the public key of an asymmetric key pair, used to provide assurance of an originating entity’s identity when establishing an authenticated communication session.
• Symmetric data-encryption key. This key is used to protect the confidentiality of data through symmetric encryption. The same key is also used to decrypt.
• Symmetric key wrapping key. Known also as a key-encrypting key(KEK), these keys are used in encrypting other keys.
• Symmetric random number generation keys. This type of key is used in generating random numbers or bits.
• Symmetric master key. Also known as a key-derivation key, this key is used to derive other symmetric keys.
• Private key-transport key. This key is the private half of an asymmetric key pair that is used to decrypt keys that have been encrypted by a corresponding public key. 
• Public key-transport key. This key is the public half of an asymmetric key pair used for encrypting keys with a public-key algorithm. As the name suggests, these keys are used to protect other keys when being transported across networks.
• Symmetric key-agreement key. This key is used to establish keys with a symmetric key-agreement algorithm.
• Private static key-agreement key. This key is the long-term private key in an asymmetric key pair that is used to establish keys and, sometimes, other keying material.
• Public static key-agreement key. This key is the long-term public key in an asymmetric key pair that is used in establishing keys and, often other keying material.
• Private ephemeral key-agreement key. This key is a short-term private key of an asymmetric key pair that is used only once to establish one or more keys.
• Public ephemeral key-agreement key. This key is the short-term public key of an asymmetric key pair that is used only once to establish one or more keys.
• Symmetric authorization key. This key provides privileges to an entity who is using a symmetric cryptographic method. The authorization key is known by the entity who monitors and grants access privileges.
• Private authorization key. This is the private key of an asymmetric key pair that is used to assign privileges to an entity.
• Public authorization key. This is the public key of an asymmetric key pair that verifies privileges of an entity that knows the associated private authorization key.

Regardless of classification, a single key should only be used for one purpose, whether it is for encryption, authentication, digital signatures, key wrapping or random bit generation. This is because using a key for two different cryptographic processes could weaken the security provided by the processes.

Furthermore, not all keys work well together and could contradict one another. By restricting usage of a single key to only its single intended purpose can limit damage if the key were to be compromised.

Crypto-Periods

A crypto-period is the length of time in which a specific key is authorized for use. A properly defined crypto-period should limit:

• The available amount of information that is protected by its key for cryptanalysis
• The amount of exposure if a single key were to be compromised
• The use of a particular algorithm
• The time available for attempts to penetrate mechanisms that protect the key from unauthorized disclosure
• The period in which information could be compromised inadvertently through disclosure of key material to unauthorized entities
• The time available for intensive computational cryptanalytic attacks

There are also certain risk factors that affect the length of a crypto-period, such as the:

• Strength of the cryptographic mechanisms
• Embodiment of the mechanisms
• Operating environment
• Number of transactions or volume of information flow
• Security life of data
• Security function
• Re-keying method
• Key update
• Number of key copies and distribution of the copies
• Number of network nodes sharing a common key
• Personnel turnover
• Level of threat from adversaries to the information
• Threat from new or disruptive technologies to the information

Shorter crypto-periods can enhance security and can make cryptographic algorithms less susceptible to cryptanalysis, according to NIST key management recommendations. In general, the more a key is used, the more susceptible it is to attack and the more data is at risk should it be revealed, so it is important to ensure keys are replaced when required (this process is called updating or cycling).

NIST recommends for most crypto-periods a life span of around one to two years. The length of a crypto-period depends on the type of key, the environment in which it is used and the characteristics of the data being protected. In some cases, a recommended crypto-period might be longer, such as between one to three years with private signature keys or it could be limited to single communication, as might be the case with a symmetric data-encryption key.

The Need to Manage the Lifecycle of Keys

The NIST framework provides useful guidelines for developing a crypto key management policy in order to protect your data. Depending on the data being protected, some industry standards (e.g. PCI DSS) will apply to the secure management of keys and may also have clearly defined crypto-periods that you must comply with. In order to achieve compliance with such standards or regulations, the important part is to be able to show evidence that you always enforce the crypto-periods of the keys as stated in your key management policy.

Both symmetric and asymmetric keys will have various properties such as length and crypto-period that depend on their intended function. Regardless of their properties and intended functions, all keys should be properly managed throughout their life, using an appropriate crypto key management system, to avoid the risk of misuse (e.g. using a key for the wrong purpose or for two different purposes) or compromise.

References and further reading

•  NIST SP800-57 Part 1 Revision 4: A Recommendation for Key Management (2016) by Elaine Barker

• NIST SP800-130: A Framework for Designing Cryptographic Key Management Systems (2013) by Elaine Barker, Miles Smid, Dennis Branstad, and Santosh Chokhani
• Selected articles on Key Management (2012-today) by Ashiq JA, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Martin Eriksen, Peter Landrock, Peter Smirnoff, Stefan Hansen and more
• Selected articles on HSMs (2013-today), by Ashiq JA, Peter Landrock, Peter Smirnoff, Steve Marshall, Torben Pedersen and more