Key Management: General 46 Key Type Crytoperiod Originator-Usage Period OUP Recipient-Usage Period 17. Symmetric Authorization Key 2 years 18. Private Authorization Key 2 years 19. Public Authorization Key 2 years

5.3.7 Recommendations for Other Cryptographic or Related Information

Information other than keys does not have well-established cryptoperiods, per se. The following recommendations are offered regarding the disposition of this other keying material: 1. Domain parameters remain in effect until changed. 2. An IV is associated with the information that it helps to protect, and is needed until the information in its cryptographically protected form is no longer needed.

3. Shared secrets generated during the execution of key-agreement schemes shall be

destroyed as soon as they are no longer needed to derive keying material. 4. RBG seeds shall be destroyed immediately after use. 5. Other public information should not be retained longer than needed for cryptographic processing. 6. Other secret information shall not be retained longer than necessary. 7. Intermediate results shall be destroyed immediately after use.

5.4 Assurances

When cryptographic keys and domain parameters are stored or distributed, they may pass through unprotected environments. In this case, specific assurances are required before the key or domain parameters may be used to perform normal cryptographic operations.

5.4.1 Assurance of Integrity Integrity Protection

Assurance of integrity shall be obtained prior to using all keying material. At a minimum, assurance of integrity shall be obtained by verifying that the keying material has the appropriate format and came from an authorized source. Additional assurance of integrity may be obtained by the proper use of error detection codes, message authentication codes, and digital signatures.

5.4.2 Assurance of Domain Parameter Validity

Domain parameters are used by discrete log public-key algorithms during the generation of key pairs and digital signatures, and during the generation of shared secrets during the execution of a key-agreement scheme that are subsequently used to derive keying material. Assurance of the validity of the domain parameters is important to applications of public-key cryptography and shall be obtained prior to using them. Key Management: General 47 Invalid domain parameters could void all intended security for all entities using the domain parameters. Methods for obtaining assurance of domain-parameter validity for the DSA and ECDSA digital signature algorithms are provided in [SP800-89] . Methods for obtaining assurance of domain-parameter validity for finite-field and elliptic-curve discrete-log key- agreement algorithms are provided in [SP800-56A] . Note that if a public key is certified by a CA for these algorithms, the CA could obtain this assurance during the certification process. Otherwise, the key-pair owner and any relying parties are responsible for obtaining the assurance.

5.4.3 Assurance of Public-Key Validity

Assurance of public-key validity shall be obtained on all public keys before using them. Assurance of public-key validity gives the user confidence that the public key is arithmetically correct. This reduces the probability of using weak or corrupted keys. Invalid public keys could result in voiding the intended security, including the security of the operation i.e., digital signature, key establishment, or encryption, leaking some or all information from the owners private key, and leaking some or all information about a private key that is combined with an invalid public key as may be done when key agreement or public-key encryption is performed. One of several ways to obtain assurance of validity is for an entity to verify certain mathematical properties that the public key should have. Another way is to obtain the assurance from a trusted third party e.g., a CA that the trusted party validated the properties. Methods of obtaining assurance of public-key validity for the DSA, ECDSA and RSA digital signature algorithms are provided in [SP800-89] . Methods for obtaining this assurance for the finite-field and elliptic-curve discrete-log key-establishment schemes are provided in [SP800- 56A] . Methods for obtaining assurance of partial public-key validity for the RSA key- establishment schemes are provided in [SP800-56B] . 5.4.4 Assurance of Private-Key Possession Assurance of static i.e., long-term private-key possession shall be obtained before the use of the corresponding static public key. Assurance of validity shall always be obtained prior to, or concurrently with, assurance of possession. Assurance of private-key possession shall be obtained by both the owner of the key pair and by other entities that receive the public key of that key pair and use it to interact with the owner. For specific details regarding assurance of the possession of private key-establishment keys, see [SP800-56A] and [SP800-56B] ; for specific details regarding assurance of the possession of private digital-signature keys, see [SP800-89] . Note that for public keys that are certified by a CA, the CA could obtain this assurance during the certification process. Otherwise, the owner and relying parties are responsible for obtaining the assurance.

5.5 Compromise of Keys and other Keying Material