Key Management: General
User registration
A function in the lifecycle of keying material; a process whereby an entity becomes a member of a security domain.
X.509 certificate
The X.509 public-key certificate or the X.509 attribute certificate, as defined by the ISO/ITU-T X.509 standard. Most commonly (including in this document), an X.509 certificate refers to the X.509 public-key certificate.
X.509 public-key certificate
A digital certificate containing a public key for an entity and a name for that entity, together with some other information that is rendered un-forgeable by the digital signature of the certification authority that issued the certificate, encoded in the format defined in the ISO/ITU-T X.509 standard.
2.2 Acronyms
The following abbreviations and acronyms are used in this Recommendation:
2TDEA Two-key Triple Data Encryption Algorithm specified in [SP800-67].
3TDEA Three-key Triple Data Encryption Algorithm specified in [SP800-67].
AES Advanced Encryption Standard specified in [FIPS197].
ANS American National Standard.
ANSI American National Standards Institute.
CA Certification Authority.
CRC Cyclic Redundancy Check.
CRL Certificate Revocation List.
DRBG Deterministic Random Bit Generator.
DSA Digital Signature Algorithm specified in [FIPS186].
ECC Elliptic Curve Cryptography.
ECDSA Elliptic Curve Digital Signature Algorithm specified in [ANSX9.62] and approved in [FIPS186].
FFC Finite Field Cryptography.
FIPS Federal Information Processing Standard.
HMAC Keyed-Hash Message Authentication Code specified in [FIPS198].
IFC Integer Factorization Cryptography.
IV Initialization Vector.
MAC Message Authentication Code.
NIST National Institute of Standards and Technology.
PKI Public-Key Infrastructure.
POP Proof of Possession.
RA Registration Authority.
RBG Random Bit Generator.
RNG Random Number Generator.
RSA Rivest, Shamir, Adleman; an algorithm approved in [FIPS186] for digital signatures and in [SP800-56B] for key establishment.
S/MIME Secure/Multipurpose Internet Mail Extensions.
TDEA Triple Data Encryption Algorithm; Triple DEA specified in [SP800-67].
TLS Transport Layer Security.
3 Security Services
Cryptography may be used to perform or support several basic security services: confidentiality, integrity authentication, source authentication, authorization and non-repudiation. These services may also be required to protect cryptographic keying material. In addition, there are other cryptographic and non-cryptographic mechanisms that are used to support these security services. In general, a single cryptographic mechanism may provide more than one service (e.g., the use of digital signatures can provide integrity authentication and source authentication), but not all services.
3.1 Confidentiality