Key Management: General 69

6.2 Protection Mechanisms

During the lifetime of cryptographic information, the information is either “in transit” e.g., is in the process of being manually distributed or distributed using automated protocols to the authorized communication participants for use by those entities, “at rest” e.g., the information is in storage or “in use.” In all cases, the keying material shall be protected in accordance with Section 6.1 . For keys that are in use, the keys shall reside and be used within appropriate cryptographic modules; note that a key being in use does not preclude that key from also being simultaneously in transit andor in storage. While in transit or in storage, the choice of protection mechanisms may vary. Although several methods of protection are provided in the following subsections, not all methods provide equal security. The method should be carefully selected. In addition, the mechanisms prescribed do not, by themselves, guarantee protection. The implementation and the associated key management need to provide adequate security to prevent any feasible attack from being successful.

6.2.1 Protection Mechanisms for Cryptographic Information in Transit

Cryptographic information in transit may be keying material that is being distributed in order to obtain a cryptographic service e.g., establish a key that will be used to provide confidentiality see Section 8.1.5 , cryptographic information that is being backed up or archived for possible use or recovery in the future see Sections 8.2.2 and 8.3.1 , or is in the process of being recovered see Sections 8.2.2.2 , 8.3.1 and Appendix B . This may be accomplished manually i.e., via a trusted courier, in an automated fashion i.e., using automated communication protocols or by some combination of manual and automated methods. For some protocols, the protections are provided by the protocol; in other cases, the protection of the keying material is provided directly to the keying material e.g., the keying material is encrypted prior to transmission for decryption only by the receiving party. It is the responsibility of the originating entity to apply protection mechanisms, and the responsibility of the recipient to undo or check the mechanisms used.

6.2.1.1 Availability

Since communications may be garbled, intentionally altered, or destroyed, the availability of cryptographic information after transit cannot be assured using cryptographic methods. However, availability can be supported by redundant or multiple channels, store and forward systems deleting by the sender only after confirmation of receipt, error correction codes, and other non-cryptographic mechanisms. Communication systems should incorporate non-cryptographic mechanisms to ensure the availability of transmitted cryptographic information after it has been successfully received, rather than relying on retransmission by the original sender for future availability

6.2.1.2 Integrity

Integrity protection involves both the prevention and detection of modifications to information. When modifications are detected, measures may be taken to restore the information to its unaltered form. Cryptographic mechanisms are often used to detect unauthorized Key Management: General 70 modifications. The integrity of cryptographic information during transit shall be protected using one or more of the following mechanisms: 1. Manual method physical protection is provided: a An integrity mechanism e.g., a CRC, MAC or digital signature is used on the information, and the resulting code is provided to the recipient for subsequent verification. Note: A CRC may be used instead of a MAC or digital signature, since the physical protection is only intended to protect against intentional modifications. -OR- b The keying material is used to perform the intended cryptographic operation. If the received information does not conform to the expected format, or the data is inconsistent in the context of the application, then the keying material may have been corrupted. 2. Automated distribution via communication protocols provided by the user or by the communication protocol: a An approved cryptographic integrity mechanism e.g., a MAC or digital signature is used on the information, and the resulting code is provided to the recipient for subsequent verification. Note that a CRC is not approved for this purpose. The integrity mechanism may be applied only to the cryptographic information, or may be applied to an entire message. -OR- b The keying material is used to perform the intended cryptographic operation. If the use of the keying material produces incorrect results, or the data is inconsistent in the context of the application, then the received keying material may have been corrupted. The response to the detection of an integrity failure will vary, depending on the specific environment. Improper error handling can allow attacks e.g., side channel attacks. A security policy see [ SP800-57, Part 2 ] should define the response to such an event. For example, if an error is detected in the received information, and the receiver requires that the information is entirely correct e.g., the receiver cannot proceed when the information is in error, then: a. The information should not be used, b. The recipient may request that the information be resent retransmissions should be limited to a predetermined maximum number of times, and

c. Information related to the incident should be stored in an audit log to later identify the