Key Usage NIST Special Publication 800-63B

Key Management: General

6. Other secret information: Secret information may be included in the seeding of an RBG or in the establishment of keying material.

7. Intermediate Results: The intermediate results of cryptographic operations using secret information must be protected. Intermediate results shall not be available for purposes other than as intended.

8. Key-control information: Information related to the keying material (e.g., the identifier, purpose, or a counter) must be protected to ensure that the associated keying material can be correctly used. The key-control information is included in the metadata associated with the key (see Section 6.2.3.1).

9. Random numbers or bits: The random numbers created by a random bit generator should be protected when retained. When used directly as keying material or in its generation, the random bits shall be protected as discussed in Section 6.

10. Passwords: A password is used to acquire access to privileges and can be used as a credential in a source-authentication mechanism. A password can also be used to derive cryptographic keys that are used to protect and access data in storage, as specified in [SP800-132].

11. Audit information: Audit information contains a record of key-management events.

5.2 Key Usage

In general, a single key shall be used for only one purpose (e.g., encryption, integrity authentication, key wrapping, random bit generation, or digital signatures). There are several reasons for this:

1. The use of the same key for two different cryptographic processes may weaken the security provided by one or both of the processes.

2. Limiting the use of a key limits the damage that could be done if the key is compromised.

3. Some uses of keys interfere with each other. For example, consider a key pair used for both key transport and digital signatures. In this case, the private key is used as both a private key-transport key to decrypt the encrypted keys and as a private signature key to apply digital signatures. It may be necessary to retain the private key-transport key beyond the cryptoperiod of the corresponding public key-transport key in order to decrypt the encrypted keys needed to access encrypted data. On the other hand, the private signature key shall be destroyed at the expiration of its cryptoperiod to prevent its compromise (see Section 5.3.6). In this example, the longevity requirements for the private key-transport key and the private digital-signature key contradict each other.

This principle does not preclude using a single key in cases where the same process can provide multiple services. This is the case, for example, when a digital signature provides integrity authentication and source authentication using a single digital signature, or when a single symmetric key can be used to encrypt and authenticate data in a single cryptographic operation (e.g., using an authenticated-encryption operation, as opposed to separate encryption and authentication operations). Also, refer to Section 3.7.
This Recommendation permits the use of a private key-transport or key-agreement key to generate a digital signature for the following special case: When requesting the initial certificate for a static key-establishment key, the corresponding private key may be used to sign the certificate request. Also refer to Section 8.1.5.1.1.2.
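
The single-purpose rule and its certificate-request special case can be checked against audit information. The following is an added example, not part of the NIST text: it audits key-usage events against each key's declared purpose. The key identifiers, purpose labels, event fields and context strings are all constructed for illustration, and the listed key-establishment keys are assumed to be static.

```python
from collections import defaultdict

# Key-control information (constructed): key identifier -> its one declared purpose.
KEY_PURPOSE = {
    "k-enc-01": "encryption",
    "k-kt-07": "key-transport",
    "k-kt-09": "key-transport",
    "k-sig-03": "digital-signature",
}

# Constructed audit events: (key identifier, operation performed, context).
EVENTS = [
    ("k-enc-01", "encryption", "storage"),
    ("k-kt-07", "key-transport", "session-setup"),
    ("k-kt-07", "digital-signature", "initial-certificate-request"),
    ("k-kt-09", "digital-signature", "document-signing"),
    ("k-sig-03", "digital-signature", "document-signing"),
    ("k-sig-03", "key-wrapping", "backup"),
    ("k-old-02", "encryption", "storage"),  # no metadata recorded for this key
]

KEY_ESTABLISHMENT = {"key-transport", "key-agreement"}


def check_use(key_id, operation, context, purposes=KEY_PURPOSE):
    """Return None if the use is permitted, else a short reason string."""
    declared = purposes.get(key_id)
    if declared is None:
        return "no key-control information"
    if operation == declared:
        return None
    # Special case: a key-establishment private key may sign the request
    # for its own initial certificate (keys here are assumed static).
    if (operation == "digital-signature" and declared in KEY_ESTABLISHMENT
            and context == "initial-certificate-request"):
        return None
    return f"declared for {declared}, used for {operation}"


def audit(events, purposes=KEY_PURPOSE):
    """Group single-purpose rule violations by key identifier."""
    findings = defaultdict(list)
    for key_id, operation, context in events:
        reason = check_use(key_id, operation, context, purposes)
        if reason:
            findings[key_id].append(reason)
    return dict(findings)


if __name__ == "__main__":
    for key_id, reasons in audit(EVENTS).items():
        print(key_id, reasons)
```
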

5.3 Cryptoperiods