Key Management: General
8 Key-Management Phases and Functions
The cryptographic key-management lifecycle can be divided into four phases. During each phase, the keys are in certain specific key states as discussed in Section 7. In addition, within each phase, certain key-management functions are typically performed. These functions are necessary for the management of the keys and their associated metadata.
Key-management information is called metadata. The metadata required for key management might include the identity of a person or system associated with that key or the types of information that person is authorized to access. Metadata is used by applications to select the appropriate cryptographic keys for a particular service. While the metadata does not appear in cryptographic algorithms, it is crucial to the implementation of applications and application protocols.
The four phases of key management are:
1. Pre-operational phase: The keying material is not yet available for normal cryptographic operations. Keys may not yet be generated, or are in the pre-activation state. System or enterprise attributes are established during this phase, as well.
2. Operational phase: The keying material is available and in normal use. Keys are in the active or suspended state. Keys in the active state may be designated as protect only, process only, or protect and process; keys in the suspended state can be used for processing only.
3. Post-operational phase: The keying material is no longer in normal use, but access to the keying material is possible, and the keying material may be used for processing. Keys are in the deactivated or compromised states. Keys in the post-operational phase may be in an archive (see Section 8.3.1) when not processing data.
4. Destroyed phase: Keys are no longer available. Records of their existence may or may not have been deleted. Keys are in the destroyed state. Although the keys themselves are destroyed, the key metadata (e.g., key name, type, cryptoperiod, and usage period) may be retained (see Section 8.4).
A flow diagram for the key management phases is presented in Figure 4. Seven phase transitions are identified in the diagram. A key shall not be able to transfer back to any previous phase.
Figure 4: Key management phases.
Transition 1: A key is in the pre-operational phase upon generation (pre-activation state).
Transition 2: If keys are produced, but never used, they may be destroyed by transitioning from the pre-operational phase directly to the destroyed phase.
Transition 3: When a key in the pre-operational phase is compromised, it transitions to the post-operational phase (compromised state).
Transition 4: After the required key metadata has been established, keying material has been generated, and the metadata is associated with the key during the pre-operational phase, the key is ready to be used by applications and transitions to the operational phase at the appropriate time.
Transition 5: When a key in the operational phase is compromised, it transitions to the post-operational phase (compromised state).
Transition 6: When keys are no longer required for normal use (i.e., the end of the cryptoperiod has been reached and the key is no longer “active”), but access to those keys needs to be maintained, the key transitions to the post-operational phase.
Transition 7: Some applications will require that access be preserved for a period of time, and then the keying material may be destroyed. When it is clear that a key in the post-operational phase is no longer needed, it may transition to the destroyed phase.
The combination of key states and key phases is illustrated in Figure 5.
Figure 5: Key management states and phases.
The following subsections discuss the functions that are performed in each phase of key management. A key-management system may not have all identified functions, since some functions may not be appropriate. In some cases, one or more functions may be combined, or the functions may be performed in a different order. For example, a system may omit the functions of the post-operational phase if keys are immediately destroyed when they are no longer used to apply cryptographic protection or are compromised. In this case, keys would move from the operational phase directly to the destroyed phase.
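The phases, states and numbered transitions above can be enforced as a small state machine. The following Python sketch is an added example, not part of the original document: the names `ManagedKey`, `TRANSITIONS` and `PERMITTED` are hypothetical, and the "protect"/"process" permissions per state are read from the phase descriptions above. It models only the seven transitions of Figure 4, not the direct operational-to-destroyed shortcut mentioned for systems that omit the post-operational phase.

```python
from enum import IntEnum


class Phase(IntEnum):
    PRE_OPERATIONAL = 1
    OPERATIONAL = 2
    POST_OPERATIONAL = 3
    DESTROYED = 4


P = Phase
# Transition number -> (from phase, to phase, resulting key state).
# Transition 1 is generation itself: the key starts in the pre-activation state.
TRANSITIONS = {
    2: (P.PRE_OPERATIONAL, P.DESTROYED, "destroyed"),
    3: (P.PRE_OPERATIONAL, P.POST_OPERATIONAL, "compromised"),
    4: (P.PRE_OPERATIONAL, P.OPERATIONAL, "active"),
    5: (P.OPERATIONAL, P.POST_OPERATIONAL, "compromised"),
    6: (P.OPERATIONAL, P.POST_OPERATIONAL, "deactivated"),
    7: (P.POST_OPERATIONAL, P.DESTROYED, "destroyed"),
}
# "A key shall not be able to transfer back to any previous phase."
assert all(dst > src for src, dst, _ in TRANSITIONS.values())

# Uses allowed per state; an active key may be narrowed further by designation.
PERMITTED = {
    "pre-activation": set(),
    "active": {"protect", "process"},
    "suspended": {"process"},
    "deactivated": {"process"},
    "compromised": {"process"},
    "destroyed": set(),
}


class ManagedKey:
    def __init__(self, name):
        self.name = name              # metadata; may be retained after destruction
        self.phase, self.state = P.PRE_OPERATIONAL, "pre-activation"
        self.history = [1]            # transition 1: generation

    def transition(self, number):
        src, dst, state = TRANSITIONS[number]
        if self.phase != src:
            raise ValueError(f"transition {number} not valid from {self.phase.name}")
        self.phase, self.state = dst, state
        self.history.append(number)

    def suspend(self):
        if self.state != "active":
            raise ValueError("only an active key can be suspended")
        self.state = "suspended"      # state change within the operational phase

    def may(self, use):
        return use in PERMITTED[self.state]
```
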
8.1 Pre-operational Phase