Key Management: General
8.1.5.3.4 RBG Seeds
A Random Bit Generator (RBG) is a device or algorithm that outputs a sequence of bits that is unpredictable; RBGs are often called Random Number Generators. Approved RBGs are specified in [SP800-90]. RBGs depend on the introduction of truly random bits called seeds, which are used to initialize an RBG and that must be kept secret. An initialized RBG is often used to generate keys and other values requiring unpredictability. The seeds themselves shall not be used for any purpose other than RBG input. Seeds shall only be transmitted using secure channels that protect the confidentiality and integrity of the seeds, as well as providing replay protection[41] and mutual authentication[42].
8.1.5.3.5 Other Public and Secret Information
Public and secret information may be used during the seeding of an RBG (see Section 8.1.5.3.4) or during the generation or establishment of keying material (see [SP800-56A], [SP800-56B] and [SP800-108]). Public information may be distributed; secret information shall be protected in the same manner as a private or secret key during distribution.
8.1.5.3.6 Intermediate Results
Intermediate results occur during computation using cryptographic algorithms. These results shall not be distributed as or with the keying material.
8.1.5.3.7 Random Bits/Numbers
Random bits or numbers are used for many purposes, including the generation of keys and nonces, and the issuing of challenges during communication protocols. Random bits may be
distributed, but whether or not confidentiality protection is required depends on the context in which the random bits are used.
8.1.5.3.8 Passwords
Passwords are used for identity authentication or authorization, and, in some cases, to derive keying material (see [SP800-132]). Passwords may be distributed, but their protection during
distribution shall be consistent with the protection required for their use. For example, if the password will be used to access cryptographic keys that are used to provide 128 bits of security
strength when protecting data, then the password needs to be provided with at least 128 bits of protection as well. Note that poorly selected passwords may not themselves provide the
required amount of protection for key access and are potentially the weak point of the process; i.e., it may be far easier to guess the password than to attempt to “break” the cryptographic
protection used on the password. It is the responsibility of users and organizations to select passwords that provide the requisite amount of protection for the keys they protect.
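An added example, not part of the source document, that quantifies the comparison above under the assumption that every character is drawn uniformly at random from an alphabet of distinct characters; the function names and the 94-character printable-ASCII figure are choices made here. It says nothing about human-chosen passwords, which the paragraph identifies as the potential weak point.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
)

// StrengthBits is the guessing strength, in bits, of a password of the given
// length whose characters are uniformly random over alphabetSize symbols.
func StrengthBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// MinLength is the shortest uniformly random password reaching targetBits.
func MinLength(alphabetSize, targetBits int) int {
	return int(math.Ceil(float64(targetBits) / math.Log2(float64(alphabetSize))))
}

// Generate draws a password that meets targetBits from the OS CSPRNG.
func Generate(alphabet string, targetBits int) (string, error) {
	chars := []rune(alphabet) // assumed to contain no repeated characters
	if len(chars) < 2 {
		return "", errors.New("alphabet needs at least two characters")
	}
	out := make([]rune, MinLength(len(chars), targetBits))
	for i := range out {
		k, err := rand.Int(rand.Reader, big.NewInt(int64(len(chars)))) // unbiased index
		if err != nil {
			return "", err
		}
		out[i] = chars[k.Int64()]
	}
	return string(out), nil
}

func main() {
	// 94 = printable ASCII characters excluding space (an assumption made here)
	fmt.Printf("8 random printable characters: %.1f bits\n", StrengthBits(94, 8))
	fmt.Printf("length needed for 128 bits: %d characters\n", MinLength(94, 128))
	pw, err := Generate("0123456789abcdef", 128)
	fmt.Println(len(pw), err)
}
```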
[41] Assurance that a valid data transmission is not maliciously or fraudulently repeated or delayed.
[42] Authentication by each party in a transaction of the identity of the other party.
8.1.6 Key Registration Function
Key registration results in the binding of keying material to information associated with a particular entity. Keys that would be registered include the public key of an asymmetric key pair and the symmetric key used to bootstrap an entity into a system. Normally, keys generated during communications (e.g., using key-agreement schemes or key derivation functions) would not be registered. Information provided during registration typically includes the identifier of the entity associated with the keying material and the intended use of the keying material (e.g., as a signing key, data-encryption key, etc.). Additional information may include authorization information or specify a level of trust. The binding is performed after the entity’s identity has been authenticated by a means that is consistent with the system policy (see Section 8.1.1). The binding provides assurance to the community-at-large that the keying material is used by the correct entity in the correct application. The binding is often cryptographic, which creates a strong association between the keying material and the entity. A trusted third party performs the binding. Examples of a trusted third party include a Kerberos realm server or a PKI certification authority (CA). Identifiers issued by a trusted third party shall be unique to that party.
When a Kerberos realm server performs the binding, a symmetric key is stored on the server with the corresponding metadata. In this case, the registered keying material is maintained in
secure storage (i.e., the keys are provided with confidentiality and integrity protection).
When a CA performs the binding, the public key and associated information (often called attributes) are placed in a public-key certificate, which is digitally signed by the CA. In this
case, the registered keying material may be made publicly available.
When a CA provides a certificate for a public key, the public key shall be verified to ensure that it is associated with the private key known by the purported owner of the public key. This
provides assurance of possession. When POP is used to obtain assurance of possession, the assurance shall be accomplished as specified in Section 8.1.5.1.1.2.
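An added example, not part of the source document, of a registrar that binds a public key to an identifier and intended use only after checking possession of the private key and uniqueness of the identifier. The self-signed request used as the proof is an assumption in the style of a certificate signing request, not the method of Section 8.1.5.1.1.2, and `Request`, `Registrar` and the signed message layout are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Request carries identifier, intended use, public key and a self-signature.
type Request struct {
	ID, Use string
	Pub     ed25519.PublicKey
	Sig     []byte
}

// tbs returns the bytes covered by the proof-of-possession signature.
func (q Request) tbs() []byte {
	return []byte(fmt.Sprintf("register|%q|%q|%x", q.ID, q.Use, q.Pub))
}

// NewRequest is the applicant's side: sign the request fields with priv.
func NewRequest(id, use string, pub ed25519.PublicKey, priv ed25519.PrivateKey) Request {
	q := Request{ID: id, Use: use, Pub: pub}
	q.Sig = ed25519.Sign(priv, q.tbs())
	return q
}

// Registrar plays the trusted third party (hypothetical, in-memory).
type Registrar struct{ byID map[string]Request }

// Register binds only if the identifier is unused and Sig verifies under Pub.
func (r *Registrar) Register(q Request) error {
	if _, taken := r.byID[q.ID]; taken {
		return errors.New("identifier already registered")
	}
	if len(q.Pub) != ed25519.PublicKeySize || !ed25519.Verify(q.Pub, q.tbs(), q.Sig) {
		return errors.New("proof of possession failed")
	}
	r.byID[q.ID] = q
	return nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	_, malloryPriv, _ := ed25519.GenerateKey(nil)
	r := &Registrar{byID: map[string]Request{}}
	fmt.Println(r.Register(NewRequest("mallory", "signing", alicePub, malloryPriv)))
	fmt.Println(r.Register(NewRequest("alice", "signing", alicePub, alicePriv)))
}
```

Because the intended use is inside the signed bytes, changing it after signing also invalidates the proof.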
8.2 Operational Phase