Key Management: General
70
modifications. The integrity of cryptographic information during transit shall be protected using one or more of the following mechanisms:
1. Manual method physical protection is provided: a An integrity mechanism e.g., a CRC, MAC or digital signature is used on the
information, and the resulting code is provided to the recipient for subsequent verification. Note: A CRC may be used instead of a MAC or digital signature, since
the physical protection is only intended to protect against intentional modifications.
-OR- b The keying material is used to perform the intended cryptographic operation. If the
received information does not conform to the expected format, or the data is inconsistent in the context of the application, then the keying material may have
been corrupted.
2. Automated distribution via communication protocols provided by the user or by the communication protocol:
a An approved cryptographic integrity mechanism e.g., a MAC or digital signature
is used on the information, and the resulting code is provided to the recipient for subsequent verification. Note that a CRC is not approved for this purpose. The
integrity mechanism may be applied only to the cryptographic information, or may be applied to an entire message.
-OR- b The keying material is used to perform the intended cryptographic operation. If the
use of the keying material produces incorrect results, or the data is inconsistent in the context of the application, then the received keying material may have been
corrupted.
The response to the detection of an integrity failure will vary, depending on the specific environment. Improper error handling can allow attacks e.g., side channel attacks. A security
policy see [ SP800-57, Part 2
] should define the response to such an event. For example, if an
error is detected in the received information, and the receiver requires that the information is entirely correct e.g., the receiver cannot proceed when the information is in error, then:
a. The information should not be used, b. The recipient may request that the information be resent retransmissions should be
limited to a predetermined maximum number of times, and
c. Information related to the incident should be stored in an audit log to later identify the
source of the error.
6.2.1.3 Confidentiality
Keying material may require confidentiality protection during transit. If confidentiality protection is required, the keying material shall be protected using one or more of the
following mechanisms:
1. Manual method:
Key Management: General
71
a The keying material is encrypted e.g., wrapped using an approved technique that
provides protection at a security strength that meets or exceeds the security strength required of the keying material.
-OR- b The keying material is separated into key components, with each key component
being generated at a security strength that meets or exceeds the security strength required of the keying material. Each key component is handled, using split-
knowledge procedures see Sections 8.1.5.2.1
and 8.1.5.2.2.1
, so that no single individual can acquire access to all key components.
-OR- c Appropriate physical and procedural protection is provided e.g., by using a trusted
courier. 2. Automated distribution via communication protocols: The keying material is encrypted
e.g., wrapped using an approved technique that provides protection at the security strength that meets or exceeds the security strength required of the keying material.
6.2.1.4 Association with Usage or Application
The association of keying material with its usage or application shall be either specifically identified during the distribution process or be implicitly defined by the use of the application.
See Section 6.2.3
for a discussion of the metadata associated with keys.
6.2.1.5 Association with Other Entities
The association of keying material with the appropriate entity e.g., the entity that shares the keying material shall be either specifically identified during the distribution process e.g.,
using public-key certificates or be implicitly defined by the use of the application. See Section
6.2.3 for a discussion of the metadata associated with keys.
6.2.1.6 Association with Other Related Information
Any association with other related information e.g., domain parameters, the encryptiondecryption key or IVs shall be either specifically identified during the distribution
process or be implicitly defined by the use of the application. See Section 6.2.3
for a discussion of the metadata associated with the other related information.
6.2.2 Protection Mechanisms for Information in Storage
Cryptographic information may be at rest in some device or storage media. This may include copies of the information that is also in transit or in use. Information-at-rest i.e., stored
information, including information contained within a cryptographic module shall be protected in accordance with
Section 6.1 . A variety of protection mechanisms may be used.
The cryptographic information may be stored so as to be immediately available to an application e.g., on a local hard disk or a server; this would be typical for keying material
stored within a cryptographic module or in immediately accessible storage e.g., on a local hard drive. The keying material may also be stored in electronic form on a removable media
e.g., a CD-ROM, in a remotely accessible location, or in hard copy form and placed in a safe; this would be typical for backup or archive storage.
Key Management: General
72
6.2.2.1 Availability
Cryptographic information may need to be readily available for as long as data is protected by the information. A common method for providing this protection is to make one or more copies
of the cryptographic information and store them in separate locations. During a key’s
cryptoperiod, keying material requiring long-term availability should be stored in both normal operational storage see
Section 8.2.1 and in backup storage see
Section 8.2.2.1 .
Cryptographic information that is retained after the end of a key’s cryptoperiod should be placed in archive storage see
Section 8.3.1 . This Recommendation does not preclude the use
of the same storage media for both backup and archive storage. Specifics on the long-term availability requirement for each key type are addressed for backup
storage in Section 8.2.2.1
, and for archive storage in Section 8.3.1
. The recovery of this cryptographic information for use in replacing cryptographic information
that is lost e.g., from normal storage, or in performing cryptographic operations after the end of a key’s cryptoperiod is discussed in Sections
8.2.2.2 recovery during normal operations
and 8.3.1
recovery from archive storage, and in Appendix B
. Even though the primary focus of this section is to provide assurance of the availability of
cryptographic information, there is at least one example where denying the availability of this information may be desired, namely when sanitizing large volumes of information that have
been encrypted. In this case, cryptographic sanitization i.e., destroying the key used to decrypt the information is suggested see [
SP 800-88 ].
6.2.2.2 Integrity
Integrity protection is concerned with ensuring that the information is correct. Absolute protection against modification is not possible. The best that can be done is to use reasonable
measures to prevent modifications, to use methods to detect any modifications that occur with a very high probability, and to restore the information to its original content when
unauthorized modifications have been detected.
All cryptographic information requires integrity protection. Integrity protection shall be provided by physical mechanisms, cryptographic mechanisms or both.
Physical mechanisms include the use of: 1. A validated cryptographic module or operating system that limits access to the stored
information, 2. A computer system or media that is not connected to other systems, and
3. A physically secure environment with appropriate access controls that is outside a computer system e.g., in a safe with limited access.
Cryptographic mechanisms include the use of:
a. An approved cryptographic integrity mechanism e.g., a MAC or digital signature that