On September 18, 2017 this (legacy) site will be replaced with the new site you can see at beta.csrc.nist.rip. At that time, links to this legacy site will be automatically redirected to appropriate links on the new site.


Key Management

About Key Management

Generally speaking, there are two types of key establishment techniques: 1) techniques based on asymmetric (public key) algorithms, and 2) techniques based on symmetric (secret key) algorithms. However, hybrid techniques are also commonly used, whereby public key techniques are used to establish symmetric (secret) key-encryption keys, which are then used to establish other symmetric (secret) keys.


Key Management Project

NIST recently announced a new Key Management Project. For more information see the Cryptographic Key Management Project homepage.


Key Management Guidelines

January 28, 2016: NIST announces the completion of Special Publication (SP) 800-57, Part 1 Rev. 4, Recommendation for Key Management, Part 1: General. This Recommendation provides general cryptographic key management guidance. The proper management of cryptographic keys is essential to the effective use of cryptography for security.

November 8, 2015: NIST announces the completion of Special Publication (SP) 800-131A, Rev. 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. SP 800-131A, Rev. 1 provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms by Federal government agencies when protecting sensitive, but unclassified information.

October 30, 2015: NIST announces the publication of Special Publication (SP) 800-152: A Profile for U.S. Federal Cryptographic Key Management Systems. This document contains requirements for the design, implementation, procurement, installation, configuration, management, operation, and use of a Key Management System by U.S. Federal organizations. The Profile is based on NIST Special Publication (SP) 800-130: A Framework for Designing Cryptographic Key Management Systems (CKMS).

Final comments received for final draft of SP 800-152.

September 10, 2015: NIST requests comments on Draft Special Publication 800-57 Part 1, Rev. 4, Recommendation for Key Management: Part 1: General. This Recommendation provides general guidance and best practices for the management of cryptographic keying material. A list of changes is provided in Appendix D of the document. The comment period ended October 31, 2015.

Comments received on NIST SP 800-57, Part 1, Rev 4 (by 10/31/15 deadline)

July 10, 2015: Update - See November 8, 2015 entry above. NIST requests comments on a revision of Special Publication (SP) 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, which was originally published in January 2011.

Comments received on NIST SP 800-131A (by the August 14, 2015 deadline).


January 23, 2015: Special Publication 800-57, Part 3, Revision 1, Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance, is intended primarily to help system administrators and system installers adequately secure applications based on product availability and organizational needs and to support organizational decisions about future procurements. This document also provides information for end users regarding application options left under their control in a normal use of the application.
 
This revision updates cryptographic requirements for the protocols and applications in the document so that the current required security strengths, as specified in SP 800-131A, can be achieved. This revision also adds security-related updates from the protocols addressed in the original version of the document, as well as a new section for Secure Shell (SSH).
 
The applications and protocols addressed in this revision are: Public Key Infrastructures (PKI), Internet Protocol Security (IPsec), Secure/Multipurpose Internet Mail Extensions (S/MIME), Kerberos, Over-the-Air Rekeying of Digital Radios (OTAR), Domain Name System Security Extensions (DNSSEC), Encrypted File Systems (EFS) and Secure Shell (SSH).


December 18, 2014: Please see October 30, 2015 entry (above) for latest version. NIST requested comments on DRAFT Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. The public comment period ended February 18, 2015.

Note that these comments will be posted for public review. Note that this revision includes references to some of the security controls in SP 800-53. Comments on the accuracy of these references would be appreciated.

Comments received on SP 800-152 (by 2/18/15 deadline)


May 5, 2014: NIST would like to request comments on a Draft Revision of SP 800-57 Part 3, Recommendation for Key Management: Application-Specific Key Management Guidance.
 
This revision updates cryptographic requirements for the protocols and applications in the document so that the current required security strengths, as specified in SP 800-131A, can be achieved. This revision also adds security-related updates from the protocols addressed in the original version of the document, and a new section for Secure Shell (SSH).
 
Comments should be sent to SP80057Part3@nist.gov, with "Comments on SP 800-57, Part 3" in the subject line. Comments should be submitted by July 5th, 2014.

January 6, 2014: Please see October 30, 2016 entry (above) for latest version. NIST requested comments on NIST Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. The public comment period ended March 5, 2014.


August 15, 2013: NIST announces the completion of NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems. This publication contains a description of the topics to be considered and the documentation requirements to be addressed when designing a CKMS. The CKMS designer satisfies the requirements by selecting the policies, procedures, components (hardware, software, and firmware), and devices (groups of components) to be incorporated into the CKMS, and then specifying how these items are employed to meet the requirements of this Framework.

December 21, 2012: NIST announces the completion of NIST Special Publication (SP) 800-133, Recommendation for Cryptographic Key Generation. This Recommendation discusses the generation of the keys to be used with NIST-approved cryptographic algorithms. The keys are either generated using mathematical processing on the output of approved Random Bit Generators, or generated based upon keys that are generated in this fashion.

August 8, 2012: Please see October 30, 2015 entry (above) for latest version. NIST requests comments on draft NIST Special Publication 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). The public comment period ended October 10, 2012.

July 9, 2012: NIST announces the completion of Revision 3 of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management, Part 1: General. This publication contains basic key management guidance, including the security services that may be provided and the key types that may be employed in using cryptographic mechanisms, the functions involved in key management, and the protections and handling required for cryptographic keys. This revision aligns the document with SP 800-131A, and also provides a general update of the document.

January 13, 2011: Update - Please see November 8, 2015 entry above. NIST announces the completion of Special Publication (SP) 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.


SP 800-57 Part 2, Recommendation for Key Management - Part 2: Best Practices for Key Management Organizations, provides guidance for system and application owners for use in identifying appropriate organizational key management infrastructures, establishing organizational key management policies, and specifying organizational key management practices. Public comments are available for the Part 2 draft.


Key Establishment

June 5, 2013: NIST announces the completion of SP 800-56A Revision 2: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. The revisions were made to the March 2007 version of this Recommendation. The major revisions are summarized in Appendix D.

Public Comments on NIST Draft Special Publication 800-56A Revision 2

March 12, 2014: NIST requests comments on the draft revision of Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. SP 800-56B specifies key-establishment schemes based on the Rivest Shamir Adleman (RSA) algorithm. The revision was made to the August 2009 version. The main changes are listed in Appendix D.

Please submit comments to 56B2014rev-comments@nist.gov with "Comments on SP 800-56B (Revision)" in the subject line. The comment period closes on May 15, 2014.

The comment period for the draft revision of NIST SP 800-56B has been extended to May 30, 2014.


December 11, 2011: NIST announces the completion of NIST SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion. This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure.
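The two-step pattern that SP 800-56C describes is easiest to see in code. The block below is an added illustration, not code from the page or from NIST: it implements extraction-then-expansion with HMAC-SHA-256 in the form standardized in RFC 5869 (HKDF), where the extraction step condenses the shared secret Z into a fixed-length key-derivation key and the expansion step stretches that key into as much keying material as the application needs, bound to a context string. SP 800-56C's own expansion step is specified in terms of the SP 800-108 KDFs, so the exact expansion formula there differs; the salt/secret/info inputs used for the demo are the RFC 5869 test-case-1 values and are included only as sample input. The split into separate encryption and MAC keys at the end is an assumed usage, showing why the expansion step takes a length parameter rather than returning one hash output.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def extract(salt: bytes, shared_secret: bytes) -> bytes:
    """Randomness-extraction step.

    Condenses the shared secret Z produced by the key-agreement scheme into a
    fixed-length key-derivation key K_DK = HMAC(salt, Z). When no salt is
    available, HASH_LEN zero bytes are used, as RFC 5869 specifies.
    """
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, shared_secret, HASH).digest()


def expand(kdk: bytes, info: bytes, length: int) -> bytes:
    """Key-expansion step.

    Stretches K_DK into `length` bytes of keying material. `info` is the
    context (party identifiers, algorithm labels) that binds the derived keys
    to their intended use, so different contexts yield unrelated keys.
    """
    if length > 255 * HASH_LEN:
        raise ValueError("requested keying material too long for this hash")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        # T(i) = HMAC(K_DK, T(i-1) || info || i), chained as in RFC 5869
        block = hmac.new(kdk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keying_material(shared_secret: bytes, salt: bytes,
                           info: bytes, length: int) -> bytes:
    """Full extraction-then-expansion: Z -> K_DK -> keying material."""
    return expand(extract(salt, shared_secret), info, length)


def derive_session_keys(shared_secret: bytes, salt: bytes, info: bytes):
    """Assumed usage: one expansion supplies both a 32-byte encryption key
    and a 32-byte MAC key, carved from a single 64-byte output."""
    material = derive_keying_material(shared_secret, salt, info, 2 * HASH_LEN)
    return material[:HASH_LEN], material[HASH_LEN:]


# Sample inputs (RFC 5869 test case 1). In a real deployment Z comes from the
# SP 800-56A/B key-agreement scheme, never from a constant.
DEMO_Z = bytes.fromhex("0b" * 22)
DEMO_SALT = bytes.fromhex("000102030405060708090a0b0c")
DEMO_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")

if __name__ == "__main__":
    kdk = extract(DEMO_SALT, DEMO_Z)
    print("K_DK            :", kdk.hex())
    print("42-byte material:", expand(kdk, DEMO_INFO, 42).hex())
    enc_key, mac_key = derive_session_keys(DEMO_Z, DEMO_SALT, DEMO_INFO)
    print("encryption key  :", enc_key.hex())
    print("MAC key         :", mac_key.hex())
```

Two properties worth checking in any implementation of this pattern: the same Z with a different `info` must produce different keys (otherwise a key agreed for one protocol role could be reused in another), and the shared secret Z itself must never be used directly as a key, which is exactly what the extraction step prevents.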

December 2012: NIST has published an ITL Bulletin that summarizes NIST SP 800-133: Recommendation for Cryptographic Key Generation.

A specification is available for Approved methods for key-wrapping using symmetric keys.

 


Comments

NIST welcomes the submission of comments on this project at any time. Comments on the Key Management Guideline should be addressed to GuidelineComments@nist.gov. Comments on the Key Establishment Schemes document should be addressed to kmscomments@nist.gov.

Comments on the previous draft of the Recommendation for Key Management - Part 1.


Testing

Testing is currently available for SP 800-56A. For more information see the Cryptographic Algorithm Validation Program (CAVP) homepage.


Additional Information

 


Future Plans

For information about works in progress in the Key Management area, see the Cryptographic Key Management Project homepage.

Note: "Approved" denotes an algorithm or technique that is either specified in a FIPS or NIST Recommendation.