Cryptographic Key Management: What are Best Practices for Organizations? NIST Releases Draft Revision of Special Publication 800-57 Part 2
April 11, 2018

The management of cryptographic keys in cryptographic algorithms is critical to the security of these algorithms. It is a challenging side of cryptography because it requires user training, organizational and departmental interactions, and coordination among all who use these cryptographic keys.

Although organizations may generate keys for employees and distribute the keys to these employees, the only way to completely protect information being shared between any two or more entities using a cryptographic mechanism is for the underlying private or secret keys to be generated and passed to the intended recipient of the information by a completely secure (often manual) process. This approach is impractical for most organizations, so policies generally allow the organization to acquire or generate the private or secret keys on which the security of cryptographic mechanisms depends. Trust between an organization and the source of the private or secret keys used by its staff and associates must be established by agreement, documented by policy, and implemented within a key management infrastructure.

At the device or software application level, keying material needs to be provided, changed, and protected to enable cryptographic operation and preserve the integrity of cryptographic processes and their dependent services. But these mechanisms alone are not enough to ensure the protection of sensitive information.

To address these issues, NIST is updating Special Publication (SP) 800-57 Part 2, Recommendation for Key Management, Part 2: Best Practices for Key Management Organization. A draft of Revision 1 is now available for public comment. SP 800-57 Part 2 provides a framework and general guidance to support establishing cryptographic key management policies, procedures, and the key management infrastructure within an organization. This document also provides a basis for satisfying the key management aspects of statutory and policy security planning requirements for federal government organizations.

The document notes that in order for key management practices and procedures to be effectively employed, support for these practices and procedures at the highest levels of the organization is a practical necessity. The executive level of the organization needs to establish policies that identify executive-level key management roles and responsibilities for the organization. The key management policies need to support the establishment of, or access to, the services of a key management infrastructure and the employment and enforcement of key management practices and procedures.

A public comment period for this draft document is open until May 31, 2018.

Created April 11, 2018, Updated June 22, 2020