This FAQ is about the keys used with the cryptographic algorithms employed for communications and/or storage, for example to encrypt and decrypt data (providing confidentiality protection for that data) or to detect any modification of the data (providing integrity protection).
Cryptographic key management (CKM) involves the handling of cryptographic keys and other related security parameters during the entire lifecycle of the keys, including their generation, storage, distribution/establishment, use and destruction. CKM also includes the policies for selecting appropriate cryptographic algorithms and key sizes; the key-establishment schemes and protocols used to generate or distribute keys; the protection and maintenance of keys and related data; and the integration of key management with cryptographic technology to provide the type and level of protection that an organization requires.
The proper management of cryptographic keys is essential to the effective use of cryptography for security. A cryptographic key is analogous to the combination of a safe. If an adversary knows the combination, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.
U.S. policy documents have made NIST responsible for developing Standards and Guidelines for the protection of sensitive, but unclassified, U.S. Federal information and for assisting national or international standards bodies in producing a range of standards, including those for protecting information and its processing. In fulfilling its responsibilities, NIST has established working relationships with security system developers, academic researchers, commercial vendors, government and public sector computer users, and network operators in developing and utilizing effective information security Standards and Guidelines.
General Key-Management Guidance:
Key Generation: The generation of keys using random bit generators.
Key Establishment: The agreement and/or transport of cryptographic keys using automated protocols (e.g., TLS and SSH).
Key Wrapping: The encryption of a key (together with its integrity information) under another symmetric key, so that the wrapped key can be stored or transported with both confidentiality and integrity protection.
Key Derivation: The derivation of a cryptographic key from an already available key and other information.
Cryptographic algorithms are executed within cryptographic modules (see FIPS 140-2, Security Requirements for Cryptographic Modules). The Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP) test implementations against many of the publications listed above. Visit the CAVP and CMVP pages for information on the algorithms currently being tested.