
Key Management

About Key Management

Generally speaking, there are two types of key establishment techniques: 1) techniques based on asymmetric (public key) algorithms, and 2) techniques based on symmetric (secret key) algorithms. However, hybrid techniques are also commonly used, whereby public key techniques are used to establish symmetric (secret) key-encryption keys, which are then used to establish other symmetric (secret) keys.

Key Management Project

NIST recently announced a new Key Management Project. For more information see the Cryptographic Key Management Project homepage.

Key Management Guidelines

December 21, 2012: NIST announces the completion of NIST Special Publication (SP) 800-133, Recommendation for Cryptographic Key Generation. This Recommendation discusses the generation of the keys to be used with NIST-approved cryptographic algorithms. The keys are either generated using mathematical processing on the output of approved Random Bit Generators, or generated based upon keys that are generated in this fashion.

August 8, 2012: NIST requests comments on draft NIST Special Publication 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). This Profile will be based on Special Publication 800-130, entitled "A Framework for Designing Cryptographic Key Management Systems." The Framework covers topics that should be considered by a product or system designer when designing a CKMS and specifies requirements for the design and its documentation. The Profile, however, will cover not only a CKMS design, but also its procurement, installation, management, and operation throughout its lifetime. Please provide comments by October 10, 2012 to ckmsdesignframework@nist.gov, with "Comments on SP 800-152 Profile Requirements" in the subject line.

July 9, 2012: NIST announces the completion of Revision 3 of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management, Part 1: General. This publication contains basic key management guidance, including the security services that may be provided and the key types that may be employed in using cryptographic mechanisms, the functions involved in key management, and the protections and handling required for cryptographic keys. This revision aligns the document with SP 800-131A and provides a general update of the document.

April 13, 2012: NIST requests comments on a draft revision of SP 800-130, A Framework for Designing Cryptographic Key Management Systems. This is a revision of the document that was provided for public comment in June 2010. Comments are requested by July 30, 2012 and should be sent to ckmsdesignframework@nist.gov, with "Comments on SP 800-130" in the subject line.

January 13, 2011: NIST announces the completion of Special Publication (SP) 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. This Recommendation provides the approach for transitioning from the use of one algorithm or key length to another, as initially addressed in Part 1 of SP 800-57. SP 800-131B, Transitions: Validation of Transitioning Cryptographic Algorithms and Key Lengths, is under development and will address the validation of cryptographic modules during the transition period.

SP 800-57, Part 2, Recommendation for Key Management - Part 2: Best Practices for Key Management Organizations provides guidance for system and application owners for use in identifying appropriate organizational key management infrastructures, establishing organizational key management policies, and specifying organizational key management practices. Public comments are available for the Part 2 draft.

SP 800-57, Part 3, Recommendation for Key Management - Part 3: Application-Specific Key Management Guidance. NIST announces the release of Part 3 of Special Publication 800-57, Recommendation for Key Management: Application-Specific Key Management Guidance. This Recommendation provides guidance when using the cryptographic features of current systems. It is intended to help system administrators and system installers adequately secure applications based on product availability and organizational needs, and to support organizational decisions about future procurements. The guide also provides information for end users regarding application options left under their control in the normal use of the application. Recommendations are given for a select set of applications, namely: PKI, IPsec, TLS, S/MIME, Kerberos, OTAR, DNSSEC and Encrypted File Systems.

Key Establishment

The Recommendation for Key Establishment Schemes is under development and has been divided into two parts. SP 800-56A has been updated (March 2007). SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography specifies key establishment schemes based on standards developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.42 (Agreement of Symmetric Keys Using Discrete Logarithm Cryptography) and ANS X9.63 (Key Agreement and Key Transport Using Elliptic Curve Cryptography).

August 27, 2009: NIST announces the completion of SP 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. This Recommendation provides the specifications of key establishment schemes that are based on a standard developed by the Accredited Standards Committee (ASC) X9, Inc.: ANS X9.44, Key Establishment using Integer Factorization Cryptography. SP 800-56B provides asymmetric-based key agreement and key transport schemes that are based on the Rivest-Shamir-Adleman (RSA) algorithm.

December 11, 2011: NIST announces the completion of NIST SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion. This Recommendation specifies techniques for the derivation of keying material from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B through an extraction-then-expansion procedure.
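The following is an added example, not code from NIST or from SP 800-56C itself. It shows the extraction-then-expansion shape described above, applied to the hybrid case from the first section: a shared secret Z from a public key scheme is first extracted into a key-derivation key with HMAC, then expanded into a symmetric key-encryption key and a MAC key. The expansion step uses the counter-mode construction of SP 800-108 (32-bit counter, Label, 0x00, Context, 32-bit output length); the field widths and the sample inputs are this example's own choices, not values taken from the page.

```python
import hashlib
import hmac

HASH = hashlib.sha256
H_LEN = HASH().digest_size  # 32 bytes for SHA-256

def extract(salt: bytes, shared_secret: bytes) -> bytes:
    """Randomness extraction: K_DK = HMAC-Hash(salt, Z).
    An absent salt is replaced by an all-zero string of hash-output length
    (the same default convention HKDF uses; an assumption of this example)."""
    if not salt:
        salt = bytes(H_LEN)
    return hmac.new(salt, shared_secret, HASH).digest()

def expand(kdk: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Key expansion with an HMAC PRF in counter mode (SP 800-108 style):
    K(i) = HMAC(K_DK, [i]_32 || Label || 0x00 || Context || [L]_32),
    concatenated and truncated to the requested number of bytes."""
    if length <= 0 or length > (2**32 - 1) * H_LEN:
        raise ValueError("requested length out of range")
    l_bits = (length * 8).to_bytes(4, "big")     # L, the output length in bits
    out = bytearray()
    counter = 1
    while len(out) < length:
        fixed = counter.to_bytes(4, "big") + label + b"\x00" + context + l_bits
        out += hmac.new(kdk, fixed, HASH).digest()
        counter += 1
    return bytes(out[:length])

# Label is a fixed, purpose-specific string (chosen for this example).
LABEL = b"example: KEK and MAC key from shared secret"

def derive_keys(shared_secret: bytes, salt: bytes, context: bytes):
    """Two-step KDF: extract once, then expand once into 48 bytes and split
    them into a 32-byte key-encryption key and a 16-byte MAC key."""
    kdk = extract(salt, shared_secret)
    material = expand(kdk, LABEL, context, 48)
    return material[:32], material[32:]

# Constructed sample inputs (not real key material): Z stands in for the
# shared secret a 56A/56B scheme would produce; context binds both party IDs.
SAMPLE_Z = hashlib.sha256(b"constructed shared secret for illustration").digest()
SAMPLE_SALT = b"constructed public salt, 16 by"
SAMPLE_CONTEXT = b"partyA-id|partyB-id|session-1"

if __name__ == "__main__":
    kek, mac_key = derive_keys(SAMPLE_Z, SAMPLE_SALT, SAMPLE_CONTEXT)
    print("KEK    :", kek.hex())
    print("MAC key:", mac_key.hex())
```

Because Context contains both party identifiers, the same Z and salt yield different keys if either identity changes, which is the property that stops a derived key from being silently reused across sessions or peers.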

December 2012: NIST has published an ITL Bulletin that summarizes NIST SP 800-133: Recommendation for Cryptographic Key Generation.

A specification is available for Approved methods for key-wrapping using symmetric keys.

Comments

NIST welcomes the submission of comments on this project at any time. Comments on the Key Management Guideline should be addressed to GuidelineComments@nist.gov. Comments on the Key Establishment Schemes document should be addressed to kmscomments@nist.gov.

Comments on the previous draft of the Recommendation for Key Management - Part 1.

Testing

Testing is currently available for SP 800-56A. For more information see the Cryptographic Algorithm Validation Program (CAVP) homepage.

Future Plans

For information about works in progress in the Key Management area, see the Cryptographic Key Management Project homepage.

Note: "Approved" refers to an algorithm or technique that is either specified in a FIPS or NIST Recommendation.