Cryptography is the foundation of protecting electronic data and cyber security. Encryption can effectively prevent breaches while also protecting both consumer privacy and sensitive data.In recent years private corporations such as Target and Federal government agencies such as the United States Federal Bureau of Investigations have experienced breaches resulting in lost or stolen data.
With effective cryptographic key management, data that is encrypted can still be protected even in the event of a breach, since encrypted data cannot be decrypted without the right keys. Proper usage of encryption and key management will assist an organization’s efforts to protect their data. The National Institute of Standards and Technology’s (NIST) SP 80057 “Recommendations for Key Management” (Part 1, Revision 4) provides an updated guideline for general cryptographic key management. Since its original version published in 2005, SP 80057 has been through a number of revisions in 2006, 2007, 2011, and 2015.
The NIST SP 80057 standard emphasizes how critical key management is. To be effective, encryption requires confidential and strong keys to protect against breaches. Data protected by cryptography is dependent upon the strength of the keys along with the mechanisms and protocols used in association with those keys. Secret and private keys must be held securely without unauthorized disclosure and protected from modifications. During their entire life cycle, keys must be managed with proper procedures and protocols to ensure they are not compromised. From the moment of their generation and throughout distribution, storage, entry, use, destruction and archival, keys must be handled with established protocols. Effective key management helps to provide a strong and secure foundation “for generation, storage, distribution, use and destruction of keys.” (NIST SP 80057)
In 2015, SP 80057 was revised with several updates. Just some of the areas that received updates include Digital Signatures, Key Derivation, and Key Transport. The latest version also contains new cryptographic standards such as SP 800152, FIPS 180, and FIPS 202.
NIST revised the standard to better align with requirements needed to meet the Federal Information Processing Standard (FIPS). NIST now uses firmer language, replacing “should” with “shall.” Algorithm and key size is now included in security strength along with recommendations for approved asymmetric and symmetric algorithms taking into account the size of keys being used. NIST goes on to revise the standard for digital signature generation with SHA1 no longer being approved for hashing algorithms, updating to SHA3. (NIST SP 80057)
Integrity and confidentiality protection measures are more aligned with SP 800152 “A Profile for U.S. Federal Cryptographic Key Management Systems.” The key lifecycle was updated to included a “suspended state” where a key being used is either suspended or a digital signature owner is not available. Another change is the removal of the “key update” process, which also aligns with SP 800152.
SP 800152 was based on SP 800130 “A Framework for Designing Cryptographic and Key Management Systems.” The publication covers topics of consideration and documentation requirements when designing a CKMS. The standard includes requirements for policy, procedure, and all components including hardware, software, and firmware.
These revisions provide the necessary updates to improve a standard for cryptographic key managers. The standard can assist and provide a guideline of best practices for both developers and system administrators. With effective adherence to the guideline organizations can increase their level of cybersecurity and continue to effectively mitigate risks associated with protecting sensitive data.
References and Further Reading
- Selected articles on Key Management (2012-16), by Ashiq JA, Chuck Easttom, Dawn M. Turner, Guillaume Forget, James H. Reinholm, Matt Landrock, Peter Landrock, Steve Marshall, Torben Pedersen, Maria Stokes, John Trankenschuh and more
- “Cybersecurity Incidents What Happened.” (2016), the United States Office of Personnel Management.
- FIPS Pub 180-4: Secure Hash Standard (SHS), by the National Institute of Standards and Technology, 2015.
- NIST Special Publication 80057 Part 1 Revision 4 Recommendation for Key Management Part 1: General, by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800152: A Profile for U.S. Federal Cryptographic Key Management Systems, by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800130: Framework for Designing Cryptographic Key Management Systems (2013), by the National Institute of Standards and Technology, USA.
- Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores (2013), by Target Corporate, USA.
Image: Data Breach, courtesy of Blogtrepreneur, Flickr (CC BY 2.0)