
Key Management

About Key Management

Generally speaking, there are two types of key establishment techniques: 1) techniques based on asymmetric (public key) algorithms, and 2) techniques based on symmetric (secret key) algorithms. Hybrid techniques are also common: a public key technique is used to establish a symmetric key-encryption key (KEK), and that KEK is then used to establish (wrap and transport) other symmetric keys.


Key Management Project

NIST recently announced a new Key Management Project. For more information see the Cryptographic Key Management Project homepage.


Key Management Guidelines

NEW! December 18, 2014: NIST requests comments on DRAFT Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. This Profile is based on NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems, and has been prepared to assist Cryptographic Key Management System (CKMS) designers and implementers in selecting the features to be provided in their “products,” and to assist Federal organizations and their contractors when procuring, installing, configuring, operating, and using a Federal Cryptographic Key Management System (FCKMS). Please send comments by February 18, 2015 to FederalCKMSProfile@nist.gov, with "Comments on SP 800-152" in the subject line. A template has been provided.

Note that submitted comments will be posted for public review. This revision also includes references to some of the security controls in SP 800-53; comments on the accuracy of those references would be appreciated.


May 5, 2014: NIST requests comments on a Draft Revision of SP 800-57 Part 3, Recommendation for Key Management: Application-Specific Key Management Guidance.

This revision updates the cryptographic requirements for the protocols and applications covered by the document so that the currently required security strengths, as specified in SP 800-131A, can be achieved. It also adds security-related updates for the protocols addressed in the original version of the document, and a new section on Secure Shell (SSH).

Comments should be sent to SP80057Part3@nist.gov, with "Comments on SP 800-57, Part 3" in the subject line. Comments should be submitted by July 5, 2014.

January 6, 2014: See the December 18, 2014 entry (above) for the latest version. NIST requests comments on NIST Special Publication (SP) 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems. SP 800-152 contains requirements for the design, implementation, procurement, installation, configuration, management, operation, and use of a CKMS by U.S. Federal organizations. The Profile is based on NIST SP 800-130, A Framework for Designing Cryptographic Key Management Systems (CKMS). The public comment period ended March 5, 2014.


August 15, 2013: NIST announces the completion of NIST Special Publication (SP) 800-130, A Framework for Designing Cryptographic Key Management Systems. This publication contains a description of the topics to be considered and the documentation requirements to be addressed when designing a CKMS. The CKMS designer satisfies the requirements by selecting the policies, procedures, components (hardware, software, and firmware), and devices (groups of components) to be incorporated into the CKMS, and then specifying how these items are employed to meet the requirements of this Framework.

December 21, 2012: NIST announces the completion of NIST Special Publication (SP) 800-133, Recommendation for Cryptographic Key Generation. This Recommendation discusses the generation of the keys to be used with NIST-approved cryptographic algorithms. The keys are either generated by mathematical processing of the output of approved Random Bit Generators, or derived from keys that were generated in this fashion.

August 8, 2012: See the December 18, 2014 entry (above) for the latest version. NIST requests comments on draft NIST Special Publication 800-152, A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). This Profile will be based on Special Publication 800-130, entitled “A Framework for Designing Cryptographic Key Management Systems.” The Framework covers topics that should be considered by a product or system designer when designing a CKMS and specifies requirements for the design and its documentation. The Profile, however, will cover not only a CKMS design, but also its procurement, installation, management, and operation throughout its lifetime. The public comment period ended October 10, 2012.

July 9, 2012: NIST announces the completion of Revision 3 of Special Publication (SP) 800-57, Part 1, Recommendation for Key Management, Part 1: General. This publication contains basic key management guidance, including the security services that may be provided and the key types that may be employed when using cryptographic mechanisms, the functions involved in key management, and the protections and handling required for cryptographic keys. This revision aligns the document with SP 800-131A and provides a general update of the document.

January 13, 2011: NIST announces the completion of Special Publication (SP) 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths. This Recommendation provides the approach for transitioning from the use of one algorithm or key length to another, as initially addressed in Part 1 of SP 800-57. SP 800-131B, Transitions: Validation of Transitioning Cryptographic Algorithms and Key Lengths, is under development and will address the validation of cryptographic modules during the transition period.

SP 800-57 Part 2, Recommendation for Key Management - Part 2: Best Practices for Key Management Organizations provides guidance for system and application owners for use in identifying appropriate organizational key management infrastructures, establishing organizational key management policies, and specifying organizational key management practices. Public comments are available for the Part 2 draft.


Key Establishment

June 5, 2013: NIST announces the completion of SP 800-56A Revision 2: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. This revision updates the March 2007 version of the Recommendation. The major revisions are summarized in Appendix D.

Public Comments on NIST Draft Special Publication 800-56A Revision 2

March 12, 2014: NIST requests comments on the draft revision of Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography. SP 800-56B specifies key-establishment schemes based on the Rivest-Shamir-Adleman (RSA) algorithm. This revision updates the August 2009 version. The main changes are listed in Appendix D.

Please submit comments to 56B2014rev-comments@nist.gov with "Comments on SP 800-56B (Revision)" in the subject line. The comment period closes on May 15, 2014.

The comment period for the draft revision of NIST SP 800-56B has been extended to May 30, 2014.


December 11, 2011: NIST announces the completion of NIST SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion. This Recommendation specifies techniques for deriving keying material, through an extraction-then-expansion procedure, from a shared secret established during a key establishment scheme defined in NIST Special Publications 800-56A or 800-56B.

December 2012: NIST has published an ITL Bulletin that summarizes NIST SP 800-133: Recommendation for Cryptographic Key Generation.

A specification of Approved methods for key wrapping using symmetric keys is available.
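AES Key Wrap (RFC 3394; the KW mode of the symmetric key-wrapping specification, SP 800-38F) as an added Go example on the standard library's crypto/aes, not code from NIST or from the specification itself. The wrap and unwrap functions, their names and the error strings are the example's own; the key-encryption key and key data used in main are the RFC 3394 section 4.1 test values, so the printed ciphertext can be checked against the RFC.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwICV is the fixed 64-bit integrity check value (A6 repeated) of RFC 3394 / SP 800-38F KW.
var kwICV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// splitBlocks copies b into independent 64-bit halves R[0..n-1].
func splitBlocks(b []byte) [][]byte {
	r := make([][]byte, len(b)/8)
	for i := range r {
		r[i] = append([]byte(nil), b[i*8:(i+1)*8]...)
	}
	return r
}

// keyWrap is the wrap (authenticated-encryption) function: n 64-bit halves of
// key data go in, n+1 come out, the first carrying the ICV that keyUnwrap checks.
func keyWrap(kek, keyData []byte) ([]byte, error) {
	if len(keyData) < 16 || len(keyData)%8 != 0 {
		return nil, errors.New("keywrap: key data must be a multiple of 8 bytes and at least 16")
	}
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	n := len(keyData) / 8
	a := append([]byte(nil), kwICV...)
	r := splitBlocks(keyData)
	buf := make([]byte, 16)
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(buf[:8], a)
			copy(buf[8:], r[i])
			block.Encrypt(buf, buf) // B = AES(K, A | R[i])
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(a, binary.BigEndian.Uint64(buf[:8])^t) // A = MSB(B) ^ t
			copy(r[i], buf[8:])                                               // R[i] = LSB(B)
		}
	}
	return bytes.Join(append([][]byte{a}, r...), nil), nil
}

// keyUnwrap inverts keyWrap and rejects the result unless the recovered ICV
// matches, which catches a wrong KEK as well as any modification of the blob.
func keyUnwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("keywrap: wrapped data must be a multiple of 8 bytes and at least 24")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...)
	r := splitBlocks(wrapped[8:])
	buf := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(buf[:8], binary.BigEndian.Uint64(a)^t) // (A ^ t)
			copy(buf[8:], r[i])
			block.Decrypt(buf, buf) // B = AES^-1(K, (A ^ t) | R[i])
			copy(a, buf[:8])
			copy(r[i], buf[8:])
		}
	}
	if !hmac.Equal(a, kwICV) { // constant-time compare of the integrity check value
		return nil, errors.New("keywrap: integrity check failed (wrong KEK or tampered data)")
	}
	return bytes.Join(r, nil), nil
}

func main() {
	// RFC 3394 section 4.1 test values: a 128-bit KEK wrapping 128 bits of key data.
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	keyData, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := keyWrap(kek, keyData)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", wrapped) // 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
	unwrapped, err := keyUnwrap(kek, wrapped)
	fmt.Printf("unwrapped: %X (err=%v)\n", unwrapped, err)
	wrapped[9] ^= 0x01 // flip one bit: the unwrap must now fail the ICV check
	_, err = keyUnwrap(kek, wrapped)
	fmt.Println("tampered unwrap:", err)
}
```

KW deliberately carries no nonce and is deterministic; that is acceptable for wrapping high-entropy keys under a KEK, which is the only use the key-wrapping specification sanctions it for, and it is why the integrity check on unwrap must never be skipped.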


Comments

NIST welcomes the submission of comments on this project at any time. Comments on the Key Management Guideline should be addressed to GuidelineComments@nist.gov. Comments on the Key Establishment Schemes document should be addressed to kmscomments@nist.gov.

Comments on the previous draft of the Recommendation for Key Management - Part 1.


Testing

Testing is currently available for SP 800-56A. For more information see the Cryptographic Algorithm Validation Program (CAVP) homepage.


Future Plans

For information about work in progress in the Key Management area, see the Cryptographic Key Management Project homepage.

Note: "Approved" denotes an algorithm or technique that is specified in either a FIPS or a NIST Recommendation.