The management of cryptographic keys in cryptographic algorithms is critical to the security of these algorithms. It is a challenging side of cryptography because it requires user training, organizational and departmental interactions, and coordination among all who use these cryptographic keys.
Although organizations may generate keys for employees and distribute the keys to these employees, the only way to completely protect information being shared between any two or more entities using a cryptographic mechanism is for the underlying private or secret keys to be generated and passed to the intended recipient of the information by a completely secure (often manual) process. This approach is impractical for most organizations, so policies generally allow the organization to acquire or generate the private or secret keys on which the security of cryptographic mechanisms depends. Trust between an organization and the source of the private or secret keys used by its staff and associates must be established by agreement, documented by policy, and implemented within a key management infrastructure.
At the device or software application level, keying material needs to be provided, changed, and protected to enable cryptographic operation and preserve the integrity of cryptographic processes and their dependent services. But these mechanisms alone are not enough to ensure the protection of sensitive information.
To address these issues, NIST is updating Special Publication (SP) 800-57 Part 2, Recommendation for Key Management, Part 2: Best Practices for Key Management Organization. A draft of Revision 1 is now available for public comment. SP 800-57 Part 2, provides a framework and general guidance to support establishing cryptographic key management policies, procedures, and the key management infrastructure within an organization. This document also provides a basis for satisfying the key management aspects of statutory and policy security planning requirements for federal government organizations.
The document notes that in order for key management practices and procedures to be effectively employed, support for these practices and procedures at the highest levels of the organization is a practical necessity. The executive level of the organization needs to establish policies that identify executive-level key management roles and responsibilities for the organization. The key management policies need to support the establishment of, or access to, the services of a key management infrastructure and the employment and enforcement of key management practices and procedures.
A public comment period for this draft document is open until May 31, 2018.