Computer Security Resource Center

Key Management

Key Management Guidelines

The following publications provide general key management guidance:

Recommendation for Key Management

  • SP 800-57 Part 1, General
    • This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
       
  • SP 800-57 Part 2, Best Practices for Key Management Organizations
    • This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
    • November 20, 2018: NIST invites comments on this second draft of Special Publication (SP) 800-57 Part 2, Recommendation for Key Management, Part 2: Best Practices for Key Management Organizations (2nd Draft). Part 2 provides guidance when using the cryptographic features of current systems. This revision:
    1. identifies the concepts, functions and elements common to effective systems for the management of symmetric and asymmetric keys;
    2. identifies the security planning requirements and documentation necessary for effective institutional key management;
    3. describes key management specification requirements;
    4. describes cryptographic key management policy documentation that is needed by organizations that use cryptography; and
    5. describes key management practice statement requirements.

The public comment period for this document is open until January 21, 2019.

  • SP 800-57 Part 3, Application-Specific Key Management Guidance
    • NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
       

Key Management Transitions

  • SP 800-131A, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
    • Provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms by federal agencies when protecting sensitive, but unclassified, information.
    • July 19, 2018: NIST is updating its guidance for transitioning to the use of stronger cryptographic keys and more robust algorithms by federal agencies to protect sensitive, but unclassified, information. This is the second update to NIST Special Publication (SP) 800-131A, Transitioning the Use of Cryptographic Algorithms and Key Lengths, since its initial publication in 2011. These transitions are meant to address the challenges posed by new cryptanalysis, the increasing power of classical computing technology, and the potential emergence of quantum computers. This revision includes a strategy and schedule for retiring the use of the Triple Data Encryption Algorithm (TDEA) specified in SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher. Other proposed changes are listed in Appendix B.

Created January 04, 2017, Updated November 20, 2018