Recommendation for Key Management Part 3: Application-Specific Key Management Guidance

Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.

[1]  Simon Josefsson,et al.  Internet Engineering Task Force (ietf) Using Kerberos Version 5 over the Transport Layer Security (tls) Protocol , 2011 .

[2]  Kevin M. Igoe Suite B Cryptographic Suites for Secure Shell (SSH) , 2011, RFC.

[3]  Sam Hartman,et al.  A Generalized Framework for Kerberos Pre-Authentication , 2011, RFC.

[4]  Douglas Stebila,et al.  X.509v3 Certificates for Secure Shell Authentication , 2011, RFC.

[5]  Elaine B. Barker,et al.  Transitioning the use of cryptographic algorithms and key lengths , 2011 .

[6]  Quynh H. Dang,et al.  Recommendation for Existing Application-Specific Key Derivation Functions , 2010 .

[7]  Paul E. Hoffman,et al.  Internet Key Exchange Protocol Version 2 (IKEv2) , 2010, RFC.

[8]  Jerome A. Solinas,et al.  Internet Engineering Task Force (ietf) Elliptic Curve Groups modulo a Prime (ecp Groups) for Ike and Ikev2 , 2010 .

[9]  Blake Ramsdell,et al.  Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification , 2010, RFC.

[10]  Douglas Stebila,et al.  Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer , 2009, RFC.

[11]  Elaine B. Barker,et al.  Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography | NIST , 2009 .

[12]  Jerome A. Solinas,et al.  AES Galois Counter Mode for the Secure Shell Transport Layer Protocol , 2009, RFC.

[13]  Karen A. Scarfone,et al.  Guide to Enterprise Password Management , 2009 .

[14]  Russ Housley,et al.  Cryptographic Message Syntax (CMS) , 2002, RFC.

[15]  Kristin E. Lauter,et al.  Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) , 2008, RFC.

[16]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[17]  Douglas C. Montgomery,et al.  A Profile for IPv6 in the U.S. Government - Version 1.0 , 2008 .

[18]  Vivek Kapoor,et al.  Elliptic curve cryptography , 2008, UBIQ.

[19]  Ben Laurie,et al.  DNS Security (DNSSEC) Hashed Authenticated Denial of Existence , 2008, RFC.

[20]  Stephen T. Kent,et al.  Additional Diffie-Hellman Groups for Use with IETF Standards , 2008, RFC.

[21]  Russ Housley,et al.  Suite B in Secure/Multipurpose Internet Mail Extensions (S/MIME) , 2007, RFC.

[22]  Ryan Hurst,et al.  The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments , 2007, RFC.

[23]  Jim Schaad,et al.  Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility , 2007, RFC.

[24]  Jerome A. Solinas,et al.  Suite B Cryptographic Suites for IPsec , 2011, RFC.

[25]  Sheila Frankel,et al.  Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec , 2007, RFC.

[26]  Vishwas Manral,et al.  Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) , 2005, RFC.

[27]  Elaine B. Barker,et al.  Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography , 2007 .

[28]  Elaine B. Barker,et al.  Recommendation for Random Number Generation Using Deterministic Random Bit Generators , 2007 .

[29]  Jerome A. Solinas,et al.  IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA) , 2007, RFC.

[30]  Elaine B. Barker,et al.  Recommendation for Obtaining Assurances for Digital Signature Applications , 2006 .

[31]  Paul E. Hoffman,et al.  IKEv2 Clarifications and Implementation Guidelines , 2006, RFC.

[32]  Larry Zhu,et al.  Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) , 2006, RFC.

[33]  Jim Sermersheim,et al.  Lightweight Directory Access Protocol (LDAP): The Protocol , 2006, RFC.

[34]  Kurt D. Zeilenga,et al.  Lightweight Directory Access Protocol (LDAP): Directory Information Models , 2006, RFC.

[35]  Von Welch,et al.  Generic Security Service Application Program Interface (GSS-API) Authentication and Key Exchange for the Secure Shell (SSH) Protocol , 2006, RFC.

[36]  John Viega,et al.  The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH , 2006, RFC.

[37]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[38]  Niels Provos,et al.  Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol , 2006, RFC.

[39]  Tatu Ylönen,et al.  The Secure Shell (SSH) Authentication Protocol , 2006, RFC.

[40]  Tatu Ylönen,et al.  The Secure Shell (SSH) Connection Protocol , 2006, RFC.

[41]  M. Bevilacqua,et al.  Lightweight Directory Access Protocol LDAP , 2006 .

[42]  Wesley Griffin,et al.  Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints , 2006, RFC.

[43]  Paul E. Hoffman,et al.  Cryptographic Suites for IPsec , 2005, RFC.

[44]  Angela Orebaugh,et al.  Guide to IPsec VPNs , 2005 .

[45]  Charlie Kaufman,et al.  Internet Key Exchange (IKEv2) Protocol , 2005, RFC.

[46]  Jeffrey I. Schiller,et al.  Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) , 2005, RFC.

[47]  David A. Cooper,et al.  Guidelines for the selection, configuration, and use of Transport Layer Security (TLS) implementations , 2005 .

[48]  John Viega,et al.  The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) , 2005, RFC.

[49]  Paul E. Hoffman,et al.  Algorithms for Internet Key Exchange version 1 (IKEv1) , 2005, RFC.

[50]  Scott Rose,et al.  Resource Records for the DNS Security Extensions , 2005, RFC.

[51]  Scott Rose,et al.  Protocol Modifications for the DNS Security Extensions , 2005, RFC.

[52]  Personal Identity Verification (PIV) of Federal Employees and Contractors , 2005 .

[53]  Kenneth Raeburn,et al.  Advanced Encryption Standard (AES) Encryption for Kerberos 5 , 2005, RFC.

[54]  S. Kent IP Authentication Header , 2002 .

[55]  Stephen Farrell,et al.  Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP) , 2005, RFC.

[56]  Russ Housley,et al.  Using Advanced Encryption Standard (AES) CCM Mode with IPsec Encapsulating Security Payload (ESP) , 2005, RFC.

[57]  Blake Ramsdell,et al.  Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification , 2004, RFC.

[58]  William C. Barker,et al.  TECHNOLOGY ADMINISTRATION , 2004 .

[59]  Russ Housley,et al.  Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP) , 2004, RFC.

[60]  Paul E. Hoffman,et al.  The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE) , 2004, RFC.

[61]  Levon Esibov,et al.  Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG) , 2003, RFC.

[62]  Sheila Frankel,et al.  The AES-XCBC-MAC-96 Algorithm and Its Use With IPsec , 2003, RFC.

[63]  Sheila Frankel,et al.  The AES-CBC Cipher Algorithm and Its Use with IPsec , 2003, RFC.

[64]  Jakob Jonsson,et al.  Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 , 2003, RFC.

[65]  C M Chernick Federal S/MIME V3 Client Profile , 2002 .

[66]  Russ Housley,et al.  Advanced Encryption Standard (AES) Key Wrap Algorithm , 2002, RFC.

[67]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.

[68]  Alfred Menezes,et al.  The Elliptic Curve Digital Signature Algorithm (ECDSA) , 2001, International Journal of Information Security.

[69]  D. Richard Kuhn,et al.  SP 800-32. Introduction to Public Key Technology and the Federal PKI Infrastructure , 2001 .

[70]  Jim Schaad,et al.  Certificate Management Messages over CMS , 2000, RFC.

[71]  P. Hoffman Enhanced Security Services for S/MIME , 1999, RFC.

[72]  Eric Rescorla,et al.  Diffie-Hellman Key Agreement Method , 1999, RFC.

[73]  Blake Ramsdell,et al.  S/MIME Version 3 Message Specification , 1999, RFC.

[74]  Carlisle M. Adams,et al.  X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[75]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[76]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[77]  Derrell Piper,et al.  The Internet IP Security Domain of Interpretation for ISAKMP , 1998, RFC.

[78]  Dan Harkins,et al.  The Internet Key Exchange (IKE) , 1998, RFC.

[79]  Stephen T. Kent,et al.  The NULL Encryption Algorithm and Its Use With IPsec , 1998, RFC.

[80]  Rob Adams,et al.  The ESP CBC-Mode Cipher Algorithms , 1998, RFC.

[81]  W. Douglas Maughan,et al.  Internet Security Association and Key Management Protocol (ISAKMP) , 1998, RFC.

[82]  Cheryl Madson,et al.  The Use of HMAC-SHA-1-96 within ESP and AH , 1998, RFC.

[83]  Cheryl Madson,et al.  The ESP DES-CBC Cipher Algorithm With Explicit IV , 1998, RFC.

[84]  Burton S. Kaliski,et al.  PKCS #7: Cryptographic Message Syntax Version 1.5 , 1998, RFC.

[85]  Scott O. Bradner,et al.  Key words for use in RFCs to Indicate Requirement Levels , 1997, RFC.

[86]  Nathaniel S. Borenstein,et al.  Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies , 1996, RFC.

[87]  Nathaniel S. Borenstein,et al.  Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance Criteria and Examples , 1996, RFC.

[88]  Keith Moore MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text , 1996, RFC.

[89]  Randall J. Atkinson,et al.  Security Architecture for the Internet Protocol , 1995, RFC.

[90]  Theodore Y. Ts'o,et al.  Kerberos: an authentication service for computer networks , 1994, IEEE Communications Magazine.

[91]  John T. Kohl,et al.  The Kerberos Network Authentication Service (V5 , 2004 .

[92]  Paul V. Mockapetris,et al.  Domain names - implementation and specification , 1987, RFC.

[93]  Paul V. Mockapetris,et al.  Domain names: Concepts and facilities , 1983, RFC.

[94]  Giovanni Maria Sacco,et al.  Timestamps in key distribution protocols , 1981, CACM.