Cryptography Reference
In-Depth Information
Advice on key length changes over time. It is wise to seek the latest and most
accurate information before deciding on key lengths. It is possible, for example,
that the advice in Table 10.1, and the key length comparisons in Table 5.2, may
no longer be accurate.
10.3 Key generation
We now begin our discussion of the various phases in the key lifecycle. This
begins with key generation, which is the creation of cryptographic keys. This is a
critical phase of the key lifecycle. As we indicated at the start of Section 8.1, many
cryptosystems have been found to have weaknesses because they do not generate
their keys in a sufficiently secure manner.
Key generation processes for symmetric and public-key cryptography are
fundamentally different. We will first look at ways of generating a symmetric
key.
10.3.1 Direct key generation
Symmetric keys are just randomly generated numbers (normally bit strings). The
most obvious method for generating a cryptographic key is thus to randomly
generate a number, or more commonly a pseudorandom number. We have
already discussed random number generation in Section 8.1 and any of the
techniques discussed there are potentially appropriate for key generation. The
choice of technique will depend on the application. Obviously, the strength
of the technique used should take into consideration the importance of the
cryptographic key that is being generated. For example, use of a hardware-based
non-deterministic generator might be appropriate for a master key, whereas a
software-based non-deterministic generator based on mouse movements might
suffice for generating a local key to be used to store personal files on a home PC
(see Section 8.1.3).
The only further issue to note is that for certain cryptographic algorithms
there are sporadic choices of key that some people argue should not be used.
For example, as mentioned in Section 4.4.3, DES has some keys that are defined
to be weak. In the rare event that such keys are generated by a key generation
process, some guidance suggests that they should be rejected. Issues such as
this are algorithm-specific and the relevant standards should be consulted for
advice.
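The following sketch is an added example, not part of the original text: it generates a symmetric key directly from the operating system's random source and, for DES, rejects a weak key in the rare event that one is drawn. The function names are hypothetical, and the four weak-key values are the commonly published DES weak keys (in odd-parity form), which do not appear on this page.

```python
import secrets

# The four DES weak keys, written with odd parity in every byte.
# (Commonly published values; not taken from this page.)
DES_WEAK_KEYS = frozenset(bytes.fromhex(h) for h in (
    "0101010101010101",
    "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1",
    "1f1f1f1f0e0e0e0e",
))

def set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so that the byte has an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        seven = b & 0xFE  # the 7 bits DES actually uses from this byte
        out.append(seven | (0 if bin(seven).count("1") % 2 else 1))
    return bytes(out)

def is_weak_des_key(key: bytes) -> bool:
    """Compare on the parity-normalised form, since parity bits do not affect DES."""
    return set_odd_parity(key) in DES_WEAK_KEYS

def generate_symmetric_key(bits: int = 128) -> bytes:
    """Direct key generation: the key is simply random bits of the right length."""
    if bits <= 0 or bits % 8:
        raise ValueError("key length must be a positive multiple of 8 bits")
    return secrets.token_bytes(bits // 8)

def generate_des_key(rng=secrets.token_bytes, max_tries: int = 8) -> bytes:
    """Draw 8 random bytes, fix parity, and redraw if the result is a weak key."""
    for _ in range(max_tries):
        key = set_odd_parity(rng(8))
        if key not in DES_WEAK_KEYS:
            return key
    # Drawing a weak key even once is about a 4-in-2^56 event; repeated hits
    # mean the random source is broken, which matters more than the weak key.
    raise RuntimeError("random source repeatedly produced weak DES keys")
```

The `rng` parameter exists so the rejection path can be exercised with a scripted source; production callers leave it at the default.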
10.3.2 Key derivation
The term key derivation is sometimes used to describe the generation of
cryptographic keys from other cryptographic keys or secret values. Such 'key
 
 