Cryptography Reference
In-Depth Information
key management. Another relevant standard is ISO 11568 [3], which covers key
management in the important application area of retail banking, as does the influential
standard ANSI X9.24 [26]. Dent and Mitchell [55] provide a good overview of the
contents of most of these key management standards.
The best place for advice on key lengths is the web portal managed by
Giry [89]. We used the 2010 key length recommendations from the European project
ECRYPT II [66] in Table 10.1, which is one of the resources linked to by [89]. NIST
provide guidance on key derivation in NIST 800-108 [141] and on key derivation
from passwords in NIST 800-132 [143], as does PKCS#5 [115]. Key generation by
components is conducted using simple secret sharing schemes, a good introduction
to which can be found in Stinson [185]. Unique key per transaction schemes are
popular in the retail world and are described in banking standards. The Racal UKPT
scheme has been standardised in UKPA Standard 70 [193] and the Derived UKPT
scheme can be found in ANSI X9.24 [26].
We provided several references to key establishment mechanisms in Chapter 9,
including Boyd and Mathuria [40] and ISO/IEC 11770 [4]. The BB84 protocol
was first proposed by Bennett and Brassard [31], with an accessible description
of it provided in Singh [176]. Scientific American ran a story on quantum key
establishment by Stix [186]. There is quite a lot of misinformation around on the
usefulness and likely impact of quantum key establishment. We recommend the
practical analysis of Moses [126] and Paterson, Piper and Schack [152] as providing
interesting perspectives.
Hardware security modules are fundamental components of many key management
systems. One of the most influential standards in this area is FIPS 140-2 [79].
HSMs are also treated in the banking standards ISO 11568 [3] and ISO 13491 [5].
Attridge [27] provides a brief introduction to HSMs and their role in cryptographic key
management. The zones of risk for key storage depicted in Figure 10.6 are based on
ISO 13491 [5]. Ferguson, Schneier and Kohno [75] include a chapter on key storage,
and Kenan [107] discusses key storage in the context of cryptographically protected
databases. Bond [38] describes fascinating attacks on HSMs that had achieved a
high level of FIPS 140 compliance. Dent and Mitchell [55] include a chapter on
cryptography APIs.
The key block that we described in Figure 10.8 is from ANSI X9 TR-31 [25]. NIST
has a special publication NIST 800-88 [137] relating to data deletion (sanitisation).
Finally, the key generation ceremony that we described is loosely based on the
ceremony described in [112].
10.10 Activities
1. Provide some examples of attacks that can be conducted if assurance of
purpose of cryptographic keys is not provided as part of:
(a) a fully symmetric hierarchical key management system deployed in a
government department;
 