NIST:生成安全密码密钥
NIST:生成安全密碼密鑰
https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=913043
ITL BULLETIN FOR DECEMBER 2012
GENERATING SECURE CRYPTOGRAPHIC KEYS:
- 生成安全密碼密鑰
A CRITICAL COMPONENT OF CRYPTOGRAPHIC KEYMANAGEMENT AND THE PROTECTION OF SENSITIVE INFORMATION
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
Cryptography provides strong protection for information technology (IT) systems, applications, and information, especially when information is sensitive, has a high value, or is vulnerable to unauthorized disclosure or undetected modification during transmission or while in storage. Cryptographic methods can be used to maintain the confidentiality and integrity of information, verify that information was not changed after it was sent, and authenticate the originator of the information.
Cryptography relies upon two basic components: an algorithm (or cryptographic methodology) and a cryptographic key. The algorithm is a complex mathematical function for applying cryptographic protection (e.g.
, encrypting the data) and later reversing or verifying the process (e.g., decrypting the encrypted data), and the key is a parameter used by the function. Secure management of the cryptographic keys is critically important, since the security and reliability of cryptographic processes depend upon the strength of the keys, the effectiveness of the protocols associated with the keys, and the protection given to the keys.
加密技術為信息技術 (it) 系統、應用程序和信息提供了強大的保護, 尤其是當信息敏感、價值高或在信息傳輸及存儲期間容易受到未經授權的披露或未被發現的修改時。加密方法可用于維護信息的機密性和完整性, 驗證信息發送后沒有被更改, 并對信息的創建者進行身份驗證。
加密技術依賴于兩個基本組件: 算法 (或加密方法) 和加密密鑰。該算法是應用加密保護的一個復雜的數學函數 (例如: 加密數據), 然后反轉或驗證過程 (例如, 解密加密的數據), 該密鑰是函數使用的參數。加密密鑰的安全管理至關重要, 因為加密過程的安全性和可靠性取決于密鑰的強度、與密鑰相關的協議的有效性以及對密鑰的保護。
Federal Standards and Recommendations for the Secure Management of Cryptography
The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) has developed Federal Information Processing Standards (FIPS) specifying cryptographic algorithms that are
approved for federal government use. In addition, NIST Special Publications (SPs) provide recommended practices that assist federal government organizations in applying cryptographic methods and in securely managing the cryptographic keys that are to be used with the approved cryptographic algorithms.
Another effort that helps organizations manage cryptographic keys effectively is the testing and validation of cryptographic modules, which contain the cryptographic algorithms and which are used in commercial
products and systems to provide security services. The testing and validation program established by NIST focuses on the validation of cryptographic modules and cryptographic algorithm implementations, accreditation of independent testing laboratories, and the development of test suitesfor the cryptographic algorithms. Many of these testing and validation activities are carried out in collaboration with industry and with other government organizations. See the For More Information section below for references to approved cryptographic algorithms, requirements for cryptographic modules, and the operation of the Cryptographic Module Validation Program (CMVP). In November, ITL issued a new guide, NIST Special Publication 800-133, Recommendation for Cryptographic Key Generation, to help federal government organizations generate the cryptographic keys that are to be used with the approved cryptographic algorithms. The publication provides general background information on the generation of cryptographic keys, how and where the keys are generated, and requirements for the generation of keys that provide the security strengths needed by organizations to protect their information.
-
加密技術安全管理的聯邦標準和建議
美國國家標準與技術研究所 (nist) 的信息技術實驗室開發了聯邦信息處理標準 (fips), 具體規定了經批準供聯邦政府使用的加密算法。此外, nist 特殊出版物 (sp) 還提供了建議的做法, 以協助聯邦政府組織應用加密方法和安全地管理將與批準的加密一起使用的加密密鑰算法。
幫助組織有效管理加密密鑰的另一項工作是測試和驗證加密模塊, 這些模塊包含加密算法, 并用于商業產品和系統中, 以提供安全服務.nist 建立的測試和驗證程序側重于加密模塊和加密算法實現的驗證、獨立測試實驗室的認證以及測試課程的開發。加密算法。其中許多測試和驗證活動是與工業界和其他政府組織合作進行的。 有關已批準的加密算法、加密模塊要求以及加密模塊驗證程序 (cmvp) 的操作的參考, 請參閱下面的 “詳細信息” 部分。 11月, ITL發布了一份新的指南, 即 nist 特別出版物 800-133:《加密密鑰生成建議》, 以幫助聯邦政府組織生成與被批準的加密算法一起使用的加密密鑰。該出版物提供了關于加密密鑰生成、密鑰生成方式和位置的一般背景信息, 以及密鑰生成要求,這些要求可提供組織保護其信息所需的安全強度。
NIST Special Publication 800-133, Recommendation for Cryptographic Key Generation
NIST SP 800-133, which was written by Elaine Barker and Allen Roginsky of NIST, discusses technical methods covering the generation of keys using the output of a random bit generator, the derivation of a key from another key, the derivation of a key from a password, and the key agreement process performed by two entities using an approved key-agreement scheme.
SP 800-133 recommends methods for the generation of key pairs for asymmetric algorithms and of keys for symmetric algorithms. Included in the publication are definitions, explanations of acronyms and symbols, and references to standards and to recommendations for the secure
implementation of cryptographic algorithms and the effective management of cryptographic keys.
Recommendation for Cryptographic Key Generation is available here.
-
nist 特別出版物 800-133, 關于加密密鑰生成的建議
nist sp 800-133, 由 nist 的 elaine barker 和 allen roginsky 編寫, 討論了使用隨機位生成器的輸出生成密鑰的技術方法, 從另一個密鑰派生一個鍵, 從密碼派生一個密鑰, 以及兩個實體使用已批準的密鑰協議方案執行的關鍵協議過程。
sp 800133 推薦了用于生成非對稱算法的密鑰對和用于對稱算法的密鑰的方法。該出版物包括定義、首字母縮寫詞和符號的解釋, 以及對標準和關于加密算法的安全實施和加密密鑰的有效管理的建議的參考。
有關加密密鑰生成的建議可在此處找到。
Cryptographic Algorithms and Keys
A cryptographic algorithm and a key are used to provide a number of cryptographic services, including encrypting data, generating a digital signature, decrypting encrypted data, and verifying a digital signature. Other cryptographic services include generating challenges, random numbers, and Message Authentication Codes (MACs).
In secret-key cryptography, two or more parties share the same key, which is used to encrypt and decrypt data. The key must be kept secret, and the parties who share a key rely upon each other not to disclose the key and to protect it against modification. Public key cryptography uses a pair of keys for each party: one is public and the other is private. The public key can be made known to other parties; the private key must be kept confidential and must be known only to its owner. Both keys, however, need to be protected against modification. Public key cryptography is used to generate and verify digital signatures to provide assurance to a receiver that a given message was sent by the claimed sender, or to establish symmetric keys between parties that do not share such keys for protecting sensitive information.
Keys may be established through techniques that are based on asymmetric or public key algorithms, or through techniques that are based on symmetric or secret key algorithms. Hybrid techniques are also commonly used in the key-generating process by applying public key techniques to establish symmetric or secret keys, which are then used to establish other symmetric or secret keys or to protect sensitive information.
-
加密算法和密鑰
加密算法和密鑰用于提供多種加密服務, 包括加密數據、生成數字簽名、解密加密數據和驗證數字簽名等。其他加密服務包括生成挑戰、隨機數和消息身份驗證代碼 (mac)。
在密鑰加密中, 兩個或多個參與方共享相同的密鑰, 用于對數據進行加密和解密。鑰匙必須保密, 共享鑰匙的當事人相互依靠對方不披露鑰匙, 保護鑰匙不被修改。 公鑰加密為每一方使用一對密鑰: 一個是公共密鑰, 另一個是私有密鑰。公鑰可以向其他各方公布;私鑰必須保密, 并且必須只向其所有者知曉。但是, 這兩個鍵都需要保護以防止修改。公鑰加密用于生成和驗證數字簽名, 以便向接收方保證給定的消息是由聲明的發送方發送的, 或者在不共享此類密鑰以保護敏感信息的各方之間建立對稱密鑰信息。
密鑰可以通過基于非對稱或公鑰算法的技術來建立, 也可以通過基于對稱或密鑰算法的技術來建立。混合技術也通常用于密鑰生成過程中, 方法是應用公鑰技術來建立對稱或密鑰, 然后用于建立其他對稱或密鑰或保護敏感信息。
Summary of NIST Recommendations for Cryptographic Key Generation
NIST SP 800-133 specifies the methods for the computation, establishment, and distribution of key pairs in accordance with existing standards and recommendations. See the online version of the publication for detailed information about implementing the recommendations for the generation of secure cryptographic keys.
Key generation techniques.
Keys can be generated through a variety of techniques: the generation of a key using the output of a random bit generator (RBG), the derivation of a key from another key, the derivation of a key from a password, and a key agreement performed by two entities using an approved key-agreement scheme. SP 800-133 specifies that federal organizations base the generation of their cryptographic keys directly or indirectly on the output of an approved random bit generator. Keys that are derived during a key-agreement transaction, derived from another key using a key derivation function, or derived from a password for storage applications are considered to be indirectly generated from an RBG, since the key used in the generation of another key or the random value used to generate a key-agreement key pair was obtained directly from the output of an approved RBG. Cryptographic keys needed by federal organizations are to be generated within tested and validated cryptographic modules. Random values required for key generation must be generated within the module that generates the key. The RBG should provide the security strengths that the implementing organization needs to protect its information. NIST publications that provide recommendations covering the techniques for the generation of keys using RBGs are included in the list of publications below.
Generation of key pairs for asymmetric algorithms.
Asymmetric-key algorithms, also known as public-key algorithms, require the use of asymmetric key pairs, consisting of a private key and a corresponding public key. The key to be used for each operation depends on the cryptographic process being performed; for example, digital-signature generation requires the use of a private key, while signature verification requires the use of the corresponding public key. Each public/private key pair is associated with only one entity; this entity is known as the key-pair owner. The public key may be known by anyone, but the private key must be known and used only by the key-pair owner. Key pairs are generated by either the key-pair owner or by a trusted party that will provide the key pair to the owner in a secure manner. The trusted party must be trusted by all parties that use the public key. One use of asymmetric keys is the generation of digital signatures. Digital signatures are generated on data to provide origin authentication, assurance of data integrity, or signatory non-repudiation. Digital signatures are generated by a signer using a private key, and verified by a receiver using a public key. Publications that include recommendations for the generation of key pairs for asymmetric applications are included in the reference section below.
-
關于加密密鑰生成的 nist 建議摘要
nist sp 800-133 根據現有標準和建議指定了密鑰對的計算、建立和分發方法。有關實現生成安全加密密鑰的建議的詳細信息, 請參閱出版物的聯機版本。
-
關鍵生成技術
密鑰可以通過多種技術生成: 使用隨機位生成器 (rbg) 的輸出生成密鑰, 從另一個密鑰派生密鑰, 從密碼派生密鑰, 以及由兩個實體使用批準執行的密鑰協議d 密鑰協議計劃。sp 800-133 指定聯邦組織直接或間接地根據批準的隨機位生成器的輸出生成其加密密鑰。在密鑰協議事務期間派生的密鑰、從使用密鑰派生函數的另一個鍵派生的密鑰, 或從存儲應用程序的密碼派生的密鑰被視為間接從 rbg 生成的, 因為在生成另一個鍵或用于生成密鑰協議密鑰對的隨機值直接從批準的 rbg 輸出中獲得。聯邦組織所需的加密密鑰將在經過測試和驗證的加密模塊中生成。密鑰生成所需的隨機值必須在生成密鑰的模塊中生成。成果預算制應提供執行組織保護其信息所需的安全優勢。nist 出版物提供了關于使用 rbg 生成密鑰的技術的建議, 這些出版物列于以下出版物列表中。
-
非對稱算法密鑰對的生成
非對稱密鑰算法, 也稱為公鑰算法, 需要使用非對稱密鑰對, 包括私鑰和相應的公鑰。要用于每個操作的密鑰取決于所執行的加密過程;例如, 數字簽名生成需要使用私鑰, 而簽名驗證需要使用相應的公鑰。 每個公鑰對只與一個實體關聯;此實體稱為密鑰對所有者。公鑰可能為任何人所知, 但私鑰必須僅由密鑰對所有者知道和使用。密鑰對是由密鑰對所有者或受信任方生成的, 將以安全的方式向所有者提供密鑰對。受信任的一方必須得到使用公鑰的所有各方的信任。非對稱密鑰的一種用途是生成數字簽名。在數據上生成數字簽名, 以提供原產地認證、數據完整性保證或簽名不可否認性。數字簽名由簽名者使用私鑰生成, 并由使用公鑰的接收方進行驗證。下面的參考部分包含有關為非對稱應用程序生成密鑰對的建議的出版物。
Generation of keys for symmetric key algorithms.
Symmetric-key algorithms use the same key to both apply cryptographic protection to information and to remove or verify the protection. Keys used with symmetric-key algorithms must be known only by the entities authorized to apply, remove, or verify the protection, and are commonly known as secret keys. A secret key is often known by multiple entities that may share or own the secret key, although it is not uncommon for a key to be generated, owned, and used by a single entity, such as for secure storage.
A secret key should be generated by one or more of the entities that will share the key, or a trusted party that provides the key to the intended sharing entities in a secure manner. The trusted party must be trusted by all entities that will share the key not to disclose the key to unauthorized parties or otherwise misuse the key.
Publications that include recommendations for the generation of keys for symmetric applications are included in the reference section below.
For More Information
The following publications are related to methods for the management of cryptography. For information about these NIST standards and guidelines, as well as other security-related publications, see here.
Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules(The Implementation Guidance for FIPS PUB 140-2 and information about the Cryptographic Module Validation Program is available here.
-
對稱密鑰算法的密鑰生成
對稱密鑰算法使用相同的密鑰將提供信息加密保護以及刪除或驗證保護。與對稱密鑰算法一起使用的密鑰必須僅由授權應用、刪除或驗證保護的實體知道, 并且通常稱為秘密密鑰。秘密密鑰通常由可能共享或擁有秘密密鑰的多個實體所知道, 盡管由單個實體 (如安全存儲) 生成、擁有和使用密鑰的情況并不少見。
秘密密鑰應由一個或多個共享密鑰的實體生成, 或由以安全方式向預期共享實體提供密鑰的受信任方生成。將共享密鑰的所有實體都必須信任受信任方, 以免向未經授權的當事方披露密鑰或以其他方式濫用密鑰。
下面的參考部分中包含了有關為對稱應用程序生成密鑰的建議的發布。
有關詳細信息, 以下出版物與密碼學管理方法有關。有關這些 nist 標準和準則以及其他與安全有關的出版物的信息, 請參見此處。
聯邦信息處理標準 (fips) 140-2, 加密模塊的安全要求 (fips pub 140-2 的實施指南和有關加密模塊驗證程序的信息, 請參見此處
FIPS 180-4, Secure Hash Standard (SHS)
FIPS 186-3, Digital Signature Standard (DSS)
FIPS 197, Advanced Encryption Standard (AES)
FIPS 198-1, Keyed-Hash Message Authentication Code (HMAC)
Special Publication (SP) 800-38A, Recommendation for Block Cipher Modes of Operation - Methods and Techniques
SP 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
SP 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping
SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
SP 800-56B, Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography
SP 800-56C, Recommendation for Key Derivation through Extraction-then-Expansion,
SP 800-57, Part 1, Recommendation for Key Management: General (Revision 3)
SP 800-67, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher
SP 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators
SP 800-90B, Draft Recommendation for the Entropy Sources Used for Random Bit Generation
SP 800-90C, Draft Recommendation for Random Bit Generator (RBG) Constructions
SP 800-108, Recommendation for Key Derivation Using Pseudorandom Functions (Revised)
SP 800-131A, Recommendation for the Transitioning of Cryptographic Algorithms and Key Lengths
SP 800-132, Recommendation for Password-Based Key Derivation, Part 1: Storage Applications
SP 800-135, Recommendation for Existing Application-Specific Key Derivation Function Information about NIST’s information security programs is available from the Computer Security Resource Center here.
ITL Bulletin Publisher:
Elizabeth Lennon, Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
Email elizabeth.lennon@nist.gov
Disclaimer
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned
are necessarily the best available for the purpose.
fips 180-4, 安全哈希標準 (shs)
fips 186-3, 數字簽名標準 (dss)
fips 197, 高級加密標準 (aes)
fips 198-1, 鍵擊消息身份驗證代碼 (hmac)
特別出版物 (sp) 800-38A, 關于塊密碼操作模式的建議-方法和技術
sp 800-38B, 關于塊密碼操作模式的建議: cmac 身份驗證模式
sp 800-38F, 關于塊密碼操作模式的建議: 密鑰包裝方法 sp 800-56A, 使用離散對數密碼學建立 pair-wise 密鑰建立方案的建議
sp 800-56B, 關于使用整數分解密碼學建立對明智的密鑰的建議
sp 800-56C, 通過拉伸當時擴展進行密鑰派生的建議, sp 800-57, 第1部分, 關鍵管理建議: 一般 (修訂版 3)
sp 800-67, 關于三重數據加密算法 (tdea) 塊密碼 sp 800-90A 的建議, 關于使用確定性隨機比特生成器生成隨機數的建議
sp 800-90B, 用于隨機位生成的熵源的建議草案 sp 800-90B, 隨機位生成器 (rbg) 構造的建議草案
sp 800-108, 關于使用偽隨機函數進行密鑰派生的建議 (修訂) sp 8–131a, 關于密碼算法和關鍵長度轉換的建議
sp 800-132, 關于基于密碼的密鑰派生的建議, 第1部分: 存儲應用程序
sp 800-135, 關于現有應用程序特定密鑰派生函數的建議有關 nist 的信息安全程序的信息, 可在這里的計算機安全資源中心獲得。
ITL發布者:
elizabeth lennon, 作家/編輯
信息技術實驗室
美國國家標準與技術研究所
電郵 elizabeth.lennon@nist.gov
總結
以上是生活随笔為你收集整理的NIST:生成安全密码密钥的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 数学图形之莫比乌斯带(mobius)
- 下一篇: 自由定制pe小知识