Guidelines for Cryptographic Key Management (RFC4107)

IP.com Disclosure Number: IPCOM000125866D
Original Publication Date: 2005-Jun-01
Included in the Prior Art Database: 2005-Jun-18
Document File: 8 page(s) / 15K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

S. Bellovin: AUTHOR [+2]

Abstract

The question often arises of whether a given security system requires some form of automated key management, or whether manual keying is sufficient. This memo provides guidelines for making such decisions. When symmetric cryptographic mechanisms are used in a protocol, the presumption is that automated key management is generally but not always needed. If manual keying is proposed, the burden of proving that automated key management is not required falls to the proposer.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 19% of the total text.

Network Working Group                                        S. Bellovin
Request for Comments: 4107                           Columbia University
BCP: 107                                                      R. Housley
Category: Best Current Practice                           Vigil Security
                                                               June 2005


              Guidelines for Cryptographic Key Management

Status of This Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   The question often arises of whether a given security system requires
   some form of automated key management, or whether manual keying is
   sufficient.  This memo provides guidelines for making such decisions.
   When symmetric cryptographic mechanisms are used in a protocol, the
   presumption is that automated key management is generally but not
   always needed.  If manual keying is proposed, the burden of proving
   that automated key management is not required falls to the proposer.

1.  Introduction

   The question often arises of whether or not a given security system
   requires some form of automated key management, or whether manual
   keying is sufficient.

   There is not one answer to that question; circumstances differ.  In
   general, automated key management SHOULD be used.  Occasionally,
   relying on manual key management is reasonable; we propose some
   guidelines for making that judgment.

   On the other hand, relying on manual key management has significant
   disadvantages, and we outline the security concerns that justify the
   preference for automated key management.  However, there are
   situations in which manual key management is acceptable.

Bellovin & Housley       Best Current Practice                  [Page 1]
RFC 4107      Guidelines for Cryptographic Key Management      June 2005


1.1.  Terminology

   The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD,
   SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL, when they appear in this
   document, are to be interpreted as described in RFC 2119 [B].

2.  Guidelines

   These guidelines are for use by IETF working groups and protocol
   authors who are determining whether to mandate automated key
   management and whether manual key management is acceptable.  Informed
   judgment is needed.

   The term "key management" refers to the establishment of
   cryptographic keying material for use with a cryptographic algorithm
   to provide protocol...