Customer Service:
Mon - Fri: 8:30 am - 6 pm EST

Key Management

Key management software engineering standards are published by ISO and IEC. They include the ISO/IEC 11770 series, which covers framework, symmetric techniques, asymmetric techniques, weak secrets, and group key management.

ISO/IEC 11770-1:2010

Information technology - Security techniques - Key management - Part 1: Framework

ISO/IEC 11770-1:2010 defines a general model of key management that is independent of the use of any particular cryptographic algorithm. However, certain key distribution mechanisms can depend on particular algorithm properties, for example, properties of asymmetric algorithms. ISO/IEC 11770-1:2010 contains the material required for a basic understanding of subsequent parts. Examples of the use of key management mechanisms are included in ISO 11568. If non-repudiation is required for key management, ISO/IEC 13888 is applicable. ISO/IEC 11770-1:2010 addresses both the automated and manual aspects of key management, including outlines of data elements and sequences of operations that are used to obtain key management services. However it does not specify details of protocol exchanges that might be needed. As with other security services, key management can only be provided within the context of a defined security policy. The definition of security policies is outside the scope of ISO/IEC 11770. The fundamental problem is to establish keying material whose origin, integrity, timeliness and (in the case of secret keys) confidentiality can be guaranteed to both direct and indirect users. Key management includes functions such as the generation, storage, distribution, deletion and archiving of keying material in accordance with a security policy (ISO 7498-2). ISO/IEC 11770-1:2010 has a special relationship to the security frameworks for open systems (ISO/IEC 10181). All the frameworks, including this one, identify the basic concepts and characteristics of mechanisms covering different aspects of security.

Available in Packages Available for Subscriptions

ISO/IEC 11770-2:2018

IT Security techniques - Key management - Part 2: Mechanisms using symmetric techniques

This document defines key establishment mechanisms using symmetric cryptographic techniques. This document addresses three environments for the establishment of keys: Point-to-Point, Key Distribution Centre (KDC), and Key Translation Centre (KTC). It describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established. This document does not indicate other information which can be contained in the messages or specify other messages such as error messages. The explicit format of messages is not within the scope of this document. This document does not specify the means to be used to establish initial secret keys; that is, all the mechanisms specified in this document require an entity to share a secret key with at least one other entity (e.g. a TTP). For general guidance on the key lifecycle, see ISO/IEC 11770-1. This document does not explicitly address the issue of inter-domain key management. This document also does not define the implementation of key management mechanisms; products complying with this document are not necessarily compatible.

Available in Packages Available for Subscriptions

ISO/IEC 11770-2/Cor1:2009

Information technology - Security techniques - Key management - Part 2: Mechanisms using symmetric techniques - Corrigendum 1

Available for Subscriptions

ISO/IEC 11770-3:2021

Information security - Key management - Part 3: Mechanisms using asymmetric techniques

This document defines key management mechanisms based on asymmetric cryptographic techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals. a) Establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B by key agreement. In a secret key agreement mechanism, the secret key is computed as the result of a data exchange between the two entities A and B . Neither of them is able to predetermine the value of the shared secret key. b) Establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B via key transport. In a secret key transport mechanism, the secret key is chosen by one entity A and is transferred to another entity B , suitably protected by asymmetric techniques. c) Make an entity's public key available to other entities via key transport. In a public key transport mechanism, the public key of entity A is transferred to other entities in an authenticated way, but not requiring secrecy. Some of the mechanisms of this document are based on the corresponding authentication mechanisms in ISO/IEC 9798 3. This document does not cover certain aspects of key management, such as: — key lifecycle management; — mechanisms to generate or validate asymmetric key pairs; and — mechanisms to store, archive, delete, destroy, etc., keys. While this document does not explicitly cover the distribution of an entity's private key (of an asymmetric key pair) from a trusted third party to a requesting entity, the key transport mechanisms described can be used to achieve this. A private key can in all cases be distributed with these mechanisms where an existing, non-compromised key already exists. However, in practice the distribution of private keys is usually a manual process that relies on technological means such as smart cards, etc. This document does not specify the transformations used in the key management mechanisms. NOTE To provide origin authentication for key management messages, it is possible to make provisions for authenticity within the key establishment protocol or to use a public key signature system to sign the key exchange messages.

Available in Packages Available for Subscriptions

ISO/IEC 11770-4:2017

Information technology - Security techniques - Key management - Part 4: Mechanisms based on weak secrets

ISO/IEC 11770-4:2017 defines key establishment mechanisms based on weak secrets, i.e. secrets that can be readily memorized by a human, and hence, secrets that will be chosen from a relatively small set of possibilities. It specifies cryptographic techniques specifically designed to establish one or more secret keys based on a weak secret derived from a memorized password, while preventing offline brute-force attacks associated with the weak secret. ISO/IEC 11770-4:2017 is not applicable to the following aspects of key management: - life-cycle management of weak secrets, strong secrets, and established secret keys; - mechanisms to store, archive, delete, destroy, etc. weak secrets, strong secrets, and established secret keys.

Available in Packages Available for Subscriptions

ISO/IEC 11770-5:2020

Information security - Key management - Part 5: Group key management

This document specifies mechanisms to establish shared symmetric keys between groups of entities. It defines: symmetric key-based key establishment mechanisms for multiple entities with a key distribution centre (KDC); and symmetric key establishment mechanisms based on a general tree-based logical key structure with both individual rekeying and batch rekeying. It also defines key establishment mechanisms based on a key chain with group forward secrecy, group backward secrecy or both group forward and backward secrecy. This document also describes the required content of messages which carry keying material or are necessary to set up the conditions under which the keying material can be established. This document does not specify information that has no relation with key establishment mechanisms, nor does it specify other messages such as error messages. The explicit format of messages is not within the scope of this document. This document does not specify the means to be used to establish the initial secret keys required to be shared between each entity and the KDC, nor key lifecycle management. This document also does not explicitly address the issue of interdomain key management.

Available for Subscriptions
ANSI Logo

As the voice of the U.S. standards and conformity assessment system, the American National Standards Institute (ANSI) empowers its members and constituents to strengthen the U.S. marketplace position in the global economy while helping to assure the safety and health of consumers and the protection of the environment.

Useful Links
CUSTOMER SERVICE
NEW YORK OFFICE
ANSI HEADQUARTERS
2024 © American National Standards Institute (ANSI) All Rights Reserved.