
IAKM-3 Key Management


Overview

Symmetric and asymmetric keys are produced, controlled and distributed using NSA-approved key management technology and processes.

MAC / CONF: CLASSIFIED
Impact: Medium
Subject Area: Identification and Authentication

Details

Threat
Classified DoD information requires protection from unauthorized access, modification, or destruction. All symmetric keys used to encrypt data must be protected commensurate with the classification level of the information being protected. For asymmetric keys, the user or custodian must protect the private key commensurate with the classification level of the information being protected. The processes for creating and distributing keys used to encrypt transmitted classified information, and to authenticate users who are authorized access to classified information, must be carried out using highly secure processes. The DoD Public Key Infrastructure can be utilized to encrypt data on Classified networks. Classified data transmitted across untrusted networks must be encrypted using. The security requirements for cryptographic key management encompass the entire lifecycle of cryptographic keys, cryptographic key components, and Cryptographic Service Providers employed by the cryptographic module. Key management includes random number and key generation, key establishment, key distribution, key entry/output, key storage, and key zeroization.

Guidance
1. The PKI manages the registration, issuance and control of X.509 certificates for use by DoD personnel in the conduct of official business. An X.509 certificate binds an end entity (such as a subscriber, router, or automated message guard) to a key pair, certifying that the entity identified in the certificate has the private key associated with the public key incorporated into the certificate.
2. The key pairs are used by end entities to perform cryptographic operations: to digitally sign information, to ensure the identity of the signer and the integrity of the information, and to encrypt information to ensure confidentiality. The DoD PKI issues separate certificates and key pairs for identity authentication and integrity, and for confidentiality.
3. Secret keys, private keys, and Cryptographic Service Providers shall be protected within the cryptographic module from unauthorized disclosure, modification, and substitution. Public keys shall be protected within the cryptographic module against unauthorized modification and substitution.
4. SAs shall document and specify all cryptographic keys, cryptographic key components, and Cryptographic Service Providers employed by a cryptographic module.
5. All private key pairs that are used to assert non-repudiation and are tightly bound to an entity's identity must be protected in accordance with the classification level of the information being processed.
6. All users and custodians are responsible for protecting and storing all private keys. For hardware tokens, users must promptly report lost or stolen tokens. For software private keys, users must store them in a tamper-evident package locked in a safe.

References

  • DoDI 8520.2, "DoD Public Key Infrastructure (PKI) and Public Key (PK) Enabling," 01 April 2004
  • X.509 Certificate Policy for the United States Department of Defense, Version 8, 11 December 2003
  • CJSCM 6510.01, Change 1, Enclosure C, Appendix O, 10 August 2004
  • FIPS 140-2 Level 2, FIPS 140-2 Level 3