
Passcodes: Keys, Passphrases, PINs and Passwords


Mi'kail Eli'yah
15 min read · Jun 14, 2023

Passcodes here refers collectively to PINs, secret nonces, keys, passwords, passphrases, etc.

Key Usage Caveats

Key generation must come from a random source

Each key must be obtained from a reliable random source so that the keys generated are independent of each other. If a key is generated in software, the PRNG must be a NIST-approved deterministic random bit generator (SP 800-90A, e.g. HMAC_DRBG or CTR_DRBG) seeded from a live entropy source; a general-purpose PRNG such as a Mersenne Twister seeded from the clock is fully predictable from its seed and must never be used for key material.

Recommended:
- Generate keys from a certified RNG inside a tamper-resistant hardware device such as an HSM or smart card.
- Run randomness test suites (e.g. the NIST SP 800-22 Statistical Test Suite or Dieharder) over the generator's output. Note that passing statistical tests only catches gross failures; it does not prove the source has high entropy, since a deterministic PRNG seeded with a few bits passes them just as well.
Caveat: producing keys that are both strong and trusted is not easy. e.g. Though GPG has been around for almost 20 years, only ~50,000 keys are in the "strong set" (the largest group of keys connected to each other by mutual signatures in the web of trust), and fewer than 4 million keys have ever been published to the SKS keyserver pool. In perspective, the strong set makes up only ~1.25% of the published keys.
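
The point about the random source, shown concretely. This is an added example, not code from the original article: a key drawn from Python's general-purpose PRNG seeded with a coarse timestamp is recovered by brute-forcing the seed over a one-hour window, while a key from the OS CSPRNG (`secrets`) gives the same attack nothing to work with. The timestamp, key size and window are constructed for illustration.

```python
"""Weak vs. strong key generation: a seeded general-purpose PRNG is recoverable,
the OS CSPRNG is not. Added example; timestamp, key size and window are assumptions."""
import random
import secrets
from typing import Optional


def weak_key(seed: int, nbytes: int = 16) -> bytes:
    """INSECURE: key material from Python's Mersenne Twister (random.Random),
    seeded with a coarse timestamp. The whole output stream is fixed by the seed."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def recover_weak_seed(observed_key: bytes, approx_time: int, window: int = 3600) -> Optional[int]:
    """Attacker's view: knowing only the key and roughly when it was generated,
    replay every candidate second in +/- `window` until the output matches."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_key(candidate, len(observed_key)) == observed_key:
            return candidate
    return None


def strong_key(nbytes: int = 16) -> bytes:
    """Key material from the OS CSPRNG (os.urandom behind secrets.token_bytes),
    the minimum acceptable software source when no HSM is available."""
    return secrets.token_bytes(nbytes)


def demo() -> dict:
    """Generate a weak key at a constructed timestamp, recover its seed, and show
    that CSPRNG output is not reproducible from any such guess."""
    generation_time = 1_700_000_000  # constructed: seconds since the epoch
    leaked = weak_key(generation_time)
    # Attacker only knows the key leaked "about 20 minutes" after generation.
    recovered = recover_weak_seed(leaked, generation_time + 1234)
    return {
        "weak_key_hex": leaked.hex(),
        "seed_recovered": recovered == generation_time,
        "strong_keys_differ": strong_key() != strong_key(),
    }


if __name__ == "__main__":
    print(demo())
```

The brute force here is ~7,200 guesses; an attacker who knows the deployment date to within a day needs ~86,400, which is still instantaneous. The defence is not a wider window but a source whose output cannot be replayed from a guessable state.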

Ensure sufficient key length.

Refer to the guidelines establishing rough equivalences between symmetric- and public-key sizes (NIST SP 800-57 Part 1, Table 2): 112-bit security corresponds to 3TDEA, 2048-bit RSA/DH and 224-bit ECC; 128-bit to AES-128, 3072-bit RSA/DH and 256-bit ECC; 192-bit to AES-192, 7680-bit RSA/DH and 384-bit ECC; 256-bit to AES-256, 15360-bit RSA/DH and 512-bit ECC. Anything at the 80-bit level (1024-bit RSA, 160-bit ECC, 2TDEA) is disallowed for applying new protection.

- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, requires that "Federal agencies must meet the minimum security requirements as defined herein through the use of the security controls in accordance with NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, as amended."
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, indicates that information systems which need to protect information using cryptography must "produce, control, and distribute symmetric cryptographic keys using [Selection: NIST-approved, NSA-approved] key management technology and processes", and references NIST Special Publication 800-57.
- Section 5.6 of NIST Special Publication 800-57 Part 1, Recommendation for Key Management, contains Table 4, the deprecation schedule for each security strength referred to above.

Do not use the master (root) key directly; derive a separate key for each specific use. The root key then never touches bulk encryption or signing, a compromised purpose key does not expose its siblings, and one purpose can be rotated by changing its derivation label without re-keying everything else.
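
One way to do that derivation, as an added example rather than code from the article: HKDF (RFC 5869) with HMAC-SHA-256 from the standard library, with the purpose name carried in HKDF's `info` input so that distinct purposes yield unrelated keys. The master key is drawn from the OS CSPRNG as a stand-in for an HSM-held root, and the `example-app/v1/` label prefix is a hypothetical application namespace. The block checks itself against RFC 5869 Test Case 1.

```python
"""Per-purpose keys from one master key with HKDF (RFC 5869, HMAC-SHA-256).
Added example, standard library only; the label prefix is a hypothetical namespace."""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM). An empty salt means HASH_LEN zero bytes (RFC 5869 s2.2)."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated, cut to `length` (RFC 5869 s2.3)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds 255 * hash length")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def generate_master_key(nbytes: int = 32) -> bytes:
    """Master (root) key from the OS CSPRNG. In production it would live in an HSM
    and only derived keys would ever leave it."""
    return secrets.token_bytes(nbytes)


def derive_purpose_key(master_key: bytes, purpose: str, length: int = 32) -> bytes:
    """Bind a sub-key to a purpose via HKDF's `info`: 'db-encryption' and 'api-hmac'
    give unrelated keys, and bumping the version in the label rotates every purpose key."""
    info = b"example-app/v1/" + purpose.encode("utf-8")  # hypothetical app namespace
    return hkdf(master_key, salt=b"", info=info, length=length)


def passes_rfc5869_test_case_1() -> bool:
    """Known-answer check against RFC 5869 Appendix A, Test Case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865"
    )
    return hkdf(ikm, salt, info, 42) == expected


if __name__ == "__main__":
    assert passes_rfc5869_test_case_1()
    master = generate_master_key()
    for purpose in ("db-encryption", "api-hmac", "token-signing"):
        print(purpose, derive_purpose_key(master, purpose).hex())
```

Because HKDF is a one-way function of the master key, nothing learned from a derived key helps recover the master or a sibling key; the master is only ever used as HMAC key material, never as a cipher key.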
