FIPS Standard
4.7.2 Key Generation
A cryptographic module may generate cryptographic keys internally. Cryptographic keys generated by the
cryptographic module for use by an Approved algorithm or security function shall be generated using an
Approved key generation method. Approved key generation methods are listed in Annex C to this
standard. If an Approved key generation method requires input from a RNG, then an Approved RNG that
meets the requirements specified in Section 4.7.1 shall be used.
Compromising the security of the key generation method (e.g., guessing the seed value to initialize the
deterministic RNG) shall require at least as many operations as determining the value of the generated key.
If a seed key is entered during the key generation process, entry of the key shall meet the key entry
requirements specified in Section 4.7.4. If intermediate key generation values are output from the
cryptographic module, the values shall be output either 1) in encrypted form or 2) under split knowledge
procedures.
Documentation shall specify each of the key generation methods (Approved and non-Approved) employed
by a cryptographic module.
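
The seed requirement in this section can be made concrete with a short added example (not part of the standard): a 128-bit key derived from a 16-bit seed is recovered by searching the seed space, so its strength is bounded by the seed, not by the key length. The derivation function (truncated HMAC-SHA256), the label string and the seed value are assumptions chosen for illustration and are not an Approved method from Annex C.

```python
import hashlib
import hmac

KEY_BITS = 128  # length of the generated key in this example


def derive_key(seed: bytes, key_bits: int = KEY_BITS) -> bytes:
    """Stand-in deterministic generator (assumption): truncated HMAC-SHA256 keyed by the seed."""
    return hmac.new(seed, b"keygen-example", hashlib.sha256).digest()[: key_bits // 8]


def seed_search_cost(seed_bits: int, target_key: bytes) -> int:
    """Count the guesses an exhaustive search over seed_bits-bit seeds needs to reproduce target_key."""
    nbytes = (seed_bits + 7) // 8
    for guess in range(2 ** seed_bits):
        candidate = derive_key(guess.to_bytes(nbytes, "big"))
        if hmac.compare_digest(candidate, target_key):
            return guess + 1
    raise ValueError("no seed of this size produces the key")


def effective_strength_bits(seed_entropy_bits: int, key_bits: int = KEY_BITS) -> int:
    """The weaker of the two search spaces bounds the work needed to recover the key."""
    return min(seed_entropy_bits, key_bits)


def meets_seed_requirement(seed_entropy_bits: int, key_bits: int = KEY_BITS) -> bool:
    """True when attacking the seed costs at least as much as attacking the key itself."""
    return effective_strength_bits(seed_entropy_bits, key_bits) >= key_bits


if __name__ == "__main__":
    weak_seed = (0x1234).to_bytes(2, "big")  # constructed 16-bit seed
    key = derive_key(weak_seed)
    print("key length (bits):", len(key) * 8)
    print("seed guesses needed:", seed_search_cost(16, key), "of at most", 2 ** 16)
    print("16-bit seed acceptable:", meets_seed_requirement(16))
    print("128-bit seed acceptable:", meets_seed_requirement(128))
```
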
4.7.3 Key Establishment
Key establishment may be performed by automated methods (e.g., use of a public key algorithm), manual
methods (use of a manually-transported key loading device), or a combination of automated and manual
methods. If key establishment methods are employed by a cryptographic module, only Approved key
establishment methods shall be used. Approved key establishment methods are listed in Annex D to this
standard.
If, in lieu of an Approved key establishment method, a radio communications cryptographic module
implements Over-The-Air-Rekeying (OTAR), it shall be implemented as specified in the TIA/EIA
Telecommunications Systems Bulletin, APCO Project 25, Over-The-Air-Rekeying (OTAR) Protocol, New
Technology Standards Project, Digital Radio Technical Standards, TSB102.AACA, January, 1996,
Telecommunications Industry Association.
Compromising the security of the key establishment method (e.g., compromising the security of the
algorithm used for key establishment) shall require at least as many operations as determining the value of
the cryptographic key being transported or agreed upon.
If a key transport method is used, the cryptographic key being transported shall meet the key entry/output
requirements of Section 4.7.4. If a key agreement method is used (e.g., a cryptographic key is derived from
shared intermediate values), the shared values are not required to meet the key entry/output requirements of
Section 4.7.4.
Documentation shall specify the key establishment methods employed by a cryptographic module.
4.7.4 Key Entry and Output
Cryptographic keys may be entered into or output from a cryptographic module. If cryptographic keys are
entered into or output from a cryptographic module, the entry or output of keys shall be performed using
either manual (e.g., via a keyboard) or electronic methods (e.g., smart cards/tokens, PC cards, or other
electronic key loading devices).
A seed key, if entered during key generation, shall be entered in the same manner as cryptographic keys.