9-7.3 Key Management

Key management is the generation, recording, transcription, distribution, installation, storage, changing, disposition, and control of cryptographic keys. Key management must be rigorous and disciplined because attacks against encryption keys are far more likely to occur and succeed than attacks against encryption algorithms.

9-7.3.1 Protecting Encryption Keys

Encryption keys must be treated as sensitive-enhanced information, and access to those keys must be restricted on a need-to-know basis. The following principles apply to the protection of, and access to, encryption keys:

  1. If keying material is generated and stored, the information resource must provide secure key storage that is resistant to compromise through a logical or physical attack.
  2. If hardware-based key generation and storage is used, the key must be stored in such a way that it cannot be retrieved in clear text.

9-7.3.2 Recommended Key Management Practices

The best way to mitigate the risk of keys being attacked is to store them in hardware on a secure physical device. Postal Service information resources should adhere to key management procedures and practices that include, but are not limited to, the following:

  1. Generate strong keys that meet the Postal Service minimum encryption standards (See 9-7.1.1, Minimum Encryption Standards).
  2. Key management should be fully automated and not require manual steps.
  3. Generate and store all keys in hardware.
  4. Never remove keys from the hardware and never store them in the host’s memory.
  5. Gain access to the hardware only through a trusted path.

9-7.3.3 Key Management Requirements

Information resources must comply with key management requirements including, but not limited to, the following:

  1. If the information resource supports key recovery, then access to the key must be restricted to authorized personnel.
  2. The information resource must have the capability to enforce the immediate revocation of user accounts and the associated key(s).
  3. Encryption keys must not appear in clear text outside a cryptographic device.
  4. Split knowledge keys must be implemented.
  5. Dual control of keys must be established.
  6. Secure key distribution and storage must be implemented.
  7. Unauthorized substitution of keys must be prevented.
  8. Keys must be changed periodically, as defined below:
    1. Every year for PCI in-scope applications.
    2. Every 2 years for non-PCI in-scope applications.
    3. Every 3 years for USPS Certificate Authority (CA) Online Subordinate tier Server(s), every 5 years for Offline Policy tier CA server(s), and every 10 years for offline Root tier CA server(s).
    4. Whenever anyone with knowledge of a portion of a key that is NOT stored in a Hardware Security Module (HSM) changes positions, transfers, or for any reason leaves the employ of the Postal Service (e.g., resigns, retires, terminates).
  9. Known or suspected compromised keys must be replaced.
  10. Old or invalid keys must be revoked.
  11. Old keys must be archived and destroyed as applicable.
  12. Key custodians must sign a form stating they understand and accept their key-custodian responsibilities.
  13. Keys must not be sent in the same email as the encrypted file.
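As an added illustration (not from Handbook AS-805 and not Postal Service code), the Python below sketches two of the requirements in 9-7.3.3: split knowledge and dual control through XOR key components (items 4 and 5), and a key-age check against the rotation periods in item 8. The function names, the custodian count and the sample key are assumptions; in practice the reconstruction step belongs inside an HSM key ceremony, since item 3 forbids the assembled key from appearing in clear text outside a cryptographic device.

```python
import secrets
from datetime import date

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("key components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split knowledge: one random XOR component per custodian.
    Each component on its own is uniformly random, so any subset short
    of the full set carries no information about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    return components + [last]

def combine_key(components: list[bytes], expected: int) -> bytes:
    """Dual control: reconstruct the key only when every custodian has
    presented a component; a short set is refused, not partially combined."""
    if len(components) != expected:
        raise PermissionError(f"{expected} components required, got {len(components)}")
    key = components[0]
    for c in components[1:]:
        key = xor_bytes(key, c)
    return key

# Maximum key age in years, taken from 9-7.3.3 item 8.
ROTATION_YEARS = {"pci": 1, "non_pci": 2, "ca_online_subordinate": 3,
                  "ca_offline_policy": 5, "ca_offline_root": 10}

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb rolled into a non-leap year
        return d.replace(year=d.year + years, day=28)

def rotation_due(installed: date, scope: str, today: date) -> bool:
    """True once a key has reached the maximum age for its scope."""
    return today >= add_years(installed, ROTATION_YEARS[scope])

if __name__ == "__main__":
    parts = split_key(secrets.token_bytes(32), 2)   # constructed 256-bit sample key
    print("reassembled with both components:", len(combine_key(parts, 2)), "bytes")
    print("PCI key installed 2023-01-01 due on 2024-01-01:",
          rotation_due(date(2023, 1, 1), "pci", date(2024, 1, 1)))
```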