National Institute of Science and Technology releases draft guidelines for High-Performance Computing (HPC) Security Overlay and recommendations for Key Management
July 12, 2025
The National Institute of Science and Technology (“NIST”) has published a guideline on High-Performance Computing (HPC) Security Overlay,
Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance and
The announcement about the HPC provides:
High-performance computing (HPC) systems provide fundamental computing infrastructure for large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations at exceptional speeds. Securing HPC systems is essential for safeguarding AI models, protecting sensitive data, and realizing the full benefits of HPC capabilities.
This NIST Special Publication introduces an HPC security overlay that is designed to address the unique characteristics and requirements of HPC systems. Built upon the moderate baseline defined in SP 800-53B, the overlay tailors 60 security controls with supplemental guidance and/or discussions to enhance their applicability in HPC contexts. This overlay aims to provide practical, performance-conscious security guidance that can be readily adopted. For many organizations, it offers a robust foundation for securing HPC environments while also allowing for further customization to meet specific operational or mission needs.
The recommendations for best practices for key management organisations, part 2 provides:
NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements. Finally, Part 3 provides guidance when using the cryptographic features of current systems. Part 2 (this document) 1) identifies the concepts, functions and elements common to effective systems for the management of symmetric and asymmetric keys; 2) identifies the security planning requirements and documentation necessary for effective institutional key management; 3) describes Key Management Specification requirements; 4) describes cryptographic Key Management Policy documentation that is needed by organizations that use cryptography; and 5) describes Key Management Practice Statement requirements. Appendices provide examples of some key management infrastructures and supplemental documentation and planning materials.
The recommendations for Key Management part 3; Application-Specific Key Management Guidance provides:
NIST Special Publication 800-57 provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
The highlights about the HPC provide:
- High-performance computing (HPC) systems provide fundamental computing infrastructure and play a pivotal role in economic competitiveness and scientific discovery. They have the capacity to train large-scale AI models, analyze big data, and rapidly conduct complex simulations.
- An HPC system is divided into four function zones:
  - Access Zone,
  - Management Zone,
  - High-Performance Computing Zone, and
  - Data Storage Zone. Each zone
- Different zones within the system face different threats, providing an opportunity to create customized guidance for each zone. Implementing fine-grained controls can effectively address security needs without compromising system performance.
Interesting points from the recommendations for best practices for key management organisations, Part 2:
- A cryptographic mechanism relies upon two basic components:
  - an algorithm (or cryptographic methodology) and
  - a variable cryptographic key.
  The algorithm and key are used together to apply cryptographic protection to data (e.g., to encrypt the data or to generate a digital signature) and to remove or check the protection (e.g., to decrypt the encrypted data or to verify a digital signature).
- Two types of cryptographic algorithms in common use are:
  - symmetric key algorithms. Symmetric key algorithms use a single key to both apply cryptographic protection and to remove or check the protection. With symmetric key algorithms, the single key must be kept secret from everyone and everything not specifically authorised to access the information being protected. Symmetric key cryptography is most often used to protect the confidentiality of information or to authenticate the integrity of that information; and
  - asymmetric key algorithms. Asymmetric key algorithms (often called public key algorithms) use a pair of keys (i.e., a key pair): a public key and a private key that are mathematically related to each other. In asymmetric key cryptography, only one key in the key pair, the private key, must be kept secret; the other key can be made public. Asymmetric key cryptography is commonly used to protect the integrity and authenticity of information and to establish symmetric keys.
- Given differences in the nature of symmetric and asymmetric key cryptography and of the requirements of different security applications of cryptography, specific key management requirements and methods necessarily vary from application to application.
- Users and systems need to have assurance that the key is authentic, that it belongs to the entity with whom or which it is asserted to be associated, and that it has not been accessed by an unauthorized third party.
- Cryptographic key management systems (CKMS) are composed of individual components and are used to carry out sets of key management functions or services.
- Key management services include the generation, destruction, revocation, distribution, and recovery of keys. Some CKMS services (e.g., certificate authority (CA)) may be provided by a third party under contract or Service Level Agreement.
- Key establishment is the process that results in the sharing of a key between two or more entities. This process could be by a manual distribution, by using automated key-transport or key-agreement mechanisms, or by key derivation using an already-shared key between or among those entities. A decision must be made about the length of each key’s cryptoperiod.
- Key management functions that need to be addressed in a Key Management Policy include roles and responsibilities, which need to be defined for the management of:
  - The generation or acquisition of key information (i.e., keying material and the associated metadata);
  - The secure distribution of private keys, secret keys and the associated metadata;
  - The establishment of cryptoperiods;
  - Key and/or certificate inventory management, including procedures for the routine supersession of keys and certificates at the end of a cryptoperiod or validity period;
  - Procedures for the emergency revocation of compromised keys and the establishment (e.g., distribution) of replacement keys and/or certificates;
  - Accounting for and the storage and recovery of the operational and backed-up copies of key information;
  - The storage and recovery of archived key information;
  - Procedures for checking the integrity of stored key information before using it; and
- “cryptographic key management system” (CKMS):
  - refers to the framework and services that provide for the generation, establishment, control, accounting, and destruction of cryptographic keys and associated management information.
  - it includes all elements (hardware, software, other equipment, and documentation); facilities; personnel; procedures; standards; and information products that form the system that establishes, manages, and supports cryptographic products and services for end entities.
  - a CKMS may handle symmetric keys, asymmetric keys or both.
- Key management policies, practice statements, and specifications should identify common CKMS elements and suggest functions of and relationships among the organizational elements responsible for the management and use of cryptographic keys. The complexity of infrastructure and the allocation of roles within it will depend on
  - the cryptographic algorithms employed,
  - the operational and communications relationships among the organizational elements being served,
  - the purposes for which cryptography is employed, and
  - the number and complexity of cryptographic keying relationships required by an organization.
- Key-processing facilities provide one or more of the following services:
  - Generation and/or distribution of key information;
  - Acquisition or generation of public-key certificates (where applicable);
  - Backup, archiving, and inventories of key information;
  - Maintenance of a database that maps entities to an organization’s certificate or key structure;
  - Maintenance and distribution of revoked key or certificate reports; and
  - Generation of audit requests and the processing of audit responses as necessary for the detection of previously undetected compromises and the analysis of compromise events as needed to support recovery from compromises.
- Client nodes provide interfaces to end entities for the establishment of keying material, for the generation of requests for keying material, for the receipt and forwarding (as appropriate) of revoked key notifications (RKNs), for the receipt of audit requests, and for the delivery of audit responses
- Symmetric key cryptography requires the originator and all intended consumers of specific information secured by a symmetric-key algorithm to share a secret key. This is in contrast to asymmetric-key (public key) algorithm that requires only one party participating in a transaction to know a private key and permits the other party or parties to know the corresponding public key. Symmetric-key algorithms are generally much more computationally efficient than public key algorithms, so a symmetric-key algorithm is most commonly used to protect larger volumes of information such as the confidentiality of data in transit and in storage
- Regardless of the key-management structure, any CKMS design should describe how it provides cryptographic keys to the entities that will use those keys to protect sensitive information. The CKMS design documentation should specify the use of each key type, where and how keys can be generated, how they can be protected in storage and during delivery, and the types of entities to whom they can be delivered
- It is important to avoid using a key from an unauthenticated source, to protect all keys and key components in transit, and to protect stored keys for as long as any information protected under those keys requires protection. Cryptographic confidentiality and integrity mechanisms are most commonly used to establish trust anchors that enforce trust policies and practices.
- A key may also be suspended from use for a variety of reasons, such as an unknown status of the key or due to the key owner being temporarily unavailable (e.g., the key owner is on extended leave). In the case of a certificate suspension, the intent is to suspend the use of the public key included in the certificate
- The following information should be included in the key management planning documentation:
  - The types of key management products and services;
  - The quantity of key management products required for the services to be provided (e.g., the number of keys to be issued per device, application or process to be keyed);
  - The algorithm(s) employed for each key management product used and service provided by a device, application or process;
  - The key information format(s) (reference existing specifications, if applicable);
  - The cryptoperiods to be enforced (may be a general recommendation or a recommendation specific to a service, key type, device, application, process or organization);
  - PKI certificate classes (as applicable);
  - Tokens or software modules to be used (as applicable);
  - Dates when keying material is needed (plans for the distribution of the initial keys and the frequency of replacement of the keys);
  - Provision for review or revision of replacement plans when the circumstances underlying replacement frequency change;
  - The projected duration of the need (for devices, applications, processes or organizations); and
  - The title or identity of the anticipated keying material manager (as applicable).
- It is imperative to maintain a record of all long-term keys in use. That means:
  - establishing and maintaining records of the keys and/or certificates in use;
  - assigning and tracking their owners or sponsors;
  - monitoring key and certificate status; and
  - reporting the status to the appropriate official for remedial action, when required.
- A Key Management Specification is the document that describes the key management products that may be required to operate a cryptographic device or application.
- Key Management Specification also describes key-management components that are provided by a cryptographic device.
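The inventory duties listed above (keeping records of long-term keys, tracking owners or sponsors, monitoring status and cryptoperiods, and reporting for remedial action) can be sketched as a small audit routine. This is an added example, not taken from NIST or from the original post; the record fields, the status values and the 30-day warning window are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class KeyRecord:                 # hypothetical inventory record layout
    key_id: str
    key_type: str                # e.g. "symmetric" or "asymmetric-private"
    owner: Optional[str]         # owner or sponsor; None means untracked
    activated: date
    cryptoperiod_days: int       # set by the organization's policy
    status: str                  # assumed values: "active", "suspended", "revoked"

def audit_inventory(records, today, warn_days=30):
    """Return (key_id, finding) pairs to report for remedial action."""
    findings = []
    for r in records:
        if r.status == "revoked":
            continue             # already out of use; nothing to report
        if not r.owner:
            findings.append((r.key_id, "no owner or sponsor assigned"))
        if r.status == "suspended":
            findings.append((r.key_id, "suspended: resolve status"))
        expires = r.activated + timedelta(days=r.cryptoperiod_days)
        if today > expires:
            findings.append((r.key_id, f"cryptoperiod ended {expires.isoformat()}"))
        elif expires - today <= timedelta(days=warn_days):
            findings.append(
                (r.key_id, f"cryptoperiod ends {expires.isoformat()}: schedule replacement"))
    return findings

# Constructed sample inventory (not real keys or owners).
SAMPLE = [
    KeyRecord("k-001", "symmetric", "storage-team", date(2024, 1, 1), 365, "active"),
    KeyRecord("k-002", "asymmetric-private", None, date(2025, 3, 1), 730, "active"),
    KeyRecord("k-003", "asymmetric-private", "alice", date(2024, 8, 1), 365, "suspended"),
    KeyRecord("k-004", "symmetric", "hpc-ops", date(2023, 1, 1), 365, "revoked"),
    KeyRecord("k-005", "symmetric", "hpc-ops", date(2025, 1, 1), 365, "active"),
]

if __name__ == "__main__":
    for key_id, finding in audit_inventory(SAMPLE, today=date(2025, 7, 12)):
        print(f"{key_id}: {finding}")
```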