change procedures in preparation for an unplanned key change (the equivalent
of a 'fire drill'). In some organisations this is the most common planned change,
since their key lifetimes are very long.
Unplanned key changes. These may occur for a variety of reasons. Indeed, many
of the reasons that we gave in Section 10.2.1 for having finite key lifetimes were
to mitigate against unplanned events. An unplanned key change may thus be
required if these unplanned events actually occur. For example:
• a key is compromised;
• a security vulnerability becomes apparent with the potential to lead to key
compromise (such as an operating system vulnerability, a breakthrough in
cryptanalysis, or a failure of a tamper-resistance mechanism in an HSM);
• an employee unexpectedly leaves an organisation.
Note that in some of these cases it may simply be enough to withdraw a key
(remove it from active use), rather than change it. However, care must be taken
before making this type of decision. For example, when an employee unexpectedly
leaves an organisation on good terms then it may suffice to withdraw any personal
keys that they held, such as any symmetric keys shared only by the employee and
a central system, or any public-key pairs relating only to the employee. However,
the employee might also have held group keys that are shared by several members
of staff. It would be advisable to change these keys, since they are likely to remain
in use after the employee's departure.
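The withdraw-versus-change decision above can be expressed as a simple rule over a key inventory: a key whose only holders are the departing employee (and possibly the central system) can be withdrawn, while a key shared with other staff has to be changed. The following is an added example, not code from the book; the inventory, the holder labels and the `good_terms` flag (which, as an assumption, forces every key the employee held to be changed when the departure is not on good terms) are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    holders: frozenset  # parties that hold a copy of the key (constructed labels)


# Constructed inventory. "central" stands for the central system mentioned in
# the text; the other holders are staff members.
INVENTORY = [
    KeyRecord("sym-alice-central", frozenset({"alice", "central"})),
    KeyRecord("rsa-alice-signing", frozenset({"alice"})),
    KeyRecord("sym-team-vault", frozenset({"alice", "bob", "carol"})),
    KeyRecord("sym-bob-central", frozenset({"bob", "central"})),
]


def departure_plan(inventory, employee, good_terms=True, central="central"):
    """Return (withdraw, change) key lists for a departing employee.

    Personal keys (held only by the employee, or by the employee and the
    central system) are withdrawn; group keys shared with other staff are
    changed because they stay in use after the departure. If the departure
    is not on good terms (an assumption added here), every key the employee
    held is changed rather than merely withdrawn.
    """
    withdraw, change = [], []
    for rec in inventory:
        if employee not in rec.holders:
            continue  # the employee never held this key; nothing to do
        other_staff = rec.holders - {employee, central}
        if other_staff or not good_terms:
            change.append(rec.key_id)
        else:
            withdraw.append(rec.key_id)
    return sorted(withdraw), sorted(change)


if __name__ == "__main__":
    withdraw, change = departure_plan(INVENTORY, "alice")
    print("withdraw:", withdraw)
    print("change:  ", change)
```

Keys that the employee never held are left alone, which is why `sym-bob-central` appears in neither list.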
IMPACT OF KEY CHANGE
Key change can be a very expensive process, depending on the importance of
the key being changed. An unplanned key change is particularly problematic,
especially in the event of a key compromise, since it raises questions about any
cryptographic operations that were conducted using the affected key, such as
the confidentiality of any encrypted data. One likely consequence is that it will
probably be necessary to also change any other keys encrypted using the affected
key, which in turn raises questions about any cryptographic operations conducted
using them.
The minimum impact of a key change is that a new key needs to be generated
and established. However, the impact can be severe, especially in the case of
high-level key compromise. For example, if a master key is compromised in
a financial system then the resulting costs might include costs of investigation
into the compromise, costs related to any 'rogue' transactions conducted using
compromised keys, damage to reputation and loss of customer confidence.
Recovery from unplanned key changes should be part of an organisation's wider
disaster recovery and business continuity processes.
One situation where the damage caused by a key compromise might be
limited is when the time of a cryptographic operation is logged and the time
of key compromise is known. For example, in the case of a signature key being
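Two points from the impact discussion lend themselves to a worked example: a compromised key drags with it every key encrypted under it (directly or through intermediate keys), and an operation log with a known compromise time bounds which operations are actually in question. The code below is an added example, not from the book; the key hierarchy, the log entries and the ISO-8601 timestamp format are constructed for illustration.

```python
from datetime import datetime


# Constructed key hierarchy: each entry maps a key to the key it is encrypted
# (wrapped) under. None marks a key that is not wrapped under any other key.
WRAPPED_UNDER = {
    "kek-region-a": "master",
    "kek-region-b": "master",
    "dek-cards-a": "kek-region-a",
    "dek-ledger-a": "kek-region-a",
    "dek-cards-b": "kek-region-b",
    "sig-auditor": None,
}

# Constructed operation log: (timestamp, key used, operation, object id).
LOG = [
    ("2024-03-01T09:00:00+00:00", "dek-cards-a", "encrypt", "batch-1"),
    ("2024-03-01T13:00:00+00:00", "dek-cards-a", "encrypt", "batch-2"),
    ("2024-03-01T14:00:00+00:00", "dek-cards-b", "encrypt", "batch-3"),
    ("2024-03-01T15:00:00+00:00", "dek-ledger-a", "decrypt", "q1-report"),
    ("2024-03-01T16:00:00+00:00", "sig-auditor", "sign", "attestation-7"),
]


def keys_to_change(wrapped_under, compromised):
    """Return the compromised key plus every key wrapped under it, transitively.

    A key encrypted under a compromised key must be assumed exposed, and so
    must any key encrypted under that one, hence the closure.
    """
    affected = {compromised}
    grew = True
    while grew:
        grew = False
        for child, parent in wrapped_under.items():
            if parent in affected and child not in affected:
                affected.add(child)
                grew = True
    return affected


def suspect_operations(log, wrapped_under, compromised, compromise_time):
    """Return logged operations that used an affected key at or after the
    compromise time; operations before it are not called into question."""
    affected = keys_to_change(wrapped_under, compromised)
    t0 = datetime.fromisoformat(compromise_time)
    return [
        entry for entry in log
        if entry[1] in affected and datetime.fromisoformat(entry[0]) >= t0
    ]


if __name__ == "__main__":
    print(sorted(keys_to_change(WRAPPED_UNDER, "kek-region-a")))
    for entry in suspect_operations(LOG, WRAPPED_UNDER, "kek-region-a",
                                    "2024-03-01T12:00:00+00:00"):
        print("suspect:", entry)
```

Without the compromise time, every operation ever performed under the three affected keys would have to be questioned; with it, only `batch-2` and `q1-report` remain suspect, and the operations under `kek-region-b` and the unwrapped `sig-auditor` key are unaffected either way.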