The system's cryptographic keys must be replaced after a defined period of time, after having produced a certain amount of cipher-text or after its integrity has been weakened, e.g., when an employee with knowledge of a key leaves or when it is believed to have been compromised.
The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. In order to mitigate their decreased effectiveness over time and any possible loss of their integrity, they should be replaced often.
This requirement is verified in following services
- CWE™-324. Use of a key past its expiration date
- OWASP-M TOP 10-M5. Insufficient cryptography
- PA-DSS-2_5_4. Cryptographic key changes for keys
- PA-DSS-2_5_5. Retirement or replacement of keys
- HITRUST CSF-10_g. Key management
- FedRAMP-SC-13. Cryptographic protection
- ISO/IEC 27002-8_24. Use of cryptography
- OWASP SCP-6. Cryptographic practices
- BSAFSS-EN_3-2. Software protects and validates encryption keys
- OWASP ASVS-1_6_3. Cryptographic architecture
- C2M2-9_5_e. Implement data security for cybersecurity architecture
- PCI DSS-3_6_1_1. Protect cryptographic keys used to protect stored account data
- ISO/IEC 27001-8_24. Use of cryptography
- Resolution SB 2021 2126-Art_26_11_h. Information Security
- Resolution SB 2021 2126-Art_27_13. Security in Electronic Channels
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.