361 – Replace cryptographic keys

Summary

The system's cryptographic keys must be replaced after a defined period of time, after having produced a certain amount of cipher-text or after its integrity has been weakened, e.g., when an employee with knowledge of a key leaves or when it is believed to have been compromised.

Description

The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. In order to mitigate their decreased effectiveness over time and any possible loss of their integrity, they should be replaced often.

Supported In

Advanced: True

References

• CWE-324. Use of a key past its expiration date
• OWASPM10-M5. Insufficient cryptography
• PADSS-2_5_4. Cryptographic key changes for keys
• PADSS-2_5_5. Retirement or replacement of keys
• HITRUST-10_g. Key management
• FEDRAMP-SC-13. Cryptographic protection
• ISO27002-8_24. Use of cryptography
• OWASPSCP-6. Cryptographic practices
• BSAFSS-EN_3-2. Software protects and validates encryption keys
• ASVS-1_6_3. Cryptographic architecture
• C2M2-9_5_e. Implement data security for cybersecurity architecture
• PCI-3_6_1_1. Protect cryptographic keys used to protect stored account data
• ISO27001-8_24. Use of cryptography
• RESOLSB-Art_26_11_h. Information Security
• RESOLSB-Art_27_13. Security in Electronic Channels
• OWASPMASVS-CRYPTO-2. The app performs key management according to industry best practices

Last updated

2024/01/18