Replace cryptographic keys
Summary
The system's cryptographic keys must be replaced after a defined period of time, after having produced a certain amount of cipher-text or after its integrity has been weakened, e.g., when an employee with knowledge of a key leaves or when it is believed to have been compromised.
Description
The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. In order to mitigate their decreased effectiveness over time and any possible loss of their integrity, they should be replaced often.
References
- CWE-324. Use of a key past its expiration date
- OWASPM10-M5. Insufficient cryptography
- PADSS-2_5_4. Cryptographic key changes for keys
- PADSS-2_5_5. Retirement or replacement of keys
- HITRUST-10_g. Key management
- FEDRAMP-SC-13. Cryptographic protection
- ISO27002-8_24. Use of cryptography
- OWASPSCP-6. Cryptographic practices
- BSAFSS-EN_3-2. Software protects and validates encryption keys
- ASVS-1_6_3. Cryptographic architecture
- C2M2-9_5_e. Implement data security for cybersecurity architecture
- PCI-3_6_1_1. Protect cryptographic keys used to protect stored account data
- ISO27001-8_24. Use of cryptography
- RESOLSB-Art_26_11_h. Information Security
- RESOLSB-Art_27_13. Security in Electronic Channels
- OWASPMASVS-CRYPTO-2. The app performs key management according to industry best practices
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan