Summary

The system's cryptographic keys must be replaced after a defined period of time, after having produced a certain amount of cipher-text or after its integrity has been weakened, e.g., when an employee with knowledge of a key leaves or when it is believed to have been compromised.

Description

The system's cryptographic keys are essential for maintaining the confidentiality and integrity of transactions and communications. In order to mitigate their decreased effectiveness over time and any possible loss of their integrity, they should be replaced often.

Supported In

This requirement is verified in following services

References

• CWE™-324. Use of a key past its expiration date
• OWASP-M TOP 10-M5. Insufficient cryptography
• PA-DSS-2_5_4. Cryptographic key changes for keys
• PA-DSS-2_5_5. Retirement or replacement of keys
• HITRUST CSF-10_g. Key management
• FedRAMP-SC-13. Cryptographic protection
• ISO/IEC 27002-8_24. Use of cryptography
• OWASP SCP-6. Cryptographic practices
• BSAFSS-EN_3-2. Software protects and validates encryption keys
• OWASP ASVS-1_6_3. Cryptographic architecture
• C2M2-9_5_e. Implement data security for cybersecurity architecture
• PCI DSS-3_6_1_1. Protect cryptographic keys used to protect stored account data
• ISO/IEC 27001-8_24. Use of cryptography
• Resolution SB 2021 2126-Art_26_11_h. Information Security
• Resolution SB 2021 2126-Art_27_13. Security in Electronic Channels
• OWASP MASVS-CRYPTO-2. The app performs key management according to industry best practices

Vulnerabilities

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.