T7.4.2 - KEY MANAGEMENT Implementation Guidance
The entity shall establish key management to support the entity’s use of cryptographic techniques.
Back to T7.4.2 - P2 - KEY MANAGEMENT
All cryptographic keys should be protected against modification, loss, and destruction. In addition, secret and private keys need protection against unauthorized disclosure. Equipment used to generate, store and archive keys should be physically protected.
A key management system should be based on an agreed set of standards, procedures, and secure methods for:
- A. Generating keys for different cryptographic systems and different applications
- B. Generating and obtaining public key certificates
- C. Distributing keys to intended users, including how keys should be activated when received
- D. Storing keys, including how authorized users obtain access to keys
- E. Changing or updating keys, including rules on when keys should be changed and how this will be done
- F. Dealing with compromised keys
- G. Revoking keys, including how keys should be withdrawn or deactivated, e.g. when keys have been compromised or when a user leaves an entity (in which case keys should also be archived)
- H. Recovering keys that are lost or corrupted as part of business continuity management, e.g. for recovery of encrypted information
- I. Archiving keys, e.g. for information archived or backed up
- J. Destroying keys
- K. Logging and auditing of key management related activities
In order to reduce the likelihood of compromise, activation and deactivation dates for keys should be defined so that the keys can only be used for a limited period of time. This period of time should depend on the circumstances under which the cryptographic control is being used and on the perceived risk.
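The list of key management activities above (generation, activation, change, compromise handling, revocation, archiving, destruction, and logging) together with the activation and deactivation dates described in this paragraph can be expressed as a key lifecycle with enforced state transitions. The following Python example is an added illustration and is not code from this guidance or from any particular key management product; the state names, the `KeyRegistry` class and the constructed key identifier are assumptions chosen for the demonstration. It shows a key that is unusable before its activation date, usable only while active inside its window, automatically deactivated once the cryptoperiod ends, refused re-activation afterwards, and archived for recovery, with every decision written to an audit log.

```python
"""Key lifecycle registry: cryptoperiod enforcement plus audit logging.
Added illustration; not code from the standard. All names are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class KeyState(Enum):
    PENDING = "pending"          # generated, not yet activated
    ACTIVE = "active"            # may be used for cryptographic operations
    DEACTIVATED = "deactivated"  # withdrawn: cryptoperiod ended or user left
    COMPROMISED = "compromised"  # must never be used again
    ARCHIVED = "archived"        # retained only for recovery of old data
    DESTROYED = "destroyed"      # key material erased


@dataclass
class KeyRecord:
    key_id: str
    activation: datetime
    deactivation: datetime
    state: KeyState = KeyState.PENDING


# Permitted lifecycle transitions (items E, F, G, I and J of the guidance).
_TRANSITIONS = {
    KeyState.PENDING: {KeyState.ACTIVE, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.DEACTIVATED: {KeyState.ARCHIVED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.ARCHIVED, KeyState.DESTROYED},
    KeyState.ARCHIVED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}


class KeyRegistry:
    def __init__(self):
        self._keys = {}
        self.audit_log = []  # (timestamp, key_id, event, detail) - item K

    def _log(self, now, key_id, event, detail=""):
        self.audit_log.append((now.isoformat(), key_id, event, detail))

    def register(self, key_id, activation, deactivation, now):
        """Record a newly generated key with its activation/deactivation dates."""
        if deactivation <= activation:
            raise ValueError("deactivation must be after activation")
        self._keys[key_id] = KeyRecord(key_id, activation, deactivation)
        self._log(now, key_id, "registered",
                  f"window {activation.date()}..{deactivation.date()}")

    def transition(self, key_id, new_state, now, reason=""):
        """Move a key to a new state, refusing and logging illegal transitions."""
        rec = self._keys[key_id]
        if new_state not in _TRANSITIONS[rec.state]:
            self._log(now, key_id, "rejected", f"{rec.state.value}->{new_state.value}")
            raise ValueError(f"illegal transition {rec.state.value} -> {new_state.value}")
        if new_state is KeyState.ACTIVE and now < rec.activation:
            self._log(now, key_id, "rejected", "activation date not reached")
            raise ValueError("activation date not reached")
        rec.state = new_state
        self._log(now, key_id, new_state.value, reason)

    def is_usable(self, key_id, now):
        """True only for an ACTIVE key inside its activation/deactivation window."""
        rec = self._keys.get(key_id)
        if rec is None or rec.state is not KeyState.ACTIVE:
            return False
        return rec.activation <= now < rec.deactivation

    def expire_due_keys(self, now):
        """Deactivate every active key whose cryptoperiod has ended; returns their ids."""
        expired = [k for k, r in self._keys.items()
                   if r.state is KeyState.ACTIVE and now >= r.deactivation]
        for k in expired:
            self.transition(k, KeyState.DEACTIVATED, now, "cryptoperiod ended")
        return expired

    def state_of(self, key_id):
        return self._keys[key_id].state


def demo():
    """Walk one constructed key through its lifecycle; returns observations."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    kid = "k-constructed-1"  # constructed identifier, not a real key
    reg = KeyRegistry()
    reg.register(kid, t0, t0 + timedelta(days=90), now=t0 - timedelta(days=1))
    before = reg.is_usable(kid, t0)                        # False: still pending
    reg.transition(kid, KeyState.ACTIVE, now=t0)
    during = reg.is_usable(kid, t0 + timedelta(days=30))   # True: inside window
    past = reg.is_usable(kid, t0 + timedelta(days=91))     # False: window closed
    expired = reg.expire_due_keys(t0 + timedelta(days=91))
    try:
        reg.transition(kid, KeyState.ACTIVE, now=t0 + timedelta(days=92))
        reactivated = True
    except ValueError:
        reactivated = False  # a deactivated key cannot be brought back
    reg.transition(kid, KeyState.ARCHIVED, now=t0 + timedelta(days=92),
                   reason="retained for recovery of encrypted data")
    return {"before": before, "during": during, "past": past, "expired": expired,
            "reactivated": reactivated, "final_state": reg.state_of(kid).value,
            "audit_events": [e[2] for e in reg.audit_log]}


if __name__ == "__main__":
    print(demo())
```

The `is_usable` check is the point where an application would consult the registry before each cryptographic operation; keeping that decision in one place means the activation and deactivation dates are enforced uniformly rather than relying on each caller to remember them, and the audit log gives the evidence that item K asks for.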
In addition to securely managing secret and private keys, the authenticity of public keys should also be considered. This authentication process can be done using public key certificates which are normally issued by a certification authority, which should be a recognized entity with suitable controls and procedures in place to provide the required degree of trust.
The contents of service level agreements or contracts with external suppliers of cryptographic services, e.g. with a certification authority, should cover issues of liability, reliability of services and response times for the provision of services.