Enforce regular key changes
This topic describes how to define regular key changes and how to set key life alerts.
The National Institute of Standards and Technology has developed recommendations for key management. Their guidelines assist you in defining the correct key retention periods for your organization.
You can download the NIST Special Publication 800-57 here: http://csrc.nist.gov/publications/PubsSPs.html#SP%20800
Based on these guidelines, we recommend a maximum key life of 120 days and a maximum master key life of three years.
Define maximum key life
You can define the maximum key life and the maximum master key life as follows.
- On the Safer Payments user interface, click the Administration tab.
- Select from the left navigation pane, then click the System tab.
- Scroll down to the Encryption section.
- In the Maximum key life (days) field, enter the number of days you defined in your organization.
Set maximum key life alerts
Safer Payments provides a Status Alarm Indicator (SAI) that raises an alert when the end of the maximum key life approaches. SAI alerts are shown on the Safer Payments dashboard and can also be distributed by email or as log messages. Define two SAIs:
- One for the encryption key, which must have the alarm type encryption key remaining lifetime.
- One for the master key, which must have the alarm type master key remaining lifetime.
- On the Safer Payments user interface, click the Administration tab.
- Select from the left navigation pane.
- From the Status Alarm Indicators table, click the (New status alarm indicator) icon to create a new status alarm indicator.
Figure 2 shows an example SAI definition for monitoring the last encryption key change.
This SAI assumes a maximum key life of 120 days. If the current key is valid for only 10 more days, a warning is displayed on the dashboard, an email is sent, and a log message is written.
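As an added illustration of the check that such an SAI performs, the following Python script is not Safer Payments code (the product configures this through the user interface described above); it reproduces the remaining-lifetime logic outside the product, for example for an independent audit of key rotation. The policy values (120 days for the encryption key, three years for the master key, a 10-day warning threshold) are taken from this page; the key records, dates and the `KeyRecord`, `evaluate` and `demo` names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy values from the recommendation above (the 3-year master key life is
# approximated as 3 * 365 days here; this is an assumption of the example).
MAX_KEY_LIFE_DAYS = 120
MAX_MASTER_KEY_LIFE_DAYS = 3 * 365
WARNING_DAYS = 10  # alert when this many days or fewer remain, as in Figure 2


@dataclass
class KeyRecord:
    """One key under rotation: its name, its kind and when it was last changed."""
    name: str
    kind: str          # "encryption" or "master"
    last_changed: date


def max_life_days(kind: str) -> int:
    """Map the key kind to its maximum life in days; reject unknown kinds."""
    if kind == "encryption":
        return MAX_KEY_LIFE_DAYS
    if kind == "master":
        return MAX_MASTER_KEY_LIFE_DAYS
    raise ValueError(f"unknown key kind: {kind!r}")


def remaining_days(key: KeyRecord, today: date) -> int:
    """Days until the key reaches its maximum life (negative if already past it)."""
    expiry = key.last_changed + timedelta(days=max_life_days(key.kind))
    return (expiry - today).days


def evaluate(keys, today: date, warning_days: int = WARNING_DAYS):
    """Classify every key as 'ok', 'warning' (within the alert window) or
    'expired' (maximum life already exceeded). Returns (name, status, days)."""
    results = []
    for key in keys:
        rem = remaining_days(key, today)
        if rem < 0:
            status = "expired"
        elif rem <= warning_days:
            status = "warning"
        else:
            status = "ok"
        results.append((key.name, status, rem))
    return results


# Constructed sample inventory and evaluation date (not real data).
AS_OF = date(2024, 6, 1)
SAMPLE_KEYS = [
    KeyRecord("enc-current", "encryption", date(2024, 2, 12)),   # 10 days left
    KeyRecord("master-2022", "master", date(2022, 1, 1)),        # well within life
    KeyRecord("enc-stale", "encryption", date(2024, 1, 1)),      # past 120 days
]


def demo():
    """Run the check over the constructed sample inventory."""
    return evaluate(SAMPLE_KEYS, AS_OF)


if __name__ == "__main__":
    for name, status, days in demo():
        print(f"{name:12s} {status:8s} {days:5d} days remaining")
```

The script only flags keys; in Safer Payments the equivalent alert is raised by the SAI itself. Running the check on a schedule against an exported list of key change dates gives a second, independent view that the configured maximum key life is actually being enforced.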