Enforcing regular key changes
Ensure that keys are rotated at the end of their lifetime.
The National Institute of Standards and Technology (NIST) has developed guidelines for key management. Use them to define the correct key retention periods for your organization.
You can download the NIST Special Publication 800-57 from NIST: http://csrc.nist.gov/publications/PubsSPs.html#SP%20800
Based on the NIST guidelines, the recommended maximum key life is 120 days and maximum master key life is three years.
Define maximum key life
Follow these steps to define the maximum key life and the maximum master key life:
- In the user interface, click the Administration tab.
- Select from the navigation menu, then click the System tab.
- Scroll down to the Encryption section.
- In the Maximum key life (days) field, enter the number of days that your organization has defined.
Set maximum key life alerts
Safer Payments provides a Status Alarm Indicator (SAI) that alerts when the end of the maximum key life approaches. SAI alerts are shown on the Safer Payments dashboard and can also be distributed by email or as log messages.
Create two SAIs:
- One for the encryption key; it must have the alarm type encryption key remaining lifetime.
- One for the master key; it must have the alarm type master key remaining lifetime.
- On the Safer Payments user interface, click the Administration tab.
- Select from the navigation menu.
- From the Status Alarm Indicators table, click the (New status alarm indicator) icon to create a new status alarm indicator.
Figure 2 shows an example SAI definition for monitoring the last encryption key change.
This SAI assumes a maximum key life of 120 days. If the current key is valid for only 10 more days, a warning is displayed on the dashboard, a mail is sent out, and a log message is created.
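The check that an SAI performs, a remaining-lifetime comparison against a warning threshold, is easy to reproduce outside the product, for example as an independent monitoring script that cross-checks the dates recorded in a key inventory. The following is an added example written for this page; it is not Safer Payments code and does not use any Safer Payments API. It assumes a simple inline list of key records (name, kind, activation date) and applies the lifetimes stated above: 120 days for encryption keys, three years for master keys, and a 10-day warning threshold as in the Figure 2 SAI. The sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Lifetimes taken from the guidance above; the warning threshold matches the example SAI.
MAX_KEY_LIFE_DAYS = 120            # encryption key
MAX_MASTER_KEY_LIFE_DAYS = 3 * 365  # master key, three years
WARNING_THRESHOLD_DAYS = 10         # warn when this many days (or fewer) remain


@dataclass(frozen=True)
class KeyRecord:
    """Hypothetical key inventory entry; the field names are an assumption of this example."""
    name: str
    kind: str       # "encryption" or "master"
    activated: date  # date the key was put into service


def max_life_days(kind: str) -> int:
    """Maximum life for a key kind, mirroring the two lifetimes defined above."""
    if kind == "encryption":
        return MAX_KEY_LIFE_DAYS
    if kind == "master":
        return MAX_MASTER_KEY_LIFE_DAYS
    raise ValueError(f"unknown key kind: {kind!r}")


def remaining_days(key: KeyRecord, today: date) -> int:
    """Days until the key reaches the end of its maximum life; negative if already overdue."""
    expiry = key.activated + timedelta(days=max_life_days(key.kind))
    return (expiry - today).days


def status(key: KeyRecord, today: date, warn_days: int = WARNING_THRESHOLD_DAYS) -> str:
    """Classify a key the way an SAI would: ok, warning (threshold reached), or overdue."""
    left = remaining_days(key, today)
    if left < 0:
        return "overdue"
    if left <= warn_days:
        return "warning"
    return "ok"


def check_keys(keys, today, warn_days=WARNING_THRESHOLD_DAYS):
    """Return (name, state, message) per key; the message is what an alert channel would carry."""
    report = []
    for key in keys:
        left = remaining_days(key, today)
        state = status(key, today, warn_days)
        msg = f"{key.kind} key {key.name}: {left} day(s) of maximum life remaining ({state})"
        report.append((key.name, state, msg))
    return report


# Constructed sample inventory for the demonstration (not real key data).
SAMPLE_KEYS = [
    KeyRecord("enc-2024-03", "encryption", date(2024, 3, 1)),  # well within its 120 days
    KeyRecord("enc-2024-01", "encryption", date(2024, 1, 1)),  # 5 days left on 2024-04-25
    KeyRecord("mk-2021", "master", date(2021, 4, 1)),          # three years already exceeded
]

if __name__ == "__main__":
    for _, state, msg in check_keys(SAMPLE_KEYS, date(2024, 4, 25)):
        prefix = "ALERT " if state != "ok" else "      "
        print(prefix + msg)
```

Run with a real `today` (for example `date.today()`) and feed the report to whatever channel the organization uses; the `overdue` state is the useful addition over a plain warning, because it catches a key whose rotation was missed despite the earlier alert.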