Product Documentation

While regulations such as PCI DSS call for annual key rotation, so that the risk of any one key becoming vulnerable through prolonged use is mitigated, SAKA goes beyond such regulations: it supports four (4) key durations for data encryption keys. Sites may choose any duration at any time to meet their security needs. The four key durations are:

  • Daily—A new AES symmetric encryption key is generated every day upon the first encryption request after midnight in the SAKA's time zone. All new encryption requests for that calendar day are serviced with the encryption key of the day. This is the most aggressive key-duration policy. Up to 365 keys are thus generated in a calendar year (366 in leap years). However, if no encryption request is made on a given calendar day—perhaps because of a holiday—no key is generated for that day. So the number of encryption keys generated in a given year can range from zero (0) to 365/366.

  • Weekly—A new AES symmetric encryption key is generated upon the first encryption request after midnight at the start of Sunday in the SAKA time zone. All new encryption requests for that calendar week are serviced with the encryption key of the week. A maximum of fifty-two (52) such keys are generated and used in a calendar year with this key duration policy; a year that contains 53 Sundays starts one more key period, so it can yield fifty-three (53).

  • Monthly—A new AES symmetric encryption key is generated upon the first encryption request past the stroke of midnight on the first of the calendar month in the SAKA time zone. All new encryption requests for that calendar month are serviced with the encryption key of the month. A maximum of twelve (12) such keys are generated and used in a calendar year with this key duration policy.

  • Annual—A new AES symmetric encryption key is generated upon the first encryption request past the stroke of midnight on the first day of the calendar year in the SAKA time zone. All new encryption requests for that calendar year are serviced with the encryption key of the year. A single key is generated and used in a calendar year with this key duration policy.
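
The following is an added example, not SAKA's code, that models the four policies as a data-encryption-key cache: the key period of a request is computed in the appliance's time zone, and a key is minted only on the first request that lands in a new period, so idle periods produce no key. The time zone is assumed to be a fixed UTC-8 offset so the example runs offline (a deployment would use its configured zone, DST included), `secrets.token_bytes` stands in for the appliance's own key generation, and key wrapping and persistence are not shown. The helper names (`period_id`, `DekCache`, `keys_generated`, `one_request_per_day`, `request_at`) are this example's, not SAKA's.

```python
"""Illustrative key-duration policies: one AES-256 key per Daily / Weekly /
Monthly / Annual period, minted on the first request of that period."""
import secrets
from datetime import date, datetime, timedelta, timezone

# Assumption: the appliance's time zone is modelled as a fixed UTC-8 offset.
SAKA_TZ = timezone(timedelta(hours=-8))

POLICIES = ("Daily", "Weekly", "Monthly", "Annual")


def period_id(ts: datetime, policy: str, tz=SAKA_TZ) -> str:
    """Label the key period that `ts` falls in, evaluated in the appliance's
    time zone. Two requests are served by the same key iff labels match."""
    local = ts.astimezone(tz)
    if policy == "Daily":
        return local.strftime("%Y-%m-%d")
    if policy == "Weekly":
        # Weeks begin at midnight on Sunday: back up to the most recent Sunday.
        # weekday() is Monday=0 .. Sunday=6, so a Sunday backs up 0 days.
        days_since_sunday = (local.weekday() + 1) % 7
        week_start = local.date() - timedelta(days=days_since_sunday)
        return "week-of-" + week_start.isoformat()
    if policy == "Monthly":
        return local.strftime("%Y-%m")
    if policy == "Annual":
        return local.strftime("%Y")
    raise ValueError(f"unknown key-duration policy: {policy!r}")


class DekCache:
    """Lazily mints one key per period; a period with no requests gets none,
    which is why a Daily site can end a year with fewer than 365 keys."""

    def __init__(self, policy: str, tz=SAKA_TZ):
        if policy not in POLICIES:
            raise ValueError(f"unknown key-duration policy: {policy!r}")
        self.policy, self.tz = policy, tz
        self._keys: dict[str, bytes] = {}  # period label -> raw key bytes

    def key_for(self, ts: datetime) -> tuple[str, bytes]:
        """Return (period label, key) for a request made at `ts`, generating
        the key on the first request of that period."""
        label = period_id(ts, self.policy, self.tz)
        if label not in self._keys:
            # Stand-in for the appliance's key generation and wrapping:
            # 32 bytes from the OS CSPRNG, held unwrapped in memory.
            self._keys[label] = secrets.token_bytes(32)
        return label, self._keys[label]

    def key_count(self) -> int:
        return len(self._keys)


def keys_generated(policy: str, request_times, tz=SAKA_TZ) -> int:
    """How many distinct keys a stream of request timestamps causes."""
    cache = DekCache(policy, tz)
    for ts in request_times:
        cache.key_for(ts)
    return cache.key_count()


def request_at(y: int, m: int, d: int, hour: int = 12, minute: int = 0,
               utc: bool = False) -> datetime:
    """Constructed request timestamp, in the appliance zone or in UTC."""
    return datetime(y, m, d, hour, minute, tzinfo=timezone.utc if utc else SAKA_TZ)


def one_request_per_day(year: int):
    """Constructed workload: one request at local noon on every day of
    `year`, the busiest case for counting keys."""
    d = date(year, 1, 1)
    while d.year == year:
        yield request_at(d.year, d.month, d.day)
        d += timedelta(days=1)


if __name__ == "__main__":
    for policy in POLICIES:
        n = keys_generated(policy, one_request_per_day(2023))
        print(f"{policy:8s} keys for 2023 with daily traffic: {n}")
    # A request logged in UTC is mapped to the appliance zone first:
    # 05:00Z on 1 March is still 28 February at UTC-8.
    print(period_id(request_at(2023, 3, 1, 5, utc=True), "Monthly"))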


Regardless of which key duration policy a site chooses, all data encryption keys are generated, encrypted and recovered automatically by the system, and are also rotated automatically if the rotation job is scheduled through the DACTool. No human intervention is required beyond specifying the key duration policy and setting up the rotation jobs.

Regardless of which key duration policy a site chooses, all data encryption keys must be rotated annually if the system is to comply with PCI DSS. If no such regulation constrains your business use of this appliance, you can rotate keys according to your own internal security policies. The DACTool has programmed modules that perform key rotation automatically without stopping cryptographic services to applications. See 12—KAM DACTool for more details on the DACTool.

The default key duration for HMAC and Password-HMAC keys is Annual. SAKA uses these keys internally to verify the integrity of data before and after cryptographic processing. They are not currently regulated by PCI DSS or any other regulation, so their key duration policy is less aggressive than that of the data encryption keys.