Question:

Why should you periodically change the key used to encrypt messages? What attack is more likely to succeed if a key has been used frequently? How frequently should the key be changed?

Response:

Breaking modern encryption keys (e.g. AES-256, RSA-2048, RSA-4096; 1024-bit RSA is already considered too short) is improbable, but it is not impossible, and every message encrypted under the same key hands an attacker more ciphertext to work with. That is the attack that becomes more likely the longer one key is used: cryptanalysis over a large body of ciphertext, in particular known-plaintext attacks in which the attacker can pair some of that ciphertext with its plaintext. Rotating the key limits both the material available for such an attack and the amount of data exposed if one key is ever recovered. Many enterprise-class encryption systems use a key management system so that key rotation can be accomplished without the burden of maintaining and tracking keys manually; one such product is keyAuthority from Thales, and such systems are often used for encrypting data-at-rest on disk and tape. As we learned in chapter two of the text, the initial exchange of keys is subject to a man-in-the-middle attack, but more importantly, if a single key is used indefinitely, the lack of a key rotation policy can create, and has created, serious exposure.

In a world where developers are moving at an unprecedented pace, and cloud computing is providing easy access to infrastructure, human error is creating severe pain for many organizations. Most notably, developers are publishing keys to GitHub, and attackers now crawl GitHub looking for AWS keys (the code to perform the crawling has itself been published to GitHub). AWS is a giant honeypot sitting on the internet, and publishing AWS keys to GitHub is a huge risk; a key management strategy, including the ability to revoke and replace a key quickly, is essential to minimizing the impact if a key gets into the wild.
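As an added example (not part of the original answer, and not TruffleHog's own code), the following Python script shows the two detection techniques such GitHub crawlers rely on, run over a constructed sample config file: a pattern match for the fixed AWS access key ID format (AKIA followed by 16 upper-case alphanumerics) and a Shannon-entropy test for long, random-looking strings. The credentials in the sample are the placeholder example values from the AWS documentation, not real keys; the entropy threshold of 4.5 bits per character is an assumed tuning value. Note that the access key ID is too structured to pass the entropy test and is caught only by the pattern, which is why scanners use both.

```python
import math
import re
from collections import Counter

# AWS access key IDs have a fixed shape: "AKIA" plus 16 upper-case alphanumerics.
AWS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A 40-character secret sitting next to an "aws_secret_access_key"-style label.
AWS_SECRET_RE = re.compile(r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}([A-Za-z0-9/+=]{40})")
# Any long base64/identifier-like token is a candidate for the entropy test.
CANDIDATE_RE = re.compile(r"[A-Za-z0-9/+=_-]{20,}")

# Constructed sample file, using the placeholder credentials from the AWS docs.
SAMPLE = """\
# config.py -- constructed sample, committed by mistake
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DATABASE_URL = "postgres://app:app@localhost/app"
BUILD_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base64 is close to 6, prose or
    repeated characters far lower."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text: str, entropy_threshold: float = 4.5) -> list:
    """Return findings as dicts of line number, kind and matched value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()  # values already reported on this line, to avoid double counting
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(1)})
            seen.add(m.group(1))
        for m in AWS_SECRET_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": m.group(1)})
            seen.add(m.group(1))
        for m in CANDIDATE_RE.finditer(line):
            token = m.group(0)
            if token in seen:
                continue
            # Assumed threshold: 4.5 bits/char separates random secrets from names.
            if shannon_entropy(token) >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high_entropy_string", "value": token})
    return findings


def scan_sample() -> list:
    return scan(SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print("line %d: %s -> %s" % (f["line"], f["kind"], f["value"]))
```

The all-"a" build ID and the variable names are long enough to be candidates but have low entropy, so they are not reported; the secret key is reported once, by the labelled pattern, and skipped by the entropy pass.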

How often an encryption key should be changed really depends on what the key is used for: a key that encrypts a high-volume message stream or a large body of data should be rotated more often than one that wraps a rarely used archive, and any key should be replaced immediately if its compromise is suspected. In practice rotation is triggered by a schedule, by a usage or data-volume limit, or by an incident, whichever comes first. IMO the complexity of key management and the value of the assets being protected need to be taken into consideration before deciding on a key management strategy. Additionally, compliance with regulatory requirements needs to be considered when developing a key management strategy; regulations like SEC 17a-4 and HIPAA are likely to seriously influence key management policies.
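The following Python example is added here and is not from the original answer or from any key management product. It implements the rotation policy described above in miniature: a key ring with numbered key versions, a usage limit per version (the limit of three messages is an assumed policy value chosen to keep the demo short), old versions kept only for decryption, and a revoke step for a version believed leaked, after which data still under it is re-encrypted. Because the Python standard library has no AES, the cipher is HMAC-SHA256 run in counter mode with an encrypt-then-MAC tag over separately derived subkeys, a sound but non-standard stand-in for AES-GCM; a production system would use AES-GCM from a library or a KMS and keep the same versioning logic.

```python
import hashlib
import hmac
import os


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive a per-purpose subkey (encryption or MAC) from a master key version."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class KeyRing:
    """Versioned keys; a version is retired from encryption after max_uses messages."""

    def __init__(self, max_uses: int):
        self.max_uses = max_uses   # assumed policy: messages allowed per key version
        self.keys = {}             # version -> 32-byte master key
        self.uses = {}             # version -> messages encrypted so far
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        self.current += 1
        self.keys[self.current] = os.urandom(32)
        self.uses[self.current] = 0
        return self.current

    def revoke(self, version: int) -> None:
        """Drop a leaked or expired version; anything still under it becomes unreadable."""
        self.keys.pop(version, None)
        self.uses.pop(version, None)
        if version == self.current:
            self.rotate()

    def encrypt(self, plaintext: bytes) -> dict:
        if self.uses[self.current] >= self.max_uses:   # usage limit reached: rotate first
            self.rotate()
        version, master = self.current, self.keys[self.current]
        nonce = os.urandom(16)
        stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
        ct = bytes(p ^ s for p, s in zip(plaintext, stream))
        header = version.to_bytes(4, "big") + nonce      # version is authenticated too
        tag = hmac.new(_subkey(master, b"mac"), header + ct, hashlib.sha256).digest()
        self.uses[version] += 1
        return {"version": version, "nonce": nonce, "ct": ct, "tag": tag}

    def decrypt(self, blob: dict) -> bytes:
        master = self.keys.get(blob["version"])
        if master is None:
            raise KeyError("key version %d is revoked or unknown" % blob["version"])
        header = blob["version"].to_bytes(4, "big") + blob["nonce"]
        expected = hmac.new(_subkey(master, b"mac"), header + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("authentication failed")
        stream = _keystream(_subkey(master, b"enc"), blob["nonce"], len(blob["ct"]))
        return bytes(c ^ s for c, s in zip(blob["ct"], stream))

    def reencrypt(self, blob: dict) -> dict:
        """Migrate a record to the current key version (used before revoking an old one)."""
        return self.encrypt(self.decrypt(blob))


def can_decrypt(ring: KeyRing, blob: dict) -> bool:
    try:
        ring.decrypt(blob)
        return True
    except (KeyError, ValueError):
        return False


def run_demo(max_uses: int = 3) -> dict:
    ring = KeyRing(max_uses=max_uses)
    msgs = [b"record-%d" % i for i in range(5)]          # constructed sample records
    blobs = [ring.encrypt(m) for m in msgs]
    versions_before = [b["version"] for b in blobs]      # [1, 1, 1, 2, 2] with max_uses=3
    # Suppose version 1 turned up in a public repository: re-encrypt everything
    # still under it, then revoke it so the leaked key decrypts nothing.
    migrated = [ring.reencrypt(b) if b["version"] == 1 else b for b in blobs]
    ring.revoke(1)
    # A ciphertext with one flipped byte must fail the tag check, not decrypt to garbage.
    tampered = dict(migrated[0], ct=bytes([migrated[0]["ct"][0] ^ 1]) + migrated[0]["ct"][1:])
    return {
        "ring": ring, "msgs": msgs, "blobs": blobs, "migrated": migrated,
        "versions_before": versions_before,
        "versions_after": [b["version"] for b in migrated],
        "recovered": [ring.decrypt(b) for b in migrated],
        "old_blob_readable": can_decrypt(ring, blobs[0]),
        "tampered_readable": can_decrypt(ring, tampered),
    }


if __name__ == "__main__":
    r = run_demo()
    print(r["versions_before"], r["versions_after"], r["old_blob_readable"], r["tampered_readable"])
```

With the limit of three, the first five records land on versions [1, 1, 1, 2, 2]; migrating the three version-1 records pushes the ring past the limit again, giving [2, 3, 3, 2, 2], and after the revoke the original version-1 ciphertexts and the tampered record both fail to decrypt while every migrated record still does. The same structure applies to a real KMS: the version identifier travels with the ciphertext, and a usage or time limit, not the absence of a known break, is what decides when the next version is cut.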

References

Pauli, D. (2015, January 6). Dev put AWS keys on Github. Then BAD THINGS happened. The Register. Retrieved March 08, 2017, from https://www.theregister.co.uk/2015/01/06/dev_blunder_shows_github_crawling_with_keyslurping_bots/

Burton, H. (2017, January 10). TruffleHog: Hacker publishes secret key spotter to Github. Retrieved March 8, 2017, from http://www.theinquirer.net/inquirer/news/3002198/trufflehog-hacker-publishes-secret-key-spotted-to-github

Mimoso, M. (2014, June 19). Hacker Puts Hosting Service Code Spaces Out of Business. Retrieved March 08, 2017, from https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/

Pal, K. (2015, July 15). 10 Best Practices for Encryption Key Management and Data Security. Retrieved March 08, 2017, from https://www.techopedia.com/2/30767/security/10-best-practices-for-encryption-key-management-and-data-security

Pfleeger, C. P., Pfleeger, S. L., & Margulies, J. (2015). Security in computing (5th ed.). Upper Saddle River: Prentice Hall.

Townsend, P. (n.d.). HIPAA/HITECH Act – Encryption and Key Management Requirements. Retrieved March 08, 2017, from https://info.townsendsecurity.com/bid/38671/HIPAA-HITECH-Act-Encryption-and-Key-Management-Requirements