Symmetric encryption algorithms use a single key to both encrypt and decrypt data. To reduce the chance of a cryptanalytic attack, the amount of data encrypted with a particular key should be limited. However, since the key must be kept available during the life of the encrypted data so that the encrypted data can be decrypted at a later time, the key cannot be changed too often or the number of keys that must be safely kept becomes large.
Most published key change policies are vague as to when a key should be changed. Some define a fixed time schedule for key change (e.g., daily or monthly). Others rely on the system administrator to change the key at intervals left to his discretion. All such techniques leave the encrypted data open to attack by the system administrator.
All practical encryption algorithms are considered to be breakable, depending on the time and encrypted data available to the attacker, whether the attacker can use the crypto-system, and whether the attacker can select the plain-text. An attacker can use a number of different attacks to decrypt the data. For example, a brute-force attack tests all possible keys in order to recover the plain-text used to produce a particular encrypted text. This kind of attack is especially successful if the number of possible keys is small.
In a cipher text attack, the attacker is assumed to have access to the encrypted data. The attacker can then analyze this data to determine the key. The more data available to the attacker, the easier it is to determine the key.
In a plain-text attack, the attacker has access to at least portions of the plain-text and its encrypted version. Knowledge about the structure and format of the plain-text and knowledge about the patterns that appear in the encrypted version are sufficient to eventually determine the key. In a chosen plain-text attack, the attacker deliberately defines the structure, format and content of the plain-text to analyze any patterns that appear in the encrypted version.
Encrypted data is especially vulnerable to attack from a system administrator or security person. This person is typically responsible for changing the key at certain times but also has access to the plain-text, the encrypted text, the type of encryption algorithm, and the encryption system. Even without knowing the actual key value, the system administrator can determine the key with just this information, given enough time.
There is thus a trade-off between changing the key often enough to preempt an attack but not so often that a large number of keys are generated and have to be managed. For these reasons and for other reasons that will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need in the art for a way to automatically change encryption keys.
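The trade-off described above can be made concrete with a key ring that changes the key by data volume, not by calendar or administrator discretion. This is an added illustration, not the method of the present specification; the `KeyRing` class, the byte limit, and the sample message sizes are all assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyRing:
    """Hypothetical key ring: rotates once the active key has protected
    `limit` bytes, and retains every retired key for later decryption."""
    limit: int
    keys: dict = field(default_factory=dict)  # key_id -> 32-byte key
    used: dict = field(default_factory=dict)  # key_id -> bytes encrypted under it
    active: int = 0

    def __post_init__(self):
        if self.limit <= 0:
            raise ValueError("limit must be positive")
        self._new_key()

    def _new_key(self):
        # Generated by the system itself, so no operator chooses when or what.
        self.active = len(self.keys) + 1
        self.keys[self.active] = secrets.token_bytes(32)
        self.used[self.active] = 0

    def key_for_encrypt(self, nbytes):
        """Return (key_id, key) for a message of nbytes, rotating first if
        the active key's data budget would otherwise be exceeded."""
        if nbytes > self.limit:
            raise ValueError("message exceeds the per-key data limit")
        if self.used[self.active] + nbytes > self.limit:
            self._new_key()
        self.used[self.active] += nbytes
        return self.active, self.keys[self.active]

    def key_for_decrypt(self, key_id):
        # The key id must be stored alongside each ciphertext.
        return self.keys[key_id]


def simulate(limit, sizes):
    """Feed constructed message sizes through a ring; return (ring, key ids)."""
    ring = KeyRing(limit)
    return ring, [ring.key_for_encrypt(n)[0] for n in sizes]


if __name__ == "__main__":
    sizes = [400] * 5  # constructed sample workload, in bytes
    for limit in (1000, 10000):
        ring, ids = simulate(limit, sizes)
        print(f"limit={limit}: key ids {ids}, keys to retain: {len(ring.keys)}")
```

A smaller limit bounds how much cipher-text an attacker can collect under any one key, at the cost of more keys that must be retained for the life of the data.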