Data encryption systems are arrangements of hardware and software that perform encryption and decryption operations using cryptographic keys. During an encryption operation, data referred to as “plaintext” is transformed by a cryptographic algorithm (also known as a “cipher”), embodied in program logic and/or hardware logic, into “ciphertext” that can be read only after it is decrypted through a corresponding decryption operation. Encryption and decryption operations take cryptographic keys as parameters that determine their output; such keys are unpredictable values, normally produced by a cryptographically secure random bit generator rather than by an ordinary pseudo-random number generator. In an encryption operation, the key specifies how plaintext is transformed into ciphertext. The reverse is true during a decryption operation: the key specifies how previously encrypted ciphertext is transformed back into plaintext. Cryptographic keys are also used to parameterize other cryptographic operations, such as the generation of digital signatures and message authentication codes.
In symmetric-key cryptography, the same cryptographic key is used for both encryption and decryption. Accordingly, in a symmetric-key system the encrypting entity and the decrypting entity must both possess the same key, must keep it secret from every other party, and must have some secure means of establishing it between them.
In asymmetric cryptography, also known as “public-key” cryptography, each entity is assigned a unique key pair that includes a public key and a private key. The two keys are mathematically related such that a transformation performed with one key of the pair can be reversed only with the other key of the same pair: plaintext encrypted under a given public key can be decrypted only with the corresponding private key, and a value produced with a given private key can be checked only with the corresponding public key. The public key of a key pair may be disseminated widely, but the private key must be kept secret by the entity to which the key pair is assigned. Holders of the public key can use it to encrypt plaintext, and the resulting ciphertext can be decrypted only by the entity to which the key pair was assigned, using the private key of the key pair. The entity to which a key pair is assigned can also use the private key to generate digital signatures for messages. Holders of the public key can verify such a signature to confirm both that the contents of the message have not been modified since the signature was generated and that the signature was produced by the holder of the private key.
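As an added illustration of the two asymmetric uses just described (this is example code written for this page, not code from the original text or from any particular product), the following Go program encrypts a message under a recipient's RSA public key with RSA-OAEP, shows that only the matching private key recovers it, and separately signs the message with an Ed25519 private key so that any holder of the public key can detect modification. Two distinct key pairs are used on purpose: keeping encryption keys and signing keys separate is standard practice even though the text describes both uses against a single pair. The message text, the 2048-bit RSA size and the function names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// sampleMessage is a constructed plaintext for the demonstration (not from the page).
const sampleMessage = "transfer 100 to account 42"

// Result collects what the demonstration establishes so it can be checked.
type Result struct {
	Decrypted        string // plaintext recovered with the correct private key
	WrongKeyFails    bool   // decryption under an unrelated private key fails
	SignatureValid   bool   // signature verifies over the untouched message
	TamperedRejected bool   // signature is rejected over a modified message
}

// GenerateRSAPair returns an RSA key pair for encryption. 2048 bits is the
// common minimum today; a policy may require a longer modulus (assumption).
func GenerateRSAPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForRecipient encrypts plaintext under the recipient's public key with
// RSA-OAEP (SHA-256). Only the matching private key can recover it.
func EncryptForRecipient(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// DecryptAsRecipient reverses EncryptForRecipient using the private key.
func DecryptAsRecipient(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

// Sign produces an Ed25519 signature over msg with the signer's private key.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// Verify checks sig over msg with the signer's public key; false means the
// message or the signature was altered, or a different key signed it.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Demo runs the full exchange: encrypt for a recipient, decrypt with the right
// and the wrong private key, then sign and verify an intact and a tampered message.
func Demo() (Result, error) {
	var r Result
	recipient, err := GenerateRSAPair()
	if err != nil {
		return r, err
	}
	other, err := GenerateRSAPair() // an unrelated key pair, standing in for an eavesdropper
	if err != nil {
		return r, err
	}
	ct, err := EncryptForRecipient(&recipient.PublicKey, []byte(sampleMessage))
	if err != nil {
		return r, err
	}
	pt, err := DecryptAsRecipient(recipient, ct)
	if err != nil {
		return r, err
	}
	r.Decrypted = string(pt)
	_, err = DecryptAsRecipient(other, ct)
	r.WrongKeyFails = err != nil

	sigPub, sigPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	sig := Sign(sigPriv, []byte(sampleMessage))
	r.SignatureValid = Verify(sigPub, []byte(sampleMessage), sig)
	tampered := []byte("transfer 900 to account 42") // one digit changed in transit
	r.TamperedRejected = !Verify(sigPub, tampered, sig)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

RSA-OAEP on its own is limited to short plaintexts (well under the modulus size); real systems encrypt bulk data with a symmetric key and use the public key only to protect that symmetric key.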
The lifecycle of a cryptographic key begins when the key is generated, which is typically accomplished using a cryptographically secure random bit generator. The newly generated key, along with a number of associated attributes, is then stored in at least one key storage database referred to as a “key store”. The keys and the rest of the contents of the key store may themselves be encrypted using what is referred to as a “master” key; the master key must then be protected at least as carefully as the keys it wraps, and is normally held outside the key store it protects. Attributes stored with an individual key may include the key name, activation date, and key length. Different key lengths provide different key strengths, with longer keys generally providing better protection against attacks, and different cryptographic algorithms use different key lengths. A key may be activated at the time it is generated, or it may be activated automatically or manually at a later time.
Once a key is activated, certain events may cause it to be changed. In a process referred to as “key rollover”, a previously established schedule determines when an individual key is to be replaced, according to a specific expiration date or crypto-period associated with the key. In another example, a key may be replaced because it is suspected of having been compromised. In another example, an encryption policy may be changed in a way that causes a key governed by the policy to be replaced, e.g. where a new or updated security policy requires that a longer and therefore higher-strength key be used for subsequent encryption operations covered by the policy.
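To make the lifecycle described in the two paragraphs above concrete, the following Go program is an added example (written for this page, not taken from the original text or from any product) of a small in-memory key store. It generates keys from the operating system's CSPRNG, wraps each one under a master key with AES-GCM before storing it alongside the attributes the text lists (name, activation date, length) plus a crypto-period, and then applies the three replacement triggers from the text: an elapsed crypto-period, a suspected compromise, and a policy that now demands a longer key. The record structure, function names, the choice of AES-GCM as the wrapping algorithm and the 90-day crypto-period are assumptions of the example; a production system would keep the master key in an HSM or a key-management service rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// KeyRecord is one key-store entry: the attributes named in the text plus the
// key material wrapped under the master key, so no raw key sits in the store.
type KeyRecord struct {
	Name         string
	Bits         int
	ActivatedAt  time.Time
	CryptoPeriod time.Duration
	Compromised  bool   // set by an operator or a detection system
	WrappedKey   []byte // nonce || AES-GCM ciphertext of the raw key
}

// Policy captures the minimum key length the current encryption policy requires.
type Policy struct{ MinBits int }

// KeyStore wraps every stored key under a master key (assumption: held in an
// HSM/KMS in a real deployment, never beside the records it protects).
type KeyStore struct {
	master cipher.AEAD
	keys   map[string]*KeyRecord
}

// NewKeyStore builds a store whose master key is a 16-, 24- or 32-byte AES key.
func NewKeyStore(masterKey []byte) (*KeyStore, error) {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyStore{master: aead, keys: map[string]*KeyRecord{}}, nil
}

// Generate draws a fresh key of the given length from the CSPRNG, wraps it under
// the master key and records it as active from now. The record name is bound to
// the wrap as additional data so a wrapped blob cannot be moved between records.
func (s *KeyStore) Generate(name string, bits int, period time.Duration, now time.Time) (*KeyRecord, error) {
	if bits < 128 || bits%8 != 0 {
		return nil, errors.New("unsupported key length")
	}
	raw := make([]byte, bits/8)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	nonce := make([]byte, s.master.NonceSize()) // random 96-bit nonce; fine for the wrap counts a key store sees
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped := s.master.Seal(nonce, nonce, raw, []byte(name))
	rec := &KeyRecord{Name: name, Bits: bits, ActivatedAt: now, CryptoPeriod: period, WrappedKey: wrapped}
	s.keys[name] = rec
	return rec, nil
}

// Unwrap recovers the raw key for use in an encryption or decryption operation.
// It fails if the blob was tampered with or attached to a different record name.
func (s *KeyStore) Unwrap(rec *KeyRecord) ([]byte, error) {
	n := s.master.NonceSize()
	if len(rec.WrappedKey) < n {
		return nil, errors.New("truncated wrapped key")
	}
	return s.master.Open(nil, rec.WrappedKey[:n], rec.WrappedKey[n:], []byte(rec.Name))
}

// NeedsReplacement applies the three triggers from the text, most urgent first,
// and names the reason so it can be logged.
func NeedsReplacement(rec *KeyRecord, pol Policy, now time.Time) (bool, string) {
	switch {
	case rec.Compromised:
		return true, "suspected compromise"
	case !now.Before(rec.ActivatedAt.Add(rec.CryptoPeriod)):
		return true, "crypto-period expired"
	case rec.Bits < pol.MinBits:
		return true, "policy requires longer key"
	}
	return false, ""
}

// Rollover replaces rec under the same name with a key that satisfies the policy
// and returns the retired record, which a deployment would retain (decrypt-only)
// until all ciphertext under it has been re-encrypted (retention rules assumed).
func (s *KeyStore) Rollover(rec *KeyRecord, pol Policy, now time.Time) (newRec, retired *KeyRecord, err error) {
	bits := rec.Bits
	if bits < pol.MinBits {
		bits = pol.MinBits
	}
	newRec, err = s.Generate(rec.Name, bits, rec.CryptoPeriod, now)
	if err != nil {
		return nil, nil, err
	}
	return newRec, rec, nil
}

func main() {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	s, err := NewKeyStore(master)
	if err != nil {
		panic(err)
	}
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed activation date
	rec, _ := s.Generate("db-key", 128, 90*24*time.Hour, t0)
	need, why := NeedsReplacement(rec, Policy{MinBits: 256}, t0)
	fmt.Println("replace:", need, why)
	newRec, old, _ := s.Rollover(rec, Policy{MinBits: 256}, t0.Add(time.Hour))
	fmt.Println("rolled", old.Name, "from", old.Bits, "to", newRec.Bits, "bits")
}
```

The crypto-period check treats the key as expired at the exact end of the period, and the compromise flag wins over every other trigger, which is the order a rollover job should evaluate them in.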