Keys can be used in computerized systems for various purposes. An example is encryption of data communicated between computer devices and/or encryption of data stored in the system based on one or more keys. An encryption key can be seen as a piece of information that determines the functional output of a cryptographic algorithm or function, the key specifying the particular transformation between plain text and encrypted text. Without knowledge of the key the algorithm cannot produce any useful result. In addition to cryptography, other uses of keys are possible. These include the use of keys for authentication and authorisation functions, digital signatures and so on. In general, keys are provided to enhance security, and hence are often called security keys. The user of a key may be a human user of a terminal but may also be a computer system, for example an automated software application running on a computer device.
A particular example of keys is the key pair of an asymmetric encryption system. Asymmetric keys comprise pairs of public and private keys. In these systems private and public key pairs are typically assigned to a user at an appropriate secure location. Private/public key systems are sometimes referred to as the Public Key Infrastructure (PKI). In operation, a user is assigned a public key/private key pair. The public key can be distributed openly in the system whereas the private key is kept secret. Data encrypted with the public key of the pair can only be decrypted with the private key, and vice versa.
The integrity of such a system depends on keeping the private keys secret. A typical arrangement is to protect the private key with a secret character string, e.g. a password or a passphrase known only to the user. The password or passphrase is communicated to the user via a secure and separate channel, and the user needs to input the string correctly to activate the key. Where the user is a human being, the passphrase is typically selected and entered by the user. Original keys may also be generated by the user. In some applications the passphrase is delivered to the user. The user may need to request the key and/or the secret string, such as the passphrase, separately. User involvement can thus be needed to obtain a private key and/or a secret to activate a key. This can cause problems especially in systems where automated replacement of keys is desired.
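The arrangement described above, as an added example that is not part of the patent text: the private key of a PKI key pair is stored encrypted under a passphrase, and an unattended process can only "activate" (load and use) it if that passphrase was provisioned to it; the passphrase value and the `automated_use` helper are constructed for illustration, and the third-party `cryptography` package is assumed to be installed.

```python
"""Passphrase-protected private key of an asymmetric key pair, and the effect
of the passphrase requirement on an automated (unattended) user of the key.
Added example; relies on the third-party 'cryptography' package."""
from typing import Optional

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# RSA-OAEP with SHA-256: the transformation the key pair parameterises.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_protected_key_pair(passphrase: bytes):
    """Generate a key pair. The private key is serialised as PKCS#8 PEM
    encrypted under the passphrase (the 'secret character string'); the
    public key is serialised unprotected, since it may be distributed openly."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase))
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_pem, public_pem


def activate_key(private_pem: bytes, passphrase: Optional[bytes]):
    """Load ('activate') the stored private key. With no passphrase the library
    raises TypeError; with a wrong passphrase it raises ValueError."""
    return serialization.load_pem_private_key(private_pem, password=passphrase)


def encrypt_for(public_pem: bytes, plaintext: bytes) -> bytes:
    return serialization.load_pem_public_key(public_pem).encrypt(plaintext, OAEP)


def decrypt_with(private_key, ciphertext: bytes) -> bytes:
    return private_key.decrypt(ciphertext, OAEP)


def automated_use(private_pem: bytes, public_pem: bytes,
                  provisioned_passphrase: Optional[bytes]) -> str:
    """Constructed model of an unattended process (e.g. key replacement) that
    must use the private key without a human present to type the passphrase."""
    try:
        key = activate_key(private_pem, provisioned_passphrase)
    except (TypeError, ValueError):
        return "blocked: key needs passphrase"
    # Sanity check that the activated key really is the pair's private half.
    ok = decrypt_with(key, encrypt_for(public_pem, b"probe")) == b"probe"
    return "ok" if ok else "blocked: key mismatch"
```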
It is noted that the above-discussed issues are not limited to any particular system or data processing apparatus but may occur in any system where replacement of keys may be needed.
Embodiments of the invention aim to address one or several of the above issues.