Using a Key Past its Expiration Date

From Guidance Share



Description

The use of a cryptographic key or password past its expiration date diminishes its safety significantly.


Applies To

Languages: All
Platforms: All


Example

Impact

  • Authentication: The longer a cryptographic key stays in service, the more likely it is to be compromised. Once it is compromised, a malicious user may use it to authenticate as the victim.


Vulnerabilities

  • Failure to expire keys


Countermeasures

  • Design: Give adequate consideration to the user interface so that users are notified before the key's expiration, understand why generating a new key matters, and are walked through the process as painlessly as possible.
  • Implementation: Many platform-provided cryptographic systems, such as DPAPI on Windows, expire keys automatically. If you are using a system that does not automatically expire keys, ensure that a policy to expire keys is in place and adhered to.
  • Run time: Users must heed warnings and generate new keys and passwords when they expire.
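For a system without built-in expiration, the policy above can be enforced in code: every key carries a fixed lifetime, use is refused once that lifetime has passed, and a warning status is returned ahead of time so the interface can prompt the user to rotate. This is an added example, not code from the Guidance Share page; the key name, the 90-day lifetime and the 7-day warning window are constructed assumptions.

```python
# Added example (not the page's own code): a minimal key expiration policy
# enforced in application code for platforms that do not expire keys
# themselves. Lifetimes, names and the warning window are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

DAY = timedelta(days=1)
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the demo


@dataclass(frozen=True)
class ManagedKey:
    name: str
    version: int
    material: bytes
    created: datetime
    lifetime: timedelta

    @property
    def expires(self) -> datetime:
        return self.created + self.lifetime


def generate_key(name: str, version: int, lifetime: timedelta, now: datetime) -> ManagedKey:
    """Create fresh random key material with a fixed expiration date."""
    return ManagedKey(name, version, secrets.token_bytes(32), now, lifetime)


def key_status(key: ManagedKey, now: datetime, warn_before: timedelta = 7 * DAY) -> str:
    """'expired' once past the date, 'expiring_soon' inside the warning window, else 'valid'."""
    if now >= key.expires:
        return "expired"
    if now >= key.expires - warn_before:
        return "expiring_soon"
    return "valid"


def use_key(key: ManagedKey, now: datetime) -> tuple[bytes, str]:
    """Hand out key material only while the key is unexpired; the returned status
    lets the caller warn the user ahead of time instead of failing abruptly."""
    status = key_status(key, now)
    if status == "expired":
        raise PermissionError(f"{key.name} v{key.version} expired {key.expires.date()}; rotate first")
    return key.material, status


def rotate_key(old: ManagedKey, now: datetime) -> ManagedKey:
    """Replace an expiring key with a new version under the same lifetime policy."""
    return generate_key(old.name, old.version + 1, old.lifetime, now)
```

Callers should treat `expiring_soon` as the trigger for the notification and rotation flow described under Design, so that expiry never surprises the user.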


Vulnerability Patterns


How Tos
