====== Key management ======
Compact examples for key management. → **Details:** [[de:int:pqcrypt:szenarien:schluessel:start|Key scenarios]]
----
===== Generate keys =====
<code csharp>
// ML-DSA (signatures)
using var mlDsa65 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
using var mlDsa87 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa87);
// ML-KEM (key exchange)
using var mlKem768 = MlKem.Create(MlKemParameterSet.MlKem768);
using var mlKem1024 = MlKem.Create(MlKemParameterSet.MlKem1024);
// Classical (for hybrid schemes)
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
using var rsa = RSA.Create(4096);
</code>
→ **Details:** [[de:int:pqcrypt:szenarien:schluessel:generierung|Generation]]
----
===== Store keys =====
<code csharp>
// DPAPI (Windows only); mlDsa65 is the signer created in the section above
byte[] privateKey = mlDsa65.ExportPrivateKey();
byte[] encrypted = ProtectedData.Protect(privateKey,
    optionalEntropy: null, DataProtectionScope.CurrentUser);
// Password-protected PKCS#8 PEM (AES-256-CBC, SHA-256, 100,000 KDF iterations)
string pem = mlDsa65.ExportEncryptedPkcs8PrivateKeyPem(
    "passwort"u8, new PbeParameters(
        PbeEncryptionAlgorithm.Aes256Cbc,
        HashAlgorithmName.SHA256, 100000));
</code>
→ **Details:** [[de:int:pqcrypt:szenarien:schluessel:speicherung|Storage]]
----
===== Rotate keys =====
<code csharp>
var rotationService = new KeyRotationService(options =>
{
    options.RotationInterval = TimeSpan.FromDays(90);
    options.MaxKeyAge = TimeSpan.FromDays(365);
});
// Check whether rotation is due; currentKey is the key currently in use
if (rotationService.ShouldRotate(currentKey))
{
    var newKey = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
    rotationService.Rotate(currentKey, newKey);
}
</code>
→ **Details:** [[de:int:pqcrypt:szenarien:schluessel:rotation|Rotation]]
----
===== Key backup =====
<code csharp>
// Shamir Secret Sharing (3-of-5): any 3 of the 5 shares recover the key
var shares = ShamirSecretSharing.Split(
    privateKey, totalShares: 5, threshold: 3);
// Hand the shares to the custodians (SaveToTrustee is application-specific)
foreach (var (index, share) in shares)
    SaveToTrustee(index, share);
// Recover from any three shares
var recoveredShares = new[] { shares[0], shares[2], shares[4] };
byte[] recovered = ShamirSecretSharing.Combine(recoveredShares);
</code>
→ **Details:** [[de:int:pqcrypt:szenarien:schluessel:backup|Backup]]
----
===== Destroy keys =====
<code csharp>
// Secure erasure: overwrite the private key bytes in memory
CryptographicOperations.ZeroMemory(privateKey);
// Revoke the certificate bound to the key (cert is its X509Certificate2)
var crlBuilder = new CertificateRevocationListBuilder();
crlBuilder.AddEntry(cert,
    DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);
</code>
→ **Details:** [[de:int:pqcrypt:szenarien:schluessel:vernichtung|Destruction]]
----
===== Recommendations =====
^ Key type ^ Algorithm ^ Validity ^
| Root CA | ML-DSA-87 | 20+ years |
| Intermediate CA | ML-DSA-65 | 5-10 years |
| End entity | ML-DSA-65 / hybrid | 1-2 years |
| Ephemeral | ML-KEM-768 | Session |
----
<< [[.:start|← Quick reference]] | [[de:int:pqcrypt:szenarien:schluessel:start|→ Key scenarios (details)]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>kurzreferenz schluessel generierung rotation backup}}