====== Key management ======
Compact examples for key management. → **Details:** [[..:schluessel:start|Key scenarios]]
----
===== Key generation =====
<code csharp>
using System.Security.Cryptography;

// ML-DSA (signatures)
using var mlDsa65 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
using var mlDsa87 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa87);
// ML-KEM (key encapsulation)
using var mlKem768 = MlKem.Create(MlKemParameterSet.MlKem768);
using var mlKem1024 = MlKem.Create(MlKemParameterSet.MlKem1024);
// Classical (for hybrid use alongside the PQC algorithms)
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
using var rsa = RSA.Create(4096);
</code>
→ **Details:** [[..:schluessel:generierung|Generation]]
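The generation snippet lists the classical keys as "hybrid" partners without showing what a hybrid signature is. The following is an added example, not code from this page or its library: it signs a message with both ECDSA P-384 and ML-DSA-65 and accepts it only if **both** components verify, so a break of either algorithm alone does not forge a signature. It assumes .NET 10 with the built-in ''System.Security.Cryptography.MLDsa'' class (the page's ''MlDsaSigner'' wrapper is not used); the composite encoding (length-prefixed concatenation) is this example's own choice, not a standard.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;
using System.Text;

// Added example (not the page's code). Assumes .NET 10 MLDsa: GenerateKey(MLDsaAlgorithm),
// SignData(byte[]) and VerifyData(byte[], byte[]). A hybrid signature is valid only if
// BOTH the ECDSA P-384 and the ML-DSA-65 component verify.
static class HybridSigner
{
    // Composite encoding (example's own): [4-byte BE length][ECDSA sig][ML-DSA sig]
    public static byte[] Sign(ECDsa ecdsa, MLDsa mlDsa, byte[] message)
    {
        byte[] classical = ecdsa.SignData(message, HashAlgorithmName.SHA384);
        byte[] pq = mlDsa.SignData(message);
        byte[] composite = new byte[4 + classical.Length + pq.Length];
        BinaryPrimitives.WriteUInt32BigEndian(composite, (uint)classical.Length);
        classical.CopyTo(composite, 4);
        pq.CopyTo(composite, 4 + classical.Length);
        return composite;
    }

    public static bool Verify(ECDsa ecdsa, MLDsa mlDsa, byte[] message, byte[] composite)
    {
        if (composite.Length < 4) return false;
        uint len = BinaryPrimitives.ReadUInt32BigEndian(composite);
        if (len > (uint)(composite.Length - 4)) return false;   // truncated or malformed
        int classicalLen = (int)len;
        byte[] classical = composite.AsSpan(4, classicalLen).ToArray();
        byte[] pq = composite.AsSpan(4 + classicalLen).ToArray();
        // Evaluate both components unconditionally, then AND them: a hybrid must not
        // degrade to "either one is enough", and no short-circuit on the first failure.
        bool okClassical = ecdsa.VerifyData(message, classical, HashAlgorithmName.SHA384);
        bool okPq = mlDsa.VerifyData(message, pq);
        return okClassical & okPq;
    }

    static void Main()
    {
        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
        using var mlDsa = MLDsa.GenerateKey(MLDsaAlgorithm.MLDsa65);
        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");   // constructed input

        byte[] sig = Sign(ecdsa, mlDsa, message);
        Console.WriteLine($"intact:   {Verify(ecdsa, mlDsa, message, sig)}");

        sig[^1] ^= 0x01;   // flip one bit in the ML-DSA component only
        Console.WriteLine($"tampered: {Verify(ecdsa, mlDsa, message, sig)}");
    }
}
```

The verifier and signer must agree on the encoding; in production prefer a standardised composite format rather than this ad-hoc one, and pin the expected algorithm pair so an attacker cannot substitute a weaker component.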
----
===== Key storage =====
<code csharp>
using System.Security.Cryptography;

// DPAPI (Windows only): bound to the current user profile; Unprotect fails under
// another account or on another machine, so this is not a backup format
byte[] privateKey = mlDsa65.ExportPrivateKey();
byte[] encrypted = ProtectedData.Protect(privateKey,
    optionalEntropy: null, DataProtectionScope.CurrentUser);
// zero privateKey once the protected copy has been stored

// Password-protected PKCS#8 PEM (portable); the literal password is for
// illustration only, take it from a secret store in real code
string pem = mlDsa65.ExportEncryptedPkcs8PrivateKeyPem(
    "password"u8, new PbeParameters(
        PbeEncryptionAlgorithm.Aes256Cbc,
        HashAlgorithmName.SHA256, 100000));
</code>
→ **Details:** [[..:schluessel:speicherung|Storage]]
----
===== Key rotation =====
<code csharp>
// KeyRotationService: application-level helper, not a .NET BCL type
var rotationService = new KeyRotationService(options =>
{
    options.RotationInterval = TimeSpan.FromDays(90);   // generate a successor every 90 days
    options.MaxKeyAge = TimeSpan.FromDays(365);         // hard limit: older keys must not be used
});
// Check whether rotation is due
if (rotationService.ShouldRotate(currentKey))
{
    var newKey = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
    rotationService.Rotate(currentKey, newKey);
}
</code>
→ **Details:** [[..:schluessel:rotation|Rotation]]
----
===== Key backup =====
<code csharp>
// Shamir Secret Sharing (3-of-5): any 3 of the 5 shares recover the key,
// any 2 reveal nothing. ShamirSecretSharing is not a .NET BCL type.
var shares = ShamirSecretSharing.Split(
    privateKey, totalShares: 5, threshold: 3);
// Distribute to trustees
foreach (var (index, share) in shares)
    SaveToTrustee(index, share);
// Recovery (shares 1, 3 and 5)
var recoveredShares = new[] { shares[0], shares[2], shares[4] };
byte[] recovered = ShamirSecretSharing.Combine(recoveredShares);
</code>
→ **Details:** [[..:schluessel:backup|Backup]]
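The backup snippet calls ''ShamirSecretSharing.Split'' and ''Combine'' without showing what they do. The following is an added, self-contained implementation (not the page's library and not part of .NET): secret sharing over GF(2^8) with one random polynomial per secret byte, and Lagrange interpolation at x = 0 for recovery. It also shows the failure mode a practitioner must plan for: plain Shamir shares carry no integrity, so combining fewer than ''threshold'' shares, or a corrupted share, yields a wrong key silently rather than an error. The demo uses a constructed random 32-byte secret in place of an exported private key.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;

// Added example, not the page's own library: Shamir secret sharing over GF(2^8)
// (AES reduction polynomial x^8+x^4+x^3+x+1), one random polynomial per secret byte.
static class Gf256
{
    public static byte Add(byte a, byte b) => (byte)(a ^ b);   // char 2: add == subtract == XOR

    public static byte Mul(byte a, byte b)
    {
        int p = 0, x = a;
        for (int y = b; y != 0; y >>= 1)
        {
            if ((y & 1) != 0) p ^= x;
            bool carry = (x & 0x80) != 0;
            x = (x << 1) & 0xFF;
            if (carry) x ^= 0x1B;
        }
        return (byte)p;
    }

    // a^-1 = a^254, because a^255 = 1 for every non-zero a
    public static byte Inv(byte a)
    {
        if (a == 0) throw new DivideByZeroException();
        byte result = 1, power = a;
        for (int e = 254; e != 0; e >>= 1)
        {
            if ((e & 1) != 0) result = Mul(result, power);
            power = Mul(power, power);
        }
        return result;
    }
}

static class ShamirSecretSharing
{
    // Share i holds f(x_i) with x_i = i + 1; x = 0 is never used, f(0) is the secret itself.
    public static (byte Index, byte[] Share)[] Split(byte[] secret, int totalShares, int threshold)
    {
        if (threshold < 2 || threshold > totalShares || totalShares > 255)
            throw new ArgumentException("need 2 <= threshold <= totalShares <= 255");
        var shares = new (byte Index, byte[] Share)[totalShares];
        for (int i = 0; i < totalShares; i++)
            shares[i] = ((byte)(i + 1), new byte[secret.Length]);
        var coeffs = new byte[threshold - 1];          // a_1 .. a_{t-1}; a_0 is the secret byte
        for (int b = 0; b < secret.Length; b++)
        {
            RandomNumberGenerator.Fill(coeffs);
            for (int i = 0; i < totalShares; i++)
            {
                byte x = shares[i].Index, y = 0;
                for (int k = coeffs.Length - 1; k >= 0; k--)   // Horner evaluation of f(x)
                    y = Gf256.Add(Gf256.Mul(y, x), coeffs[k]);
                shares[i].Share[b] = Gf256.Add(Gf256.Mul(y, x), secret[b]);
            }
            CryptographicOperations.ZeroMemory(coeffs);
        }
        return shares;
    }

    // Lagrange interpolation at x = 0. Shares carry no integrity: fewer than threshold
    // shares, or a corrupted share, produce a wrong secret without any error.
    public static byte[] Combine(IReadOnlyList<(byte Index, byte[] Share)> shares)
    {
        int len = shares[0].Share.Length;
        if (shares.Any(s => s.Share.Length != len || s.Index == 0)
            || shares.Select(s => s.Index).Distinct().Count() != shares.Count)
            throw new ArgumentException("shares must be distinct, non-zero indexed, equal length");
        var secret = new byte[len];
        for (int b = 0; b < len; b++)
        {
            byte acc = 0;
            for (int i = 0; i < shares.Count; i++)
            {
                byte li = 1;                          // L_i(0) = prod_{j != i} x_j / (x_j - x_i)
                for (int j = 0; j < shares.Count; j++)
                    if (j != i)
                        li = Gf256.Mul(li, Gf256.Mul(shares[j].Index,
                             Gf256.Inv(Gf256.Add(shares[j].Index, shares[i].Index))));
                acc = Gf256.Add(acc, Gf256.Mul(li, shares[i].Share[b]));
            }
            secret[b] = acc;
        }
        return secret;
    }
}

static class Demo
{
    static void Main()
    {
        byte[] secret = RandomNumberGenerator.GetBytes(32);   // constructed stand-in for an exported key
        var shares = ShamirSecretSharing.Split(secret, totalShares: 5, threshold: 3);
        byte[] enough = ShamirSecretSharing.Combine(new[] { shares[0], shares[2], shares[4] });
        byte[] tooFew = ShamirSecretSharing.Combine(new[] { shares[1], shares[3] });
        Console.WriteLine($"3 shares: {CryptographicOperations.FixedTimeEquals(secret, enough)}");
        Console.WriteLine($"2 shares: {CryptographicOperations.FixedTimeEquals(secret, tooFew)}");
        CryptographicOperations.ZeroMemory(secret);
    }
}
```

Because recovery cannot tell a wrong result from a right one, store a hash of the secret (or an authenticated encryption of it) with the shares and check it after ''Combine''; and keep the share index with each share, since a share without its x-coordinate is useless.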
----
===== Key destruction =====
<code csharp>
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Secure erase: zeroes this buffer only. Dispose the key object itself as well,
// and account for every other copy (exports, backups, shares, page file) separately.
CryptographicOperations.ZeroMemory(privateKeyBytes);
// Certificate revocation: AddEntry takes the certificate (or its serial number bytes),
// not the hex SerialNumber string
var crlBuilder = new CertificateRevocationListBuilder();
crlBuilder.AddEntry(cert,
    DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);
</code>
→ **Details:** [[..:schluessel:vernichtung|Destruction]]
----
===== Recommendations =====
^ Key type ^ Algorithm ^ Validity ^
| Root CA | ML-DSA-87 | 20+ years |
| Intermediate CA | ML-DSA-65 | 5-10 years |
| End entity | ML-DSA-65 / hybrid | 1-2 years |
| Ephemeral | ML-KEM-768 | Session |
----
<< [[.:start|← Quick reference]] | [[..:schluessel:start|→ Key scenarios (details)]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>kurzreferenz schluessel generierung rotation backup}}