====== Key management ======
Compact examples for key management. → **Details:** [[..:schluessel:start|Key scenarios]]
----
===== Generate keys =====
<code csharp>
using System.Security.Cryptography;

// ML-DSA (signatures)
using var mlDsa65 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
using var mlDsa87 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa87);
// ML-KEM (key encapsulation / key exchange)
using var mlKem768 = MlKem.Create(MlKemParameterSet.MlKem768);
using var mlKem1024 = MlKem.Create(MlKemParameterSet.MlKem1024);
// Classical algorithms (for hybrid schemes)
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
using var rsa = RSA.Create(4096);
</code>
→ **Details:** [[..:schluessel:generierung|Generation]]
----
===== Store keys =====
<code csharp>
// DPAPI (Windows only; the blob is bound to the current user profile)
// mlDsa: an ML-DSA key created as in "Generate keys"
byte[] privateKey = mlDsa.ExportPrivateKey();
byte[] encrypted = ProtectedData.Protect(privateKey,
    optionalEntropy: null, DataProtectionScope.CurrentUser);
// Password-protected PEM (PKCS#8, AES-256-CBC, PBKDF2 with SHA-256, 100000 iterations)
string pem = mlDsa.ExportEncryptedPkcs8PrivateKeyPem(
    "password"u8, new PbeParameters(
        PbeEncryptionAlgorithm.Aes256Cbc,
        HashAlgorithmName.SHA256, 100000));
</code>
→ **Details:** [[..:schluessel:speicherung|Storage]]
----
===== Rotate keys =====
<code csharp>
var rotationService = new KeyRotationService(options =>
{
    options.RotationInterval = TimeSpan.FromDays(90);
    options.MaxKeyAge = TimeSpan.FromDays(365);
});
// Check whether rotation is due (currentKey: the key currently in use)
if (rotationService.ShouldRotate(currentKey))
{
    var newKey = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
    rotationService.Rotate(currentKey, newKey);
}
</code>
→ **Details:** [[..:schluessel:rotation|Rotation]]
----
===== Back up keys =====
<code csharp>
// Shamir Secret Sharing (3-of-5): any 3 of the 5 shares recover the key, 2 reveal nothing
var shares = ShamirSecretSharing.Split(
    privateKey, totalShares: 5, threshold: 3);
// Distribute the shares to the trustees
foreach (var (index, share) in shares)
    SaveToTrustee(index, share);
// Recover from any three shares
var recoveredShares = new[] { shares[0], shares[2], shares[4] };
byte[] recovered = ShamirSecretSharing.Combine(recoveredShares);
</code>
→ **Details:** [[..:schluessel:backup|Backup]]
----
===== Destroy keys =====
<code csharp>
// Secure erase: overwrite the key material in place (privateKeyBytes: the exported private key)
CryptographicOperations.ZeroMemory(privateKeyBytes);
// Revoke the certificate (cert: the X509Certificate2 bound to the key)
var crlBuilder = new CertificateRevocationListBuilder();
crlBuilder.AddEntry(cert,
    DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);
</code>
→ **Details:** [[..:schluessel:vernichtung|Destruction]]
----
===== Recommendations =====
^ Key type ^ Algorithm ^ Validity ^
| Root CA | ML-DSA-87 | 20+ years |
| Intermediate CA | ML-DSA-65 | 5-10 years |
| End entity | ML-DSA-65 / hybrid | 1-2 years |
| Ephemeral | ML-KEM-768 | Session |
----
<< [[.:start|← Quick reference]] | [[..:schluessel:start|→ Key scenarios (details)]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>kurzreferenz schluessel generierung rotation backup}}