Sie befinden sich hier: start » en » Internal Documentation » WvdS Crypto Library » 6. Scenarios » Quick Reference » Key Management

Inhaltsverzeichnis

Key Management

Compact examples for key management. → Details: Key Scenarios

Generate Keys

// ML-DSA (Signatures)
using var mlDsa65 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
using var mlDsa87 = MlDsaSigner.Create(MlDsaParameterSet.MlDsa87);
 
// ML-KEM (Key Exchange)
using var mlKem768 = MlKem.Create(MlKemParameterSet.MlKem768);
using var mlKem1024 = MlKem.Create(MlKemParameterSet.MlKem1024);
 
// Classical (Hybrid)
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
using var rsa = RSA.Create(4096);

Details: Generation

Store Keys

// DPAPI (Windows)
byte[] privateKey = mlDsa.ExportPrivateKey();
byte[] encrypted = ProtectedData.Protect(privateKey,
    entropy: null, DataProtectionScope.CurrentUser);
 
// PEM with password
string pem = mlDsa.ExportEncryptedPkcs8PrivateKeyPem(
    "password"u8, new PbeParameters(
        PbeEncryptionAlgorithm.Aes256Cbc,
        HashAlgorithmName.SHA256, 100000));

Details: Storage

Rotate Keys

var rotationService = new KeyRotationService(options =>
{
    options.RotationInterval = TimeSpan.FromDays(90);
    options.MaxKeyAge = TimeSpan.FromDays(365);
});
 
// Check if rotation needed
if (rotationService.ShouldRotate(currentKey))
{
    var newKey = MlDsaSigner.Create(MlDsaParameterSet.MlDsa65);
    rotationService.Rotate(currentKey, newKey);
}

Details: Rotation

Key Backup

// Shamir Secret Sharing (3-of-5)
var shares = ShamirSecretSharing.Split(
    privateKey, totalShares: 5, threshold: 3);
 
// Distribute to trustees
foreach (var (index, share) in shares)
    SaveToTrustee(index, share);
 
// Recover
var recoveredShares = new[] { shares[0], shares[2], shares[4] };
byte[] recovered = ShamirSecretSharing.Combine(recoveredShares);

Details: Backup

Destroy Keys

// Secure deletion
CryptographicOperations.ZeroMemory(privateKeyBytes);
 
// Revoke certificate
var crlBuilder = new CertificateRevocationListBuilder();
crlBuilder.AddEntry(cert.SerialNumber,
    DateTimeOffset.UtcNow, X509RevocationReason.KeyCompromise);

Details: Destruction

Recommendations

Key Type Algorithm Validity
Root CA ML-DSA-87 20+ years
Intermediate CA ML-DSA-65 5-10 years
End-Entity ML-DSA-65 / Hybrid 1-2 years
Ephemeral ML-KEM-768 Session

« <- Quick Reference | -> Key Scenarios (Details) »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

, , , ,
Zuletzt geändert: on 2026/01/29 at 11:39 PM

Seiten-Werkzeuge