Should you rotate keys?
Some standards require you to periodically rotate your keys, or to decrypt encrypted data with the old key and then reencrypt it with a new key. The current version of the PCI DSS, requires this, for example. At the IEEE Key Management Summit last week, there was some discussion of whether or not rotating keys even makes sense these days.
Those arguing that rotating keys is unnecessary claimed that the desire to rotate keys is essentially a holdover from the days when the only standardized encryption algorithm was DES. DES has a fairly weak key – only 56 bits of key are actually used in the DES encryption algorithm. This means that defeating DES is feasible for an attacker with a relatively modest budget. In 1999, for example, the EFF built the DES Cracker, a special-purpose computer that can recover any DES key in just a few days of computation, for only $250,000. Against adversaries able to do this, rotating keys frequently may make sense.
On the other hand, a 128-bit AES key is much more secure than a 56-bit DES key. It’s probably infeasible for even the richest national governments to build a special-purpose computer that can recover a 128-bit AES key in anything less than millions of years. For all practical purposes, adversaries can’t beat AES.
If you periodically rotate your AES keys, there is a chance of some sort of problem happening every time that you decrypt and reencrypt your data. Maybe the hardware module that you use to do the encryption will fail. Maybe some sort of catastrophic error will occur in your key management system and you’ll end up cryptographically shredding your data instead of protecting it. The chances of this happening may be small, but they’re probably much greater than the chances of an adversary beating AES. This means that rotating AES keys may actually cause a greater exposure to risk than not rotating them does.
But just because an adversary can’t beat AES doesn’t mean that they can’t beat the key management system that creates and manages AES keys. So it might be the case that a more reasonable comparison is between an adversary’s ability to beat a key management system and the chances of the same key management system causing a severe problem due to an unexpected failure of some sort. In this case, it’s not clear which alternative offers the lowest risk. Key management technology and the products that implement it are still relatively new, so it may take a while to get enough data to say much about which alternative is really better. Until then, it’s probably still a good idea to rotate keys regularly.