Unique Master Key Encryption with AES-256-GCM
Learn about using the AES-256-GCM encryption algorithm to generate unique master key
encryptions and how to prevent encryption reuse.
The master key can only generate a finite number of unique encryptions before it runs out
of unique combinations and must repeat encryptions. The firewall creates unique
encryptions using the AES-256-GCM encryption algorithm with an Initialization Vector
(IV). An IV is an arbitrary number that should only be used one time to create an
encryption to ensure that each encryption is unique.
Each encryption using the master key and IV must be unique to prevent forgery attacks.
The firewall meets the uniqueness requirement that the probability that the
authenticated encryption is ever created with the same IV and the same key on two or
more distinct sets of input data is no greater than 232.
When the IV runs through all of its unique values, the IV value repeats. When the IV
value repeats, using the same master key and the repeated IV value to encrypt data means
that the encryption is the same as an encryption previously used on other data.
Change the Master Key before the system runs
out of unique encryptions to prevent the firewall from using the same encryption (master
key and IV value combination) on more than one piece of sensitive data. Unique
encryption combinations should never be repeated or reused.
To track when you need to change the master key, set the master key
Lifetime and Reminder values on each
appliance ( and edit the master key). Set the values conservatively, based on the
expected volume of master key encryptions, to ensure that all encryptions are unique and
no encryption combinations are repeated or reused.