Unique Master Key Encryptions for AES-256-GCM

Ensure using unique AES-256-GCM master key encryptions and prevent repeating encryptions.
The master key can only generate a finite number of unique encryptions before it runs out of unique combinations and must repeat encryptions. The firewall creates unique encryptions using the AES-256-GCM encryption algorithm with an Initialization Vector (IV). An IV is an arbitrary number that should only be used one time to create an encryption to ensure that each encryption is unique.
Each encryption using the master key and IV must be unique to prevent forgery attacks. The firewall meets the uniqueness requirement that the probability that the authenticated encryption is ever created with the same IV and the same key on two or more distinct sets of input data is no greater than 2
32
.
When the IV runs through all of its unique values, the IV value repeats. When the IV value repeats, using the same master key and the repeated IV value to encrypt data means that the encryption is the same as an encryption previously used on other data. Change the Master Key before the system runs out of unique encryptions to prevent the firewall from using the same encryption (master key and IV value combination) on more than one piece of sensitive data. Unique encryption combinations should never be repeated or reused.
To track when you need to change the master key, set the master key
Lifetime
and
Reminder
values on each appliance (
Device
Master Key and Diagnostics
and edit the master key). Set the values conservatively, based on the expected volume of master key encryptions, to ensure that all encryptions are unique and no encryption combinations are repeated or reused.

Recommended For You