Showing posts from July, 2017

It's an older code..

(Let's assume we're talking about encryption keys here rather than pass codes, though it really makes little difference. Note that your passwords are a slightly different concern.)

Is it incompetence to use an old code? No.

For synchronous requests (e.g. those over HTTPS) there's a handshake process you go through every few minutes to agree a new key. Client and server then continue to use this key until it expires, then they agree a new one. If the underlying certificate changes you simply go through the handshake again.

For asynchronous requests things aren't as easy. You could encrypt and queue a request one minute and change the key the next, but the message remains on the queue for another hour before it gets processed. In these cases you can either reject the message (usually unacceptable) or try the older key and accept that for a while longer.

Equally with persistent storage you could change the key every month but you can't go round decrypting and re
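The queued-message case described above, as an added example that is not from the original post: a consumer that still accepts a retired key, but only inside a grace window. It uses standard-library HMAC tags in place of encryption (the key-selection logic is the same); the key ids, the `KeyRing` class and the two-hour `GRACE_SECONDS` policy are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

GRACE_SECONDS = 2 * 3600  # assumed policy: a retired key is honoured for 2 hours


@dataclass
class Key:
    secret: bytes
    retired_at: Optional[float] = None  # None while this is the current key


class KeyRing:
    def __init__(self):
        self.keys = {}       # key id -> Key
        self.current = None  # id of the key used for new messages

    def rotate(self, key_id, secret, now):
        if self.current is not None:
            self.keys[self.current].retired_at = now
        self.keys[key_id] = Key(secret)
        self.current = key_id

    def _tag(self, key_id, body):
        # The key id is covered by the tag so it cannot be swapped in transit.
        data = key_id.encode() + b"\x00" + body
        return hmac.new(self.keys[key_id].secret, data, hashlib.sha256).digest()

    def seal(self, body):
        return {"kid": self.current, "body": body, "tag": self._tag(self.current, body)}

    def open(self, msg, now):
        key = self.keys.get(msg["kid"])
        if key is None:
            return "unknown-key"
        if key.retired_at is not None and now - key.retired_at > GRACE_SECONDS:
            return "key-expired"  # an older code that no longer checks out
        if not hmac.compare_digest(self._tag(msg["kid"], msg["body"]), msg["tag"]):
            return "bad-tag"
        return "ok" if key.retired_at is None else "ok-old-key"


def demo():
    ring = KeyRing()
    ring.rotate("k1", b"constructed-secret-1", now=0)
    queued = ring.seal(b"transfer #1")                  # queued at t=0 under k1
    ring.rotate("k2", b"constructed-secret-2", now=60)  # key changes a minute later
    return (ring.open(queued, now=3660),                # processed an hour on
            ring.open(queued, now=60 + GRACE_SECONDS + 1),
            ring.open(ring.seal(b"transfer #2"), now=3660))
```

Logging the `ok-old-key` results shows how long messages really sit on the queue, which is what the grace window should be sized from.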