Tokenization Product Security Guidelines (2015) by the PCI Security Standards Council https://www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf
Why Key Management is So Critical in the... (2015) by Michelle Larson http://web.townsendsecurity.com/bid/73912/Why-Key-Management-is-So-Critical-in-the
Key Management Life Cycle (no author listed) http://www.worldclassprogramme.com/Key-Management-Life-Cycle.php
The Key Management Lifecycle (2008) by Ben Tomhave http://www.secureconsulting.net/2008/03/the_key_management_lifecycle_1.html
Initial consideration of key parameters and life-cycle phases
There are many factors to consider when determining the life-cycle of a key. With so many types of keys in use (public, private, authentication, authorization, signature, verification, etc.), many questions arise about how a key can be properly generated, distributed, stored, replaced, deleted, and recovered during its lifetime while still providing adequate protection against threats. Other questions concern how long the key's life-cycle should be (anywhere from a few minutes to one or more years) and how much strength is needed to withstand attacks. Still others concern responsibility: who shall take care of the generation, usage, replacement, and other phases of the life-cycle?
Determination of the key’s operational life-time and key strength
Once a key is generated, the key-management system should control the sequence of states that the key progresses through over its life-cycle, and allow an authorized administrator to intervene when necessary. The encryption key life cycle is defined by the National Institute of Standards and Technology (NIST), which has also published standards on how a crypto-period should be defined for each key. A crypto-period is the operational life of a key, and is determined by a number of factors based on:
From this information, the operational life of the key can be determined, along with the key length and algorithm needed to obtain sufficient cryptographic strength. The algorithm should use cryptographic routines that are tested and proven and that follow published standards. These parameters are then used by the key-management system to drive its scheduled processes.
The occasional need to change a key state based on unexpected circumstances
There are instances when an authorized administrator must change a key's parameters, causing a change in its state during the life-cycle. (Some of these changes can still be handled automatically by the key-management system.)
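A worked illustration of the state control described in the two sections above, added here and not drawn from the cited sources: a small key manager that enforces a transition table, starts the crypto-period clock at first activation, retires expired keys as a scheduled process, and lets an administrator force an out-of-band state change (marking a key compromised) while refusing transitions that the life-cycle does not allow. The state names follow NIST SP 800-57 Part 1; the transition table, the crypto-period lengths, the key types, the key identifiers and the role names are assumptions made for this example.

```python
"""Key life-cycle state machine with crypto-period enforcement.

Added example, not code from the sources cited above. State names follow
NIST SP 800-57 Part 1; the transition table, crypto-period values, key
types and role names below are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional
import secrets


class KeyState(Enum):
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DEACTIVATED = "deactivated"
    COMPROMISED = "compromised"
    DESTROYED = "destroyed"


# Assumed transition table: the only state changes the system will accept.
ALLOWED = {
    KeyState.PRE_ACTIVATION: {KeyState.ACTIVE, KeyState.DESTROYED},
    KeyState.ACTIVE: {KeyState.SUSPENDED, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.SUSPENDED: {KeyState.ACTIVE, KeyState.DEACTIVATED, KeyState.COMPROMISED},
    KeyState.DEACTIVATED: {KeyState.COMPROMISED, KeyState.DESTROYED},
    KeyState.COMPROMISED: {KeyState.DESTROYED},
    KeyState.DESTROYED: set(),
}

# Assumed crypto-periods per key type, spanning the "minutes to years" range.
CRYPTO_PERIOD = {
    "session": timedelta(minutes=30),
    "data-encryption": timedelta(days=365),
}


@dataclass
class ManagedKey:
    key_id: str
    key_type: str
    created: datetime
    state: KeyState = KeyState.PRE_ACTIVATION
    activated: Optional[datetime] = None
    material: Optional[bytes] = None
    audit: List[str] = field(default_factory=list)

    def expires_at(self) -> Optional[datetime]:
        """End of the crypto-period, counted from first activation."""
        return None if self.activated is None else self.activated + CRYPTO_PERIOD[self.key_type]


class KeyManager:
    def __init__(self):
        self.keys: Dict[str, ManagedKey] = {}

    def generate(self, key_id, key_type, now, bits=256):
        # Key material from the OS CSPRNG; a production system would generate
        # and hold the key inside an HSM rather than in process memory.
        key = ManagedKey(key_id, key_type, now, material=secrets.token_bytes(bits // 8))
        key.audit.append(f"{now.isoformat()} generated {key_type} key, {bits}-bit")
        self.keys[key_id] = key
        return key

    def transition(self, key_id, new_state, now, actor, reason=""):
        """Move a key to a new state, refusing anything outside ALLOWED."""
        key = self.keys[key_id]
        if new_state not in ALLOWED[key.state]:
            raise ValueError(f"{key_id}: {key.state.value} -> {new_state.value} is not permitted")
        if new_state is KeyState.ACTIVE and key.activated is None:
            key.activated = now          # crypto-period clock starts here
        if new_state is KeyState.DESTROYED:
            key.material = None          # key material is discarded on destruction
        key.audit.append(f"{now.isoformat()} {key.state.value} -> {new_state.value} by {actor} {reason}".rstrip())
        key.state = new_state
        return key.state

    def enforce_crypto_periods(self, now):
        """Scheduled process: deactivate every key whose crypto-period has elapsed."""
        expired = []
        for key in list(self.keys.values()):
            if key.state in (KeyState.ACTIVE, KeyState.SUSPENDED) and now >= key.expires_at():
                self.transition(key.key_id, KeyState.DEACTIVATED, now, "scheduler", "crypto-period elapsed")
                expired.append(key.key_id)
        return expired

    def usable_for_protection(self, key_id):
        """Only an active key may be used to encrypt or sign new data."""
        return self.keys[key_id].state is KeyState.ACTIVE


def demo():
    """Walk two constructed keys through scheduled and unexpected state changes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    km = KeyManager()
    km.generate("dek-1", "data-encryption", t0)       # constructed key ids
    km.generate("sess-1", "session", t0)
    for key_id in ("dek-1", "sess-1"):
        km.transition(key_id, KeyState.ACTIVE, t0, "key-admin")
    expired = km.enforce_crypto_periods(t0 + timedelta(hours=1))   # only the session key has expired
    # Unexpected circumstance: an administrator marks the data key compromised.
    km.transition("dek-1", KeyState.COMPROMISED, t0 + timedelta(days=10), "key-admin", "suspected exposure")
    try:                                                            # a compromised key can never return to service
        km.transition("dek-1", KeyState.ACTIVE, t0 + timedelta(days=11), "key-admin")
        reactivation_rejected = False
    except ValueError:
        reactivation_rejected = True
    km.transition("dek-1", KeyState.DESTROYED, t0 + timedelta(days=12), "key-admin", "post-incident")
    dek = km.keys["dek-1"]
    return {"expired": expired, "dek_state": dek.state.value, "dek_usable": km.usable_for_protection("dek-1"),
            "reactivation_rejected": reactivation_rejected, "material_gone": dek.material is None, "audit": dek.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The audit list is the part a defender cares about most: every transition records who caused it and why, so a scheduled expiry and an administrator's emergency action are distinguishable after the fact.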