본문으로 건너뛰기

Part 3: Cryptographic Key Lifecycle Policy

ItemContent
Document NamePart 3: Cryptographic Key Lifecycle Policy
Product NameDTA Wide Sleep Management Platform
Date2026-06-17
ScopePart 3 (Backend/Infrastructure)
Related ArticlesBSI TR-03161 O.Arch_3 (P.3-010), O.Cryp_4
Reference StandardsBSI TR-02102-1, BSI TR-02102-2, NIST SP 800-57 Part 1/2

1. Purpose and Scope

This document defines the lifecycle policy for all cryptographic key material used by the DTA Wide backend system. The policy covers the random number source, key segregation of duties, key/certificate expiration, and integrity assurance through hashing, and is based on the recognized standards BSI TR-02102 and NIST SP 800-57.

The key lifecycle is managed in six stages: Generation → Storage → Usage → Rotation → Backup → Destruction.


2. Key / Secret Catalogue

2.1 Backend Keys

Key IDPurposeAlgorithmKey Length / Bit StrengthStorage LocationRotation
CONSENT_HMAC_KEYConsent tamper-protection HMAC signingHMAC-SHA256256-bit (min 32B)GCP Secret Manager → Cloud Run env injectionAnnual (manual) + immediate on compromise
AUTH_OAUTH_FBETA_EID_CLIENT_SECRETfbeta eID OAuth2 client authenticationBearer secretmin 32B randomGCP Secret Manager → Cloud Run env injectionAnnual + fbeta policy
EID_FBETA_JWKS_URLfbeta IdP JWKS endpoint (URL)n/an/aGCP Secret ManagerOn change (after fbeta notice)
JWT_SIGNING_KEYBackend access/refresh token signingHS256 or RS256256-bit / 2048-bitGCP Secret ManagerInfrastructure policy

2.2 Client (Mobile) Keys

Key IDPurposeAlgorithmKey LengthStorage LocationRotation
Native 2FA device keyECC Challenge-Response signingECDSA P-256256-bit (prime256v1)iOS Secure Enclave / Android Keystore (non-exportable)On user reenroll
AppCheck attestation keyiOS App Attest / Play IntegrityiOS: P-256 / Android: key-based attestation256-bit (iOS) / system-determined (Android)iOS Secure Enclave / Android KeystoreOS policy
Email OTP codeOne-time email verification coderandom6-digit / 30-min TTLNot stored on mobile — backend Redis cache onlyn/a

2.3 Public Keys Received/Stored by Backend

Key IDPurposeAlgorithmStorage FormatStorage LocationRotation
UserDeviceAuthentication.publicKeySpkiNative 2FA verificationECC P-256 SPKI DER (base64url)DB columnprivate.user_device_authentications.public_key_spkiOn user reenroll/change
fbeta JWKS public keysid_token signature verificationRS256 / ES256JWK (JSON)Memory cache (jose, 1h TTL)Per fbeta JWKS rotation
EidLink.eidHasheID identifier one-way hash (1:1 matching / duplicate-link prevention)SHA-256hex stringprivate.eid_links.eid_hash (UNIQUE column)Permanent (1:1 user mapping)

3. Key Lifecycle Stages

3.1 Generation

KeyGeneration MethodRandom SourceIntegrity Assurance
CONSENT_HMAC_KEYGCP Secret Manager + openssl rand -base64 32OS CSPRNG (/dev/urandom)SHA-256 fingerprint recorded separately
AUTH_OAUTH_FBETA_EID_CLIENT_SECRETIssued by fbeta → stored in Secret Manager immediatelyfbeta CSPRNG (external responsibility)Issuance timestamp + version recorded
Native 2FA device keyiOS SecKeyGeneratePair (Secure Enclave) / Android KeyPairGenerator (KeyStore)OS CSPRNGGenerated in secure element → non-exportable
Session/OAuth state nonceNode.js crypto.randomBytes(32)OS CSPRNGSingle-use, TTL 5–10 min

Generation Authority:

  • Secret Manager roles/secretmanager.admin holders (infrastructure operators) only
  • General developers are read-only (roles/secretmanager.secretAccessor)

3.2 Storage

KeyStorage LocationAccess Control
Backend secretsGCP Secret Manager (region: europe-west3)IAM-based, audit log recorded automatically
Runtime environment variablesCloud Run container env (Secret Manager → env binding)Container memory only, masked in logs
Mobile keysiOS Secure Enclave / Android KeystoreOS-enforced — non-exportable
Backend public keysPostgreSQL DB columnRepository userId filter enforced

Secrets are never stored in source code/repository; they are injected only as runtime environment variables from Secret Manager. Sensitive values are masked when written to logs.

3.3 Usage — Single-Purpose Principle (O.Cryp_4)

KeySingle PurposeUsage Site
CONSENT_HMAC_KEYConsent HMAC signing onlyConsentHmacService.sign/verify only
AUTH_OAUTH_FBETA_EID_CLIENT_SECRETfbeta OAuth client auth onlyfbeta token endpoint exchange only
Native 2FA device keyChallenge-Response signature verification onlyNative 2FA signature verification service only
JWT_SIGNING_KEYSession token signing onlySession issuance service only

To ensure keys are not used outside their purpose, the following controls apply:

  • ConfigService namespace separation isolates key access paths
  • Keys accessed only in the service layer; direct Controller/Repository access prohibited
  • TypeScript strong typing + private fields block export

3.4 Rotation

KeyPolicy
CONSENT_HMAC_KEYManual (annual) + immediate on compromise. Automated rotation is currently not implemented and is under consideration for a future KMS upgrade (roadmap).
fbeta JWKSAutomaticjose library 1h cache, refreshed automatically on JWKS rotation
Native 2FA device keyUser-triggered — on reenroll / change

Manual Rotation Procedure (CONSENT_HMAC_KEY example):

  1. Add new version in Secret Manager
  2. Dual-key window (24h): deploy so both new and old keys verify
  3. After 24h, confirm signatures from the old key are fully verified
  4. Destroy old key
  5. Update Cloud Run env (rolling deploy)
  6. Record rotation in audit log

Immediate Rotation Trigger (Compromise):

  • On suspected security incident, destroy immediately + create new version
  • Affected signatures are invalidated — user re-authentication required
  • Recorded per internal incident response procedure

3.5 Backup

KeyBackup Mechanism
Backend secretsSecret Manager versioning — all versions retained, rollback possible
Native 2FA device keyOS secure element (Secure Enclave/Keystore) — key itself non-exportable, recovered only via user reenroll
Public keys (DB)Included in PostgreSQL regular backups (same-region multi-zone)

No separate plaintext backup of secrets is created; Secret Manager versioning provides the recovery mechanism.

3.6 Destruction

KeyDestruction ReasonDestruction MethodDestruction Verification
CONSENT_HMAC_KEY old version24h after rotation completeSecret Manager version destroyaudit log + DESTROYED state in console
AUTH_OAUTH_FBETA_EID_CLIENT_SECRETfbeta contract end or rotationfbeta revoke + Secret Manager destroyfbeta notice + audit log
Native 2FA device keyUser reenroll, app deletion, backup expiryOS auto-deletion + DB status = EXPIREDcleanup log
fbeta JWKS cache1h TTL auto-expiryjose internal cleanupn/a

Destroyed secrets are non-recoverable; Secret Manager destroy is permanent deletion.


4. Segregation of Duties

4.1 GCP IAM Role Separation

RolePermissionGranted To
roles/secretmanager.adminKey create/rotate/destroyInfrastructure operators (limited, approval process)
roles/secretmanager.secretAccessorRuntime key readdta-wide-api service account only
roles/logging.viewerSecret Manager audit log reviewSecurity audit

Developers cannot directly access production secrets. Local development uses dev/local secrets or stub mode.

4.2 Audit Log

  • All Secret Manager access (read/write/destroy) is recorded automatically in Cloud Logging
  • Logs are aggregated into the central logging repository (BigQuery) to counteract deletion/manipulation on source systems
  • Alerting on suspicious activity

5. Integrity Assurance

MechanismApplication
Key fingerprint (SHA-256)Recorded at generation, compared at rotation
Secret Manager versioningAll change history recorded automatically, rollback possible
Audit logAccess/change actions recorded in Cloud Logging
Destroy approval processProduction secret destroy requires an approval process
Periodic reviewPeriodic Secret Manager inventory review

6. TR-02102-1 / NIST SP 800-57 Conformance

Key / AlgorithmBSI TR-02102-1NIST SP 800-57 StrengthConformance
HMAC-SHA256 (256-bit)§4.4.1 recommended128-bit security
ECDSA P-256 + SHA-256§4.3.3 recommended128-bit security
RSA 2048 (fbeta JWT)§4.3.2 min 2000-bit112-bit security (valid until 2030)
TLS 1.3 + AES-256-GCM§3.3.1 recommended256-bit security
SHA-256 (one-way hash)§4.3 recommended128-bit collision resistance

All algorithms meet the BSI TR-02102-1 recommended criteria, and key lengths are at or above the NIST recommended security strength.

6.1 Algorithm Sunset Plan

  • When BSI/NIST raise the recommended criteria, this document is updated and a migration plan is established.
  • All current algorithms retain validity beyond 2030.

7. Review Cycle

  • Annual periodic review (next: 2027-05)
  • Immediate review on security incident
  • Ad-hoc updates reflecting external audit feedback

8. Evidence and References (Artifacts)

  1. Key Catalogue (Section 2 of this document)
  2. Lifecycle Stage Policy (Section 3 — Generation/Storage/Usage/Rotation/Backup/Destruction)
  3. IAM Role Separation Matrix (Section 4.1)
  4. Standards Conformance Mapping (Section 6 — TR-02102-1 / NIST SP 800-57)
RegulationRequirementImplementationEvidence
BSI TR-03161 O.Arch_3Documented crypto key lifecycle policyThis policy (random source / segregation of duties / expiration / integrity)This document
BSI TR-03161 O.Cryp_4Single-purpose key usageSection 3.3 single-purpose controlsThis document
BSI TR-02102 / NIST SP 800-57Based on recognized standardsSection 6 conformance mappingThis document