**Your company sells toys online through a large-scale web-based E-commerce system. To comply with the Payment Card Industry Data Security Standard (PCI DSS), you decide to rotate secret keys on a regular schedule. Which of the following is the primary purpose? (Wentz QOTD)**

A. Increase the number of round keys of the key schedule.

B. Increase the entropy of the random number generator and work factor.

C. Decrease the probability of the loss of confidentiality.

D. Decrease the impact of the secret key being cracked.

**Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.**

My suggested answer is D. Decrease the impact of the secret key being cracked.

Wentz’s book, *The Effective CISSP: Security and Risk Management*, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.

If a secret key can be cracked in 60 days using brute force, any key of the same size can be broken in 60 days, no matter how often it is replaced. So, key rotation doesn’t increase the work factor or decrease the probability of the loss of confidentiality. It primarily decreases the impact if the secret key is cracked. For example, if we rotate keys every 30 days, a compromised key exposes only the 30 days of data encrypted under it.
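The following is an added example, not code from the original post: a small key-versioned store that tags each record with the key version in use on the day it was written, then shows what a single cracked key version exposes. The stream cipher built from HMAC-SHA256 is a deliberately simple stand-in for a real AEAD so the example runs with the standard library alone; the record format, class names and the one-record-per-day assumption are all constructed for illustration.

```python
"""Added example: bounding the impact of a cracked key with rotation.

Toy cipher only (HMAC-SHA256 keystream XORed with the data); it stands in
for a real AEAD so the example runs offline with the standard library.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # keystream block i = HMAC-SHA256(key, nonce || i); concatenate until long enough
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR is its own inverse, so the same call decrypts
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


@dataclass
class Record:
    day: int
    key_version: int   # which rotation period's key encrypted this record
    nonce: bytes
    ciphertext: bytes


class RotatingStore:
    """Hypothetical store that switches to a fresh key every rotation_days days."""

    def __init__(self, rotation_days: int):
        self.rotation_days = rotation_days
        self.keys: dict[int, bytes] = {}     # key version -> 256-bit key
        self.records: list[Record] = []

    def key_version_for_day(self, day: int) -> int:
        return day // self.rotation_days

    def store(self, day: int, plaintext: bytes) -> None:
        version = self.key_version_for_day(day)
        key = self.keys.setdefault(version, os.urandom(32))   # new key per period
        nonce = os.urandom(16)
        self.records.append(Record(day, version, nonce, toy_encrypt(key, nonce, plaintext)))

    def exposed_by_compromise(self, version: int) -> list[bytes]:
        """Plaintexts an attacker recovers with exactly one cracked key version."""
        key = self.keys[version]
        return [toy_encrypt(key, r.nonce, r.ciphertext)
                for r in self.records if r.key_version == version]


def exposure_fraction(days_of_data: int, rotation_days: int) -> float:
    """Worst-case share of records exposed by one cracked key, one record per day (constructed)."""
    store = RotatingStore(rotation_days)
    for day in range(days_of_data):
        store.store(day, f"order-{day}".encode())
    worst = max(len(store.exposed_by_compromise(v)) for v in store.keys)
    return worst / days_of_data


if __name__ == "__main__":
    # Rotation shrinks impact, not work factor: every key still costs the same brute force.
    for period in (360, 90, 30):
        print(f"rotate every {period:3d} days -> {exposure_fraction(360, period):.3f} of a year exposed")
```

Run it and the exposed share falls from the whole year (no effective rotation) to one twelfth with a 30-day schedule, while nothing about the brute-force cost of any single key has changed; that is the distinction between answer D and answers B and C.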

**Round keys** are used in a cipher; the **key schedule** is the algorithm that produces round keys. It’s not related to the key rotation task.

Key rotation doesn’t change the entropy of the keys or alter the work factor needed to crack one.

**Entropy** is a measure of uncertainty or randomness. Cryptographic keys and nonces (numbers used only once, e.g., IVs) rely on the entropy of the random number generator for their randomness. A fair six-sided die has higher entropy than a fair two-sided coin; a fair six-sided die also produces higher entropy than a biased die that only ever renders one, two, or three. **Work factor** is the “estimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure.” (CNSSI 4009-2015)
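As an added example (not part of the original post), the Shannon entropy of the coin, die and biased die above can be computed directly, and the same function shows how the entropy of the source bounds the brute-force search space of a key built from it. The probability vectors and the 128-symbol key length are constructed inputs.

```python
"""Added example: Shannon entropy of a source and the search space it gives a key."""
import math


def shannon_entropy_bits(probabilities: list[float]) -> float:
    """H = -sum(p * log2 p) over outcomes with p > 0, in bits."""
    if abs(sum(probabilities) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in probabilities if p > 0)


def fair(outcomes: int) -> list[float]:
    return [1.0 / outcomes] * outcomes


def key_entropy_bits(symbol_probabilities: list[float], symbols_in_key: int) -> float:
    """Entropy of a key made of independent draws from the given source."""
    return symbols_in_key * shannon_entropy_bits(symbol_probabilities)


def search_space(entropy_bits: float) -> float:
    """Number of equally likely keys an attacker must consider: 2^H."""
    return 2.0 ** entropy_bits


if __name__ == "__main__":
    coin = fair(2)                                   # 1 bit per flip
    die = fair(6)                                    # log2(6) ~ 2.585 bits per roll
    biased_die = [1 / 3, 1 / 3, 1 / 3, 0, 0, 0]      # only 1, 2, 3 ever appear
    for name, src in (("fair coin", coin), ("fair die", die), ("biased die", biased_die)):
        print(f"{name:11s}: {shannon_entropy_bits(src):.3f} bits")

    # 128 flips of a fair coin give a 128-bit key; a coin that lands heads 90% of
    # the time gives far less, so the brute-force work factor drops accordingly.
    for p_heads in (0.5, 0.9):
        bits = key_entropy_bits([p_heads, 1 - p_heads], 128)
        print(f"P(heads)={p_heads}: 128-flip key has {bits:.1f} bits, search space 2^{bits:.1f}")
```

The weak source, not the rotation schedule, is what lowers the work factor; replacing a key drawn from the biased source with another key from the same source leaves the attacker's search space exactly where it was.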


# A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, *The Effective CISSP: Security and Risk Management*, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.

**Your company sells toys online through a large-scale web-based E-commerce system. To comply with the Payment Card Industry Data Security Standard (PCI DSS), you decide to rotate secret keys on a regular schedule. Which of the following is the primary purpose?**

A. Increase the number of round keys of the key schedule.

B. Increase the entropy of the random number generator and the work factor.

C. Decrease the probability of the loss of confidentiality.

D. Decrease the impact of the secret key being cracked.