14  E5: Key Renewal & Asymmetric

Prerequisites: E3-E4: Transport and End-to-End Encryption

This enables: Security Properties and Best Practices | Cyber Security Methods

14.1 Learning Objectives

By the end of this chapter, you will be able to:

• Implement E5 Key Renewal: Design periodic key refresh using asymmetric encryption
• Compare RSA vs ECC: Select appropriate algorithms based on device constraints and security requirements
• Calculate Cryptographic Performance: Analyze TLS handshake time, energy consumption, and fleet throughput
• Design Key Rotation Strategies: Implement automated key lifecycle management for long-term deployments

In 60 Seconds

E5 covers the key management tier of IoT encryption — automating key generation, secure distribution, rotation, and revocation to maintain cryptographic health across the full device fleet.

For Beginners: E5: Key Renewal & Asymmetric

Symmetric encryption uses the same key to lock and unlock data, like a house key that both locks and unlocks the front door. The sender and receiver share a secret key beforehand. It is fast and efficient, making it ideal for IoT devices with limited processing power, but the challenge is safely sharing the key in the first place.

Sensor Squad: Changing the Locks Regularly!

“Using the same key forever is risky,” Max the Microcontroller explained. “If someone eventually cracks it, they can read ALL past and future messages. E5 key renewal fixes this by periodically changing our symmetric keys using asymmetric encryption.”

Sammy the Sensor asked, “How does the key swap work?”

“The server generates a brand new AES session key,” Lila the LED described. “Then it encrypts this new key with Sammy’s RSA public key and signs it with the server’s private key. Sammy receives it, verifies the signature to make sure it really came from the server, then decrypts the new key using his private key. Now both sides have the fresh key!”

“RSA and ECC are the two main algorithms for this,” Bella the Battery compared. “RSA-2048 is the classic choice but needs bigger keys. ECC-256 provides the same security with keys that are eight times smaller! For tiny IoT devices like us, ECC is usually the better choice because it uses less memory, processing power, and energy. The key renewal happens in the background, and the device smoothly switches to the new key without any interruption.”

14.2 E5: Key Renewal with Asymmetric Encryption

Time: ~12 min | Level: Advanced | Unit: P11.C08.U06

Figure 14.1: Key renewal process (E5)

Purpose: Periodically refresh symmetric keys using asymmetric encryption.

Characteristics:

• RSA public/private key pairs
• Asymmetric encryption for key exchange
• Authentication and non-repudiation
• Returns to AES for data encryption (performance)

Figure 14.2: E5 asymmetric key renewal workflow showing server generating new AES session key, encrypting with device RSA public key, signing with server private key for authentication

14.2.1 E5 Implementation Details

Algorithm: RSA-2048 or ECC P-256 for key exchange + digital signatures

Key Renewal Process:

Step	Actor	Action	Purpose
1	Device/Server	Generate RSA/ECC key pairs	One-time setup during provisioning
2	Both	Exchange public keys	Establish trust relationship
3	Server	Generate new AES-256 session key	Create fresh symmetric key
4	Server	Encrypt AES key with device’s public key	Secure key transport
5	Server	Sign encrypted key with server private key	Prove authenticity
6	Device	Verify signature with server public key	Authenticate sender
7	Device	Decrypt AES key with device private key	Recover session key
8	Device	Send acknowledgment encrypted with new AES key	Confirm receipt
9	Both	Switch to new AES key for E1/E2/E3	Activate new encryption

Asymmetric Algorithms Comparison:

Algorithm	Key Size	Security Level	Speed	IoT Suitability
RSA-2048	2048 bits	112-bit security	Slow	High power consumption
RSA-3072	3072 bits	128-bit security	Very slow	Too heavy for constrained devices
ECC P-256	256 bits	128-bit security	Fast	Recommended for IoT
ECC P-384	384 bits	192-bit security	Moderate	High-security IoT
Ed25519	256 bits	128-bit security	Very fast	Best for signatures

14.2.2 Why Use Asymmetric Encryption for Key Renewal?

Figure 14.3: Comparison showing symmetric encryption requires secure pre-shared channel to distribute keys (chicken-egg problem), while asymmetric encryption allows public key distribution over insecure channels

Security Properties:

• Authentication: RSA/ECC signatures prove key origin
• Non-Repudiation: Server cannot deny sending key (legal proof)
• Reduced Exposure Window: Regular key rotation limits the amount of data compromised if a key is extracted (note: true forward secrecy requires ephemeral key exchange such as ECDHE)
• No Pre-Shared Secret: Public keys can be distributed openly
• Performance: Asymmetric crypto is 100-1000x slower than AES

Best Practice:

Use asymmetric encryption (E5) only for key exchange, then switch to symmetric encryption (AES) for bulk data. This hybrid approach combines the security of RSA/ECC with the speed of AES—exactly how TLS and most secure protocols work.

14.3 Key Rotation Strategies and Schedules

Deep Dive: Key Rotation Implementation

Effective key rotation prevents long-term key compromise while minimizing operational overhead.

Rotation schedule recommendations:

Key Type	Rotation Period	Rationale
Link keys (E1)	Never / On compromise	Changing affects all devices
Device keys (E2)	Annually or on compromise	Balance security vs complexity
Session keys (E3/E4)	Per connection or daily	Forward secrecy
Master keys (E5)	Bi-annually	Certificate validity periods

Automated key rotation implementation:

import time
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

class KeyRotationManager:
    """
    Manages key lifecycle for IoT deployment.
    Supports scheduled rotation and emergency re-keying.
    """
    def __init__(self, device_id: str, key_server_url: str):
        self.device_id = device_id
        self.key_server = key_server_url
        self.current_key = None
        self.key_generation = 0
        self.key_valid_until = 0
        self.rotation_interval = 86400 * 90  # 90 days
        self.encryption_count = 0

    async def check_rotation_needed(self) -> bool:
        """Check if key rotation is due."""
        if self.current_key is None:
            return True

        # Time-based rotation
        if time.time() > self.key_valid_until:
            return True

        # Usage-based rotation (e.g., after N encryptions)
        if self.encryption_count > 1_000_000:
            return True

        return False

    async def rotate_key(self):
        """
        Perform key rotation using E5 asymmetric exchange.
        """
        # Step 1: Generate ephemeral ECDH key pair
        private_key = ec.generate_private_key(ec.SECP256R1())
        public_key = private_key.public_key()

        # Step 2: Request new key from server
        response = await self.key_server.request_key_rotation(
            device_id=self.device_id,
            device_public_key=public_key.public_bytes(...),
            current_generation=self.key_generation
        )

        # Step 3: Derive shared secret using ECDH
        server_public_key = load_public_key(response['server_public_key'])
        shared_secret = private_key.exchange(ec.ECDH(), server_public_key)

        # Step 4: Derive new symmetric key using HKDF
        hkdf = HKDF(
            algorithm=hashes.SHA256(),
            length=32,  # 256-bit AES key
            salt=response['salt'],
            info=b'iot-session-key-v1'
        )
        new_key = hkdf.derive(shared_secret)

        # Step 5: Verify key transition
        if await self.verify_new_key(new_key, response['verification_token']):
            self.transition_to_new_key(new_key)

    def transition_to_new_key(self, new_key: bytes):
        """Atomic key transition with overlap period."""
        # Keep old key valid for grace period (handles in-flight messages)
        self.previous_key = self.current_key
        self.previous_key_expiry = time.time() + 300  # 5 minute overlap

        # Activate new key
        self.current_key = new_key
        self.key_generation += 1
        self.key_valid_until = time.time() + self.rotation_interval
        self.encryption_count = 0

Compliance requirements:

Standard	Key Rotation Requirement
PCI-DSS	Annually minimum, on compromise
HIPAA	Risk-based, document rationale
NIST 800-57	Based on key type and algorithm
IEC 62443	Zone-specific, documented policy
ISO 27001	Policy-based (must document)
GDPR	Risk-based (demonstrable security)

14.4 Worked Example: TLS Handshake Performance Analysis

Real-World Problem: Smart Meter Fleet Registration

This worked example demonstrates how encryption algorithm choice impacts large-scale IoT deployments, particularly during device provisioning and registration.

Context: A utility company is deploying 10,000 smart meters that must register with their cloud platform using TLS mutual authentication. Each device must complete a full TLS handshake to establish secure communication.

Given:

Parameter	Value
Device MCU	ARM Cortex-M4 @ 80 MHz
RSA-2048 signature verification	200 ms on MCU
RSA-2048 key exchange computation	100 ms on MCU
ECDSA-256 signature verification	50 ms on MCU
ECDSA-256 key exchange computation	30 ms on MCU
RSA-2048 key generation	30 seconds on MCU
ECDSA-256 key generation	500 ms on MCU
Power during crypto operations	50 mW
Network round-trip time	50 ms

Problem: Compare RSA-2048 vs ECDSA-256 for device registration. Calculate handshake time, energy consumption, and fleet registration throughput.

---

14.4.1 Step 1: Single Device Handshake Time Analysis

Figure 14.4: TLS handshake timing comparison showing RSA-2048 taking 350ms total versus ECDSA-256 taking 130ms total

RSA-2048 Handshake Breakdown:

\[T_{RSA} = T_{network} + T_{verify} + T_{keyex}\]

\[T_{RSA} = 50\text{ ms} + 200\text{ ms} + 100\text{ ms} = 350\text{ ms}\]

ECDSA-256 Handshake Breakdown:

\[T_{ECDSA} = T_{network} + T_{verify} + T_{keyex}\]

\[T_{ECDSA} = 50\text{ ms} + 50\text{ ms} + 30\text{ ms} = 130\text{ ms}\]

Speedup Factor:

\[\text{Speedup} = \frac{T_{RSA}}{T_{ECDSA}} = \frac{350\text{ ms}}{130\text{ ms}} = 2.69\times\]

---

14.4.2 Step 2: Energy Consumption per Handshake

Energy equals power multiplied by time. With MCU consuming 50 mW during cryptographic operations:

RSA-2048 Energy:

\[E_{RSA} = P \times T_{RSA} = 50\text{ mW} \times 350\text{ ms} = 17.5\text{ mJ}\]

ECDSA-256 Energy:

\[E_{ECDSA} = P \times T_{ECDSA} = 50\text{ mW} \times 130\text{ ms} = 6.5\text{ mJ}\]

Energy Savings with ECC:

\[\text{Savings} = \frac{E_{RSA} - E_{ECDSA}}{E_{RSA}} \times 100\% = \frac{17.5 - 6.5}{17.5} \times 100\% = 62.9\%\]

Battery Impact

For a battery-powered smart meter with 2,400 mAh @ 3.3V (28.5 kJ total capacity):

• RSA: 28,500 J / 0.0175 J = 1.63 million handshakes before battery depletion
• ECDSA: 28,500 J / 0.0065 J = 4.38 million handshakes before battery depletion

ECDSA enables 2.7x more reconnection events over device lifetime!

---

14.4.3 Step 3: Fleet Registration Throughput

For the utility company registering 10,000 devices:

\[\text{Throughput}_{RSA} = \frac{3600\text{ s}}{0.35\text{ s/device}} = 10,286\text{ devices/hour}\]

\[\text{Throughput}_{ECDSA} = \frac{3600\text{ s}}{0.13\text{ s/device}} = 27,692\text{ devices/hour}\]

Time to Register 10,000 Device Fleet:

\[T_{fleet,RSA} = \frac{10,000}{10,286} = 0.97\text{ hours} \approx 58\text{ minutes}\]

\[T_{fleet,ECDSA} = \frac{10,000}{27,692} = 0.36\text{ hours} \approx 22\text{ minutes}\]

---

14.4.4 Final Answer Summary

Metric	RSA-2048	ECDSA-256	Improvement
Handshake time	350 ms	130 ms	2.7x faster
Energy per handshake	17.5 mJ	6.5 mJ	63% less energy
Fleet registration (10K)	58 minutes	22 minutes	2.7x faster
Public key size	256 bytes	33 bytes	8x smaller
Security level	112-bit	128-bit	ECC is stronger

Key Insight: ECC is Strongly Preferred for Constrained IoT

ECDSA-256 (or Ed25519) should be the default choice for IoT device authentication:

1. Faster: 2.7x faster handshakes improve user experience
2. Energy Efficient: 63% less energy extends battery life
3. Smaller Keys: 8x smaller certificates reduce storage and bandwidth
4. Better Security: 128-bit security (ECC-256) exceeds 112-bit (RSA-2048)

When to Use RSA: Only if legacy infrastructure requires RSA, or for root CA certificates.

viewof tlsAlgorithm = Inputs.select(["RSA-2048", "ECDSA-256", "Compare Both"], {
  value: "Compare Both",
  label: "Algorithm"
})

viewof deviceCount = Inputs.range([100, 100000], {
  value: 10000,
  step: 100,
  label: "Fleet Size (devices)"
})

viewof powerMw = Inputs.range([10, 200], {
  value: 50,
  step: 5,
  label: "MCU Power (mW)"
})

viewof batteryMah = Inputs.range([500, 10000], {
  value: 2400,
  step: 100,
  label: "Battery Capacity (mAh)"
})

viewof batteryVoltage = Inputs.range([1.8, 5.0], {
  value: 3.3,
  step: 0.1,
  label: "Battery Voltage (V)"
})

tlsCalc = {
  const rsaTime = 350;  // ms
  const ecdsaTime = 130; // ms
  const power = powerMw / 1000; // W

  const rsaEnergy = power * (rsaTime / 1000); // J
  const ecdsaEnergy = power * (ecdsaTime / 1000); // J

  const batteryJ = (batteryMah / 1000) * batteryVoltage * 3600; // J

  const rsaHandshakes = Math.floor(batteryJ / rsaEnergy);
  const ecdsaHandshakes = Math.floor(batteryJ / ecdsaEnergy);

  const rsaThroughput = Math.floor(3600 / (rsaTime / 1000));
  const ecdsaThroughput = Math.floor(3600 / (ecdsaTime / 1000));

  const rsaFleetMin = ((deviceCount / rsaThroughput) * 60).toFixed(1);
  const ecdsaFleetMin = ((deviceCount / ecdsaThroughput) * 60).toFixed(1);

  const energySavings = (((rsaEnergy - ecdsaEnergy) / rsaEnergy) * 100).toFixed(1);

  return {rsaTime, ecdsaTime, rsaEnergy: rsaEnergy * 1000, ecdsaEnergy: ecdsaEnergy * 1000,
          rsaHandshakes, ecdsaHandshakes, rsaThroughput, ecdsaThroughput,
          rsaFleetMin, ecdsaFleetMin, energySavings, batteryJ: (batteryJ/1000).toFixed(1)};
}

html`<div style="border-left: 4px solid #3498DB; padding: 12px 16px; margin: 16px 0; background: #f8f9fa; border-radius: 0 4px 4px 0;">
<h4 style="margin-top:0; color:#2C3E50;">TLS Handshake Performance Calculator</h4>
<table style="width:100%; border-collapse:collapse;">
<tr style="border-bottom:1px solid #dee2e6;"><th style="text-align:left; padding:6px;">Metric</th><th style="text-align:right; padding:6px;">RSA-2048</th><th style="text-align:right; padding:6px;">ECDSA-256</th><th style="text-align:right; padding:6px;">Improvement</th></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Handshake Time</td><td style="text-align:right; padding:6px;">${tlsCalc.rsaTime} ms</td><td style="text-align:right; padding:6px;">${tlsCalc.ecdsaTime} ms</td><td style="text-align:right; padding:6px; color:#16A085;">${(tlsCalc.rsaTime / tlsCalc.ecdsaTime).toFixed(1)}x faster</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Energy per Handshake</td><td style="text-align:right; padding:6px;">${tlsCalc.rsaEnergy.toFixed(1)} mJ</td><td style="text-align:right; padding:6px;">${tlsCalc.ecdsaEnergy.toFixed(1)} mJ</td><td style="text-align:right; padding:6px; color:#16A085;">${tlsCalc.energySavings}% less</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Battery (${tlsCalc.batteryJ} kJ) Handshakes</td><td style="text-align:right; padding:6px;">${tlsCalc.rsaHandshakes.toLocaleString()}</td><td style="text-align:right; padding:6px;">${tlsCalc.ecdsaHandshakes.toLocaleString()}</td><td style="text-align:right; padding:6px; color:#16A085;">${(tlsCalc.ecdsaHandshakes / tlsCalc.rsaHandshakes).toFixed(1)}x more</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Fleet Registration (${deviceCount.toLocaleString()} devices)</td><td style="text-align:right; padding:6px;">${tlsCalc.rsaFleetMin} min</td><td style="text-align:right; padding:6px;">${tlsCalc.ecdsaFleetMin} min</td><td style="text-align:right; padding:6px; color:#16A085;">${(tlsCalc.rsaFleetMin / tlsCalc.ecdsaFleetMin).toFixed(1)}x faster</td></tr>
</table>
<p style="margin-bottom:0; font-size:0.85em; color:#7F8C8D;">Adjust fleet size, MCU power, and battery parameters above to explore different deployment scenarios.</p>
</div>`

14.5 Hash Collision Probability Calculator

Understanding Hash Collisions and the Birthday Paradox

Hash functions are critical for IoT firmware verification, password storage, and message authentication (HMAC). Understanding collision probability helps you select appropriate hash sizes for your security requirements.

The Birthday Paradox: In a room of just 23 people, there’s a 50% chance two share a birthday. With 365 days available, this seems counterintuitive—but it’s a fundamental property of randomness that affects cryptographic hash security.

viewof hashBits = Inputs.select([64, 128, 160, 224, 256, 384, 512], {
  value: 256,
  label: "Hash Output Size (bits)"
})

viewof numItems = Inputs.range([1, 10000000000], {
  value: 1000000,
  step: 1,
  label: "Number of Items to Hash (e.g., firmware updates, messages)"
})

viewof hashAlgorithm = Inputs.select(
  ["MD5 (128-bit)", "SHA-1 (160-bit)", "SHA-256 (256-bit)", "SHA-384 (384-bit)", "SHA-512 (512-bit)", "SHA3-256 (256-bit)"],
  {value: "SHA-256 (256-bit)", label: "Hash Algorithm"}
)

collisionData = {
  const bits = hashBits;
  const n = numItems;

  // For large bit sizes, use log-space computation to avoid Infinity
  // Birthday paradox: P(collision) ~ 1 - e^(-n^2 / (2 * 2^bits))
  // In log space: exponent = -n^2 / (2^(bits+1))
  // log2(exponent) = 2*log2(n) - (bits+1)
  const log2Exponent = 2 * Math.log2(n) - (bits + 1);

  let collisionProbability;
  if (log2Exponent < -50) {
    // Exponent magnitude is huge negative, probability is essentially 0
    // Use approximation: P ~ n^2 / (2^(bits+1)) for very small probabilities
    collisionProbability = Math.pow(2, log2Exponent);
  } else {
    const exponent = -Math.pow(2, log2Exponent);
    collisionProbability = 1 - Math.exp(exponent);
  }
  const collisionPercent = collisionProbability * 100;

  // Items for 50% collision: sqrt(2 * 2^bits * ln(2)) ~ 2^(bits/2) * 1.177
  const halfBits = bits / 2;

  // Security classification
  let securityLevel = "";
  let recommendation = "";

  if (bits < 128) {
    securityLevel = "Inadequate";
    recommendation = "Hash is too short - collisions are feasible. DO NOT USE for security.";
  } else if (bits < 256) {
    if (collisionProbability > 1e-10) {
      securityLevel = "Moderate";
      recommendation = "Collision risk exists at scale. Consider SHA-256 or larger.";
    } else {
      securityLevel = "Good";
      recommendation = "Acceptable for most IoT applications.";
    }
  } else {
    securityLevel = "Excellent";
    recommendation = "Collision probability is negligible - suitable for all IoT security applications.";
  }

  // Algorithm-specific warnings
  let algorithmWarning = "";
  if (hashAlgorithm.includes("MD5")) {
    algorithmWarning = "MD5 is cryptographically broken - collisions can be generated in seconds. Never use for security!";
  } else if (hashAlgorithm.includes("SHA-1")) {
    algorithmWarning = "SHA-1 is deprecated - practical collision attacks exist (Google SHAttered, 2017). Migrate to SHA-256.";
  }

  return {
    bits,
    numItems: n,
    collisionProbability,
    collisionPercent,
    halfBits,
    securityLevel,
    recommendation,
    algorithmWarning
  };
}

md`### Hash Collision Probability Analysis

**Configuration:**

- **Hash Algorithm**: ${hashAlgorithm}
- **Hash Size**: ${collisionData.bits} bits
- **Items Hashed**: ${collisionData.numItems.toLocaleString()}

**Collision Risk:**

| Metric | Value |
|:-------|:------|
| **Probability of Collision** | ${collisionData.collisionPercent < 1e-10 ? collisionData.collisionProbability.toExponential(4) : collisionData.collisionPercent.toFixed(10)}% |
| **Security Level** | ${collisionData.securityLevel} |
| **Items for 50% Collision** | ~2^${collisionData.halfBits} items |

**Recommendation**: ${collisionData.recommendation}

${collisionData.algorithmWarning ? "**CRITICAL WARNING:** " + collisionData.algorithmWarning : ""}
`

Use Cases by Hash Size:

Hash Size	Security Level	Suitable For	Attack Resistance
64-bit	Inadequate	Checksums only	Collisions trivial
128-bit	Weak	Non-security uses	Birthday attack feasible
160-bit	Deprecated	Legacy systems (SHA-1)	Broken (SHAttered 2017)
256-bit	Standard	Firmware verification, HMAC	Secure for decades
384-bit	High Security	Government, defense	Post-quantum resistant
512-bit	Maximum	Ultra-high security	Overkill for most IoT

Worked Example: Calculating Optimal Key Rotation Schedule for Industrial IoT

Scenario: Factory deploys 200 industrial vibration sensors monitoring critical equipment. Each sensor costs $500, but equipment failure costs $100,000 per incident.

Security Requirements:

• Devices operational for 15 years
• Keys must be rotated to limit breach exposure
• Must meet IEC 62443-4-2 industrial security standard

Given:

• Device AES-256 key for E2 encryption
• Gateway holds 200 device keys in encrypted database
• ECDH-based key rotation using ECC P-256
• Key rotation over-the-air via cellular (200 bytes per device)
• Cellular cost: $0.10 per MB

Question: What is the optimal key rotation frequency that balances security and operational cost?

Analysis:

Security Model: If a key is compromised, the attacker can decrypt data encrypted during that key’s lifetime.

Rotation Frequency	Key Lifetime	Data at Risk per Breach
Never	15 years	15 years of data
Annually	1 year	1 year of data
Quarterly	3 months	3 months of data
Monthly	1 month	1 month of data
Weekly	7 days	7 days of data
Daily	24 hours	24 hours of data

Cost Model:

Per-device key rotation cost: - Key exchange message: 200 bytes - Cellular cost: 200 bytes x $0.10 / 1,048,576 bytes = $0.000019 per rotation

Fleet rotation cost: - 200 devices x $0.000019 = $0.0038 per rotation event

Annual rotation costs: | Frequency | Rotations/Year | Annual Cost | |———–|—————|————-| | Annually | 1 | $0.0038 | | Quarterly | 4 | $0.015 | | Monthly | 12 | $0.046 | | Weekly | 52 | $0.20 | | Daily | 365 | $1.39 |

15-year total costs: | Frequency | 15-Year Cost | |———–|————-| | Annually | $0.057 | | Quarterly | $0.23 | | Monthly | $0.69 | | Weekly | $3.00 | | Daily | $20.85 |

Breach Impact Model:

Assume breach probability: 5% per year (typical for industrial environments) Assume key compromise leads to equipment damage: $100,000 (one failure)

Expected annual loss (EAL):

EAL = Breach_Probability x Breach_Cost
EAL = 0.05 x $100,000 = $5,000/year

Breach Window Reduction:

With annual rotation: - Compromised key exposes 12 months of data - Attacker can cause damage for up to 12 months until key rotates

With quarterly rotation: - Compromised key exposes 3 months of data - Attacker window reduced to 3 months

The expected loss scales proportionally with the exposure window:

Annual rotation EAL: $5,000/year (baseline)
Quarterly rotation EAL: $5,000 x (3/12) = $1,250/year
Monthly rotation EAL: $5,000 x (1/12) = $417/year
Weekly rotation EAL: $5,000 x (1/52) = $96/year
Daily rotation EAL: $5,000 x (1/365) = $14/year

Cost-Benefit Analysis (over 15 years, using annual rotation as baseline):

Rotation Frequency	15-Year Rotation Cost	15-Year Expected Loss	Loss Reduction vs Annual	Net Benefit
Annually	$0.06	$75,000	$0 (baseline)	$0
Quarterly	$0.23	$18,750	$56,250	$56,250
Monthly	$0.69	$6,250	$68,750	$68,749
Weekly	$3.00	$1,442	$73,558	$73,555
Daily	$20.85	$205	$74,795	$74,774

Optimal Decision: Quarterly rotation

Reasoning: 1. Security improvement: 4x reduction in exposure window 2. Cost: Negligible ($0.23 over 15 years) 3. Diminishing returns: Moving from annual to quarterly captures 75% of the total possible loss reduction ($56,250 out of $74,795), while further increases yield progressively smaller marginal benefits relative to added operational complexity

Implementation Schedule:

Year 1: Q1 (Jan 1) - Initial key provisioning
        Q2 (Apr 1) - First rotation
        Q3 (Jul 1) - Second rotation
        Q4 (Oct 1) - Third rotation

Years 2-15: Continue quarterly rotations

Total rotations: 4 x 15 - 1 = 59 rotations
Total cost: 59 x $0.0038 = $0.22

Compliance Verification:

IEC 62443-4-2 requirements: - SR 1.5: Authenticator management (key rotation) – met - SR 2.1: Authorization enforcement (per-device keys) – met - SR 3.1: Communication integrity (authenticated encryption) – met

Quarterly rotation exceeds minimum requirement (annual) and demonstrates defense-in-depth.

Key Insight: Key rotation is extremely cheap (fractions of a cent per device) but provides massive breach exposure reduction. Always implement rotation for long-lived deployments — the cost is negligible compared to breach risk.

Decision Framework: Key Rotation Frequency Selection

Use this framework to determine optimal rotation schedule:

Step 1: Classify Key Type

Key Type	Typical Rotation	Rationale
Master keys (E5)	Never (hardware-protected)	Compromise requires physical access
Root CA private keys	Never or 10+ years	Root of all trust
Intermediate CA keys	2-5 years	Balance security vs operational disruption
TLS certificates	1-2 years	Let’s Encrypt: 90 days
E4 session keys	Per connection or daily	Forward secrecy
E2/E3 device keys	Monthly to annually	Based on data sensitivity
E1 network keys	Quarterly to annually	Affects all devices

Step 2: Assess Data Sensitivity

Data Classification	Recommended Rotation	Example
Public	Never	Weather data from public sensors
Low sensitivity	Annually	Smart parking occupancy data
Medium sensitivity	Quarterly	Building energy usage
High sensitivity	Monthly	Industrial process parameters
Critical	Weekly	Medical device telemetry
Confidential	Daily	Financial transactions

Step 3: Evaluate Operational Constraints

Can devices reliably receive rotation commands?
--- YES (always online)
|   --- Rotation limited only by computational cost
|       --- Recommend quarterly minimum
|
--- NO (intermittent connectivity)
    --- How often do devices connect?
    |   --- Daily: Monthly rotation feasible
    |   --- Weekly: Quarterly rotation feasible
    |   --- Monthly: Annual rotation only
    |
    --- Do you have offline fallback?
        --- YES: Can force rotation on next connection
        --- NO: Must wait for natural connection

Step 4: Calculate Rotation Cost

Cost per rotation = (key_exchange_bytes x cellular_cost_per_MB)
                  + (device_downtime_minutes x operation_cost_per_minute)

Example (ECDH key rotation):
- Key exchange: 200 bytes
- Cellular: $0.10/MB
- Device downtime: 5 seconds
- No operation cost (background rotation)

Cost = (200 / 1,048,576 x $0.10) + $0 = $0.000019 per device

For 1,000 device fleet:
- Quarterly: 4 x 1,000 x $0.000019 = $0.076/year
- Monthly: 12 x 1,000 x $0.000019 = $0.23/year

Decision Matrix:

Scenario	Rotation Frequency	Justification
Public weather sensors	Never	Data is public
Smart home (cloud gateway)	Quarterly	Medium sensitivity
Industrial sensors	Quarterly	IEC 62443 + medium sensitivity
Medical devices (FDA)	Monthly	High sensitivity + regulatory
Financial PoS terminals	Weekly	PCI-DSS + critical data
Military/defense IoT	Daily	Maximum security

Red Flags Requiring More Frequent Rotation:

• Device lifetime > 5 years — Minimum quarterly
• High-value data (>$100K breach cost) — Monthly
• Regulatory requirements — Meet or exceed minimum
• Previous breach in deployment — Increase rotation by 4x
• Shared keys across devices — Weekly (compromise spreads)

Common Mistake: Rotating Keys Without Graceful Transition

The Mistake: Immediately invalidating old keys upon rotation, causing devices with intermittent connectivity to lose access.

The Problem:

10:00 AM: Server generates new key (Key_v2)
10:00 AM: Server sends rotation command to all 1,000 devices
10:01 AM: Server deletes old key (Key_v1) from database
10:01 AM: 800 devices successfully rotate to Key_v2
10:01 AM: 200 devices offline (poor cellular signal)

11:00 AM: Offline devices reconnect
11:00 AM: Devices attempt authentication with Key_v1
11:00 AM: Server rejects (Key_v1 deleted)
11:00 AM: 200 devices locked out indefinitely

Real-World Incident:

Smart meter deployment rotated keys without grace period: - 2,000 meters deployed across rural area - Key rotation triggered at midnight - 15% of meters offline due to poor cellular coverage - Those meters permanently lost connectivity - Required truck rolls ($150 per meter x 300 = $45,000)

The Fix: Implement Grace Period

// WRONG: Immediate key invalidation
void rotate_key() {
    generate_new_key(key_v2);
    send_rotation_command(key_v2);
    delete_old_key(key_v1);  // Too aggressive!
}

// CORRECT: Grace period with overlapping key windows
struct KeyVersion {
    uint8_t key[32];
    uint32_t version;
    time_t valid_from, valid_until;
    bool primary;
};

KeyVersion keys[2];  // old + new key slots

void rotate_key_graceful() {
    generate_new_key(keys[1].key);
    keys[1].version  = current_version + 1;
    keys[1].valid_until = now() + GRACE_PERIOD;  // e.g. 7 days
    keys[1].primary  = true;

    keys[0].primary  = false;
    keys[0].valid_until = now() + GRACE_PERIOD;  // extend old key

    send_rotation_command_with_grace_period(keys[1]);
    schedule_key_deletion(keys[0], GRACE_PERIOD);
}

bool verify_message_key(const Message *msg) {
    // Accept messages signed with either key during grace window
    for (int i = 0; i < 2; i++)
        if (time_in_valid_window(now(), keys[i].valid_from,
                                 keys[i].valid_until))
            if (verify_mac(msg, keys[i].key)) return true;
    return false;
}

Grace Period Recommendations:

Device Connectivity	Recommended Grace Period
Always online	1 hour
Daily connection	3 days
Weekly connection	2 weeks
Monthly connection	6 weeks
Intermittent (poor signal)	2x average reconnect time

Implementation Pattern:

Day 0: Generate Key_v2, send to devices
       Server accepts both Key_v1 (old) and Key_v2 (new)

Day 0-7: Grace period
         - Server accepts both keys for incoming messages
         - Server uses Key_v2 for outgoing messages
         - Devices gradually transition to Key_v2

Day 7: Delete Key_v1
       - Server only accepts Key_v2
       - Any device still using Key_v1 gets "key expired" error
       - Device retries key rotation

Monitoring During Grace Period:

-- Track key rotation progress
SELECT
    device_id,
    last_key_version,
    last_seen,
    CASE
        WHEN last_key_version = 2 THEN 'rotated'
        WHEN NOW() - last_seen < INTERVAL '7 days' THEN 'pending'
        ELSE 'at_risk'
    END AS status
FROM devices
WHERE last_key_version < 2;

-- Output:
-- device_id | last_key_version | last_seen           | status
-- -----------------------------------------------------------------
-- meter_001 | 2                | 2024-01-15 10:05:00 | rotated
-- meter_042 | 1                | 2024-01-15 09:30:00 | pending
-- meter_193 | 1                | 2024-01-08 14:20:00 | at_risk

Alerting Strategy:

Day 3: Alert if >10% devices haven't rotated
Day 5: Alert if >5% devices haven't rotated
Day 6: Final warning - extend grace period if needed
Day 7: Delete old key (or extend if critical devices offline)

Cost of Mistake:

• Truck roll for locked-out devices: $150-$300 per device
• Downtime for critical sensors: Varies (could be $1000s)
• Support tickets and customer frustration: Operational cost

Cost of Grace Period:

• Additional database storage: ~32 bytes x fleet size (negligible)
• Additional verification logic: ~1 ms per message (negligible)
• Delayed security benefit: 7 days (acceptable trade-off)

The Rule: Always implement a grace period equal to at least 2x your maximum expected reconnection time. The operational cost of device lockouts far exceeds any security benefit of immediate rotation.

viewof rotationFreq = Inputs.select(
  ["Never", "Annually", "Quarterly", "Monthly", "Weekly", "Daily"],
  {value: "Quarterly", label: "Rotation Frequency"}
)

viewof fleetSize = Inputs.range([10, 100000], {
  value: 200,
  step: 10,
  label: "Fleet Size (devices)"
})

viewof deployYears = Inputs.range([1, 25], {
  value: 15,
  step: 1,
  label: "Deployment Lifetime (years)"
})

viewof breachProb = Inputs.range([0.01, 0.30], {
  value: 0.05,
  step: 0.01,
  label: "Annual Breach Probability"
})

viewof breachCost = Inputs.range([1000, 1000000], {
  value: 100000,
  step: 1000,
  label: "Breach Cost ($)"
})

rotCalc = {
  const rotationsPerYear = {
    "Never": 0, "Annually": 1, "Quarterly": 4, "Monthly": 12, "Weekly": 52, "Daily": 365
  };
  const exposureMonths = {
    "Never": deployYears * 12, "Annually": 12, "Quarterly": 3, "Monthly": 1, "Weekly": 7/30, "Daily": 1/30
  };

  const rots = rotationsPerYear[rotationFreq];
  const costPerRotation = fleetSize * 0.000019;
  const annualRotCost = rots * costPerRotation;
  const lifetimeRotCost = annualRotCost * deployYears;

  const exposureFraction = exposureMonths[rotationFreq] / 12;
  const annualExpectedLoss = breachProb * breachCost * exposureFraction;
  const lifetimeExpectedLoss = annualExpectedLoss * deployYears;

  const baselineAnnualLoss = breachProb * breachCost * deployYears;
  const baselineLifetimeLoss = baselineAnnualLoss * deployYears;

  // Compare against "never" as baseline
  const neverLifetimeLoss = breachProb * breachCost * deployYears * deployYears;
  const lossReduction = neverLifetimeLoss - lifetimeExpectedLoss;
  const netBenefit = lossReduction - lifetimeRotCost;

  return {rots, costPerRotation: costPerRotation.toFixed(4),
          annualRotCost: annualRotCost.toFixed(2), lifetimeRotCost: lifetimeRotCost.toFixed(2),
          exposureFraction: exposureFraction.toFixed(3),
          annualExpectedLoss: annualExpectedLoss.toFixed(0),
          lifetimeExpectedLoss: lifetimeExpectedLoss.toFixed(0),
          lossReduction: lossReduction.toFixed(0),
          netBenefit: netBenefit.toFixed(0)};
}

html`<div style="border-left: 4px solid #3498DB; padding: 12px 16px; margin: 16px 0; background: #f8f9fa; border-radius: 0 4px 4px 0;">
<h4 style="margin-top:0; color:#2C3E50;">Key Rotation Cost-Benefit Calculator</h4>
<table style="width:100%; border-collapse:collapse;">
<tr style="border-bottom:2px solid #2C3E50;"><th style="text-align:left; padding:6px;">Metric</th><th style="text-align:right; padding:6px;">Value</th></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Rotation Frequency</td><td style="text-align:right; padding:6px;"><strong>${rotationFreq}</strong> (${rotCalc.rots}/year)</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Cost per Rotation Event</td><td style="text-align:right; padding:6px;">$${rotCalc.costPerRotation}</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Annual Rotation Cost</td><td style="text-align:right; padding:6px;">$${rotCalc.annualRotCost}</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">${deployYears}-Year Rotation Cost</td><td style="text-align:right; padding:6px;">$${rotCalc.lifetimeRotCost}</td></tr>
<tr style="border-bottom:2px solid #E67E22;"><td colspan="2" style="padding:6px; font-weight:bold; color:#E67E22;">Breach Risk Analysis</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Exposure Window</td><td style="text-align:right; padding:6px;">${rotCalc.exposureFraction} years per key</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Annual Expected Loss</td><td style="text-align:right; padding:6px; color:#E74C3C;">$${rotCalc.annualExpectedLoss}</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">${deployYears}-Year Expected Loss</td><td style="text-align:right; padding:6px; color:#E74C3C;">$${rotCalc.lifetimeExpectedLoss}</td></tr>
<tr style="border-bottom:1px solid #dee2e6;"><td style="padding:6px;">Loss Reduction vs No Rotation</td><td style="text-align:right; padding:6px; color:#16A085;">$${rotCalc.lossReduction}</td></tr>
<tr style="background:#e8f5e9;"><td style="padding:6px; font-weight:bold;">Net Benefit</td><td style="text-align:right; padding:6px; font-weight:bold; color:#16A085;">$${rotCalc.netBenefit}</td></tr>
</table>
<p style="margin-bottom:0; font-size:0.85em; color:#7F8C8D;">Adjust parameters above to model your deployment scenario. Net benefit = loss reduction minus rotation cost.</p>
</div>`

Concept Relationships

Concept	Depends On	Enables	Critical Insight
E5 Key Renewal	E1-E4 symmetric keys	Reduced exposure window	Without E5, one breach = all history exposed
Asymmetric Key Exchange	RSA/ECC keypairs	Secure key distribution	Solves the “how do we share the key?” problem
RSA vs ECC	Different math problems	Trade-off: compatibility vs efficiency	ECC: 8x smaller keys, 2.7x faster handshakes
Key Rotation Schedule	Risk assessment + compliance	Limited blast radius	Quarterly rotation = 4x less exposure than annual
Grace Period	Device connectivity patterns	Zero lockouts	Immediate rotation = stranded offline devices
Hybrid Encryption	Both symmetric + asymmetric	Fast data + secure keys	This is how TLS/DTLS actually works

The Chain: E5 uses asymmetric crypto (RSA/ECC) to securely deliver new symmetric keys (AES) that refresh E1-E4 layers. Break any link = security failure.

Common Pitfalls

1. No Automated Key Rotation

Manually rotating keys across a large IoT fleet is error-prone and almost never done consistently. Implement automated key rotation using a key management service that triggers renewal before expiry and handles distribution atomically.

2. Shipping Devices With Default or Factory-Default Keys

Devices shipping with shared or predictable default keys can all be compromised once the default key is discovered. Provision unique per-device keys at manufacture and enforce first-boot key change for any remaining defaults.

3. Race Conditions During Key Rollover

If a new key is activated before all communicating parties have received it, some devices will use the old key while others use the new one, causing authentication failures. Use a transition window where both old and new keys are accepted simultaneously.

4. No Audit Trail for Key Operations

Without logging key generation, distribution, and revocation events, it is impossible to investigate a security incident or prove compliance. Implement tamper-evident audit logs for all key lifecycle events.

Label the Diagram

💻 Code Challenge

Order the Steps

Match the Concepts

14.6 Summary

This chapter covered E5 key renewal and asymmetric cryptography:

• E5 Purpose: Periodic refresh of symmetric keys using asymmetric encryption (RSA/ECC) for long-term security
• Hybrid Approach: Use asymmetric crypto for key exchange, symmetric crypto for bulk data (how TLS works)
• ECC Advantages: 2.7x faster, 63% less energy, 8x smaller keys than RSA-2048 with equal or better security
• Key Rotation: Implement automated rotation schedules based on key type and compliance requirements
• Hash Selection: Use SHA-256 minimum for security applications; avoid MD5 and SHA-1

14.7 Knowledge Check

Quiz: E5: Key Renewal & Asymmetric

::

Key Concepts

• E5 Key Management: The fifth encryption level in the IoT encryption architecture, managing the lifecycle of all cryptographic keys used by E1–E4 layers.
• HKDF (HMAC-based Key Derivation Function): An extract-then-expand KDF that derives secure keys from a shared secret or master key, used for generating per-session or per-device keys.
• Key Renewal: The process of replacing an expiring or rotated key with a newly generated key while ensuring seamless continuity of encrypted communications.
• Bootstrap Trust: The mechanism by which a newly manufactured device establishes its first cryptographic identity, typically via a factory-provisioned certificate or secure element.
• Over-the-Air (OTA) Key Update: Securely pushing new cryptographic keys to deployed devices via the network, requiring the update itself to be authenticated and encrypted.
• Certificate Authority (CA): A trusted entity that issues signed certificates binding a public key to a device identity; root CA certificates are provisioned at manufacture.
• Key Compromise: A situation where an unauthorized party gains access to a private or symmetric key, requiring immediate revocation and re-keying of affected devices.

::

14.8 What’s Next

If you want to…	Read this
Review the full encryption layer architecture	Encryption Architecture & Levels
Understand key management strategies	Key Management
Explore TLS certificate lifecycle	TLS and DTLS for IoT
Study E1–E4 encryption layers	E3/E4 Transport Encryption

Continue to Security Properties and Best Practices to understand how all five encryption levels (E1-E5) work together to provide defense-in-depth security, and learn how to design comprehensive encryption architectures for real-world IoT deployments.

14.9 See Also

Related Chapters