Abstract
In conventional cryptographic systems, encryption keys are typically retrieved from a centralized key management server (KMS). To reduce latency and improve performance, clients often cache these keys locally. While this caching mechanism enhances efficiency. However, this approach also introduces several security challenges e.g. cached keys may become outdated or exposed to unauthorized access, and clients generally lack a reliable mechanism to detect when a key has been updated or revoked by the KMS. Moreover, because each client may implement its own caching logic—governing how long keys are stored, when they are refreshed, or how they are secured—this results in inconsistent behavior and increases the risk of security vulnerabilities. This white paper proposes a shift in key caching control from the client to the KMS. Under this model, the KMS centrally manages the lifecycle of cached keys across all clients. It can enforce uniform policies for key expiration, rotation, and revocation, thereby ensuring consistent and secure handling of encryption keys. This approach preserves the performance benefits of local caching while eliminating the possibility of policy misconfiguration or circumvention at the client level.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Srivastava, Himanshu Kishna Mr., "Key management server driven adaptive client-side caching of cryptographic keys", Technical Disclosure Commons, (July 08, 2025)
https://www.tdcommons.org/dpubs_series/8312