security - How to properly do private key management -

-

Is there such a practical experience or a reference to a plan that implements an important management plan that Will follow?

Obviously there are some implementations around the number of companies compatible with some PCI DSS, but the details of them are difficult to get. When the personal data goes down to archive, then discussions on using which encryption algorithm generally stop. After this, a statement is given about the storage of the private key in general, but there is no discussion about the practical method to do it or the key changes from time to time or the key of the application etc. Offers.

Especially I'm interested in the requirements of section 3.5 and 3.6 of the PCI DSS standard.

3.5.2 Store the cryptographic key safely in some of the least possible places and forms.

3.6.a Verify the existence of key-management procedures for the key used for the encryption of cardholder data: Many industry standards for critical management are available from various resources including NIST, which That can be found on.

3.6.4 Confirm that major management processes are implemented so that at least annual changes are required.

I have suggested as a document of PCI DSS requirements, but in addition to recent notes, actual implementation plans or standards do not seem much in the way.

What I'm trying to do is not:

  1. Store the password + S has the hash for authentication in the same way,
  2. Select strong synchronous algorithm for data encryption,
  3. Avoid the need to store personal data in the first place.
  4. Avoid the need for critical management with other mechanisms: physical security, database security, dragons and wizards etc.

Everyone has valid concerns but there are no answers in this case. Nuts and bolts of my needs are in a different SO question but it boils down to all major management, so this is a more refined question.

I am aware of the pain through which you are going to go to PCI compliance with an old EFT The system has struggled to update. Key management was definitely the most challenging part (from my software point of view).

I think I also posted in Martin, and was incredibly disappointed because of the lack of concrete examples.

Perhaps most relevant to your needs with PCI-DSS. Although this is a good thing, this document is a large collection of TLA, which I know I definitely have to read.

When frustration becomes frustrating then I stumble into a fictional story, discussed technical references X9.17 and can help in understanding.

With this reference material I have prepared an important management system which was pleased with our auditors. The design documentation is quite long, but in short this idea is that you have a encrypting key that is protected by the key encrypting key, and the key encryption key is stored on a physically separate box , Which is protected by the master key.

My implementation was a major server application running on a windows box. Before this can be used, this app will need to have access to two different 'key server master keys'. These keys are known only to the major server administrators. These keys together to make the master key are xor'd Are stored in secure memory only, while the application is running. The application can automatically generate cryptographic strong key encryption keys, which are stored in an encrypted form using a master key.

Application keys requiring encryption will request the key to encrypt keys from the server. KEK is used to encrypt the app to encrypt / decrypt, which can be safely stored with application data.

Good luck, I hope you find an interesting challenge too!


Comments

Post a Comment

Popular posts from this blog

asp.net - Javascript/DOM Why is does my form not support submit()? -

-
This is my first time working with asp.net and javascript, so I do not know very good web resources, or Much about javascript debugging I have to find out that on line oFormObject.submit (); Microsoft JScript Runtime Error: Object does not support this property or method I am using the link to work as a button because I am terrible in aesthetics and I think That link will look more professional than a table of 50 buttons. I have read that this solution can cause problems with browsers due to pre-rendering of my links and many additional traffic and problems, but CSS gives me a button like a link, which has issues of alignment and difference seemed to. & lt ;! DOCTYPE HTML PUBLIC "- // W3C // DTD HTML 4.01 // N" "http://www.w3.org/TR/html4/strict.dtd"> & Lt; Html xmlns = "http://www.w3.org/1999/xhtml" & gt; & Lt; Head & gt; & Lt; Link rel = "stylesheet" type = "text / css" href = "defect differen
Read more

sockets - Delphi: TTcpServer, connection reset when reading -

-
I am trying to implement one for Delphi, but there are some problems with communication. Fitnesse will start my process, and give me a portmember as a command line argument. Then I should make a socket on the port number given to me, and fitness will connect to that port I am using a TCPCP server for the job: < Pre> TcpServer1.LocalPort: = ParamStr (ParamCount); TcpServer1 Active: = true; On OnEXEPT () -Event, I send the protocol version to use as specified in the protocol. Process TForm1.TcpServer1Accept (From: TOBject; ClientSocket: TCustomIpClient); Var s: ansistring; Start clientSocket. Syndrome ('slim - v 0.0', # 10); SetLength (S, 6); ClientSketts Receavebook (S, 6); End; When I call ReceiveBuf (), the process ends, and fitness throws an exception: java.net.SocketException: connection Reset I have seen what sent and received. It shows that my code sends the protocol version, fitness sends back a message, and when I try to get this message
Read more

javascript - Classic ASP "ExecuteGlobal" statement acting differently on two servers -

-
I have a strange problem that I really do not know. In addition to developing a new ASP.NET site, I have to support the old "classic ASP" site. It is written in VBScript with a batch of JavaScript functions. Many of the JavaScript functions include 'files' Everything is fine on our production system (which security is controlled by another group - this is a military installation) Debugging them once did not work I). However, I have a fix for a vague bug that needs to be fully tested and some functions do not run under the "local" copy of the website that runs on my PC. For the record, I am running IIS 5.1 on XP. The problem is that some Javascript functions are running "OK" on the production server, but when they use it as a server, they are not defined on my PC what is happening that last Programmer, for some reason, has decided to put some functions in a series of files, which according to the observations, imitate the "need_once
Read more