PaulDotCom mailing list archives
Crypto Key Management Process?
From: chris.biettchert at gmail.com (Chris Biettchert)
Date: Tue, 24 Mar 2009 18:37:01 -0700
The individual crypto requirements for PCI aren't going to help you very much, as they are the following:

3.5 Protect cryptographic keys used for encryption of cardholder data from disclosure and misuse.

3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.

The NIST guide (SP800-57) is a little better, depending on your current crypto knowledge. Also, unless you have specific needs to be FIPS 140 compliant, buy the non-FIPS version of hardware/software. It will save you a lot.

2009/3/22 Jason Wood <tadaka at gmail.com>
> Thanks for the reply guys. I've taken John's idea and used the NIST guide as a reference while following PCI's individual crypto requirements. So far it's going ok. Chris, your point is well taken about the technology to back up the process. I'm trying to tackle the process right now, but I'm checking out HSMs too. There's a lot to do and this is only one of them. Thanks for the help.
>
> Jason
>
> 2009/3/21 Chris Biettchert <chris.biettchert at gmail.com>
>> What type of application is it? Key management policies are great but you also need to be sure that the system is designed/developed to withstand attacks. I would start by using well known and trusted implementations of crypto libraries. Keyczar can simplify the implementation and help you avoid errors. Since Steve Weis, Ben Laurie, etc. worked on it, I would be more confident in using it than rolling your own crypto wrapper. You will also probably want to purchase an HSM. There are several vendors and price really depends on feature set/required load. If this is going to be used to encrypt e-commerce transactions or something similar, expect to pay quite a bit to get an HSM that can keep up with the load, but a smaller HSM should be within budget of most projects.
>>
>> 2009/2/19 John Fiedler <johnfiedler at gmail.com>
>>> Hi Jason,
>>>
>>> You should take a peek at the PCI Requirements; they have some decent requirements for companies handling keys used to encrypt credit card numbers. This might not be exactly what you're looking for, but it might help some.
>>>
>>> https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
>>>
>>> Look at requirements 3.6.x
>>>
>>> John
>>>
>>> 2009/2/18 Jason Wood <tadaka at gmail.com>
>>>> Hi all,
>>>>
>>>> I'm doing some reading on doing key management for a project and was wondering what has worked for others. I'm currently reading my way through NIST's guidelines. Does anyone have a document, book, paper, etc. that helped them build a secure key management process?
>>>>
>>>> Thanks,
>>>> Jason
>>>
>>> --
>>> John

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
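The advice in this thread (document the key management process per PCI 3.6 and SP800-57, and lean on a trusted library such as Keyczar rather than a hand-rolled wrapper) comes down in practice to a versioned keyset with an explicit key lifecycle. The Go program below is an added example written for this archive page; it is not code from the thread, from Keyczar, or from NIST. It keeps several AES-256-GCM keys under integer versions, stamps every ciphertext with the version of the key that produced it, lets a rotated-out key decrypt old data but never encrypt new data, and refuses a revoked key outright. The names `Keyset`, `Rotate`, `Revoke`, `Encrypt`, `Decrypt` and `PrimaryVersion` are this example's own, not Keyczar's API; the ciphertext layout (4-byte big-endian version, then nonce, then GCM output) is likewise an assumption made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// keyEntry follows the SP 800-57 lifecycle in miniature: the primary key
// encrypts, an older (retired) key only decrypts, a revoked key does neither.
type keyEntry struct {
	aead    cipher.AEAD // AES-256-GCM
	revoked bool
}

// Keyset is a versioned set of keys (this example's own type, not Keyczar's API).
type Keyset struct {
	keys    map[uint32]*keyEntry
	primary uint32 // version used for all new encryptions
}

// NewKeyset creates a keyset whose first key is version 1.
func NewKeyset() (*Keyset, error) {
	ks := &Keyset{keys: map[uint32]*keyEntry{}}
	return ks, ks.Rotate()
}

// Rotate generates a fresh AES-256 key and promotes it to primary; the
// previous primary stays available for decryption only.
func (ks *Keyset) Rotate() error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	ks.primary++
	ks.keys[ks.primary] = &keyEntry{aead: aead}
	return nil
}

// Revoke takes a key out of service entirely (suspected compromise, end of
// cryptoperiod); the primary has to be rotated away first.
func (ks *Keyset) Revoke(ver uint32) error {
	k, ok := ks.keys[ver]
	if !ok {
		return errors.New("unknown key version")
	}
	if ver == ks.primary {
		return errors.New("rotate before revoking the primary key")
	}
	k.revoked = true
	return nil
}

// Encrypt uses the primary key and prefixes the output with the key version
// (4 bytes big-endian) and a random nonce so Decrypt can select the key.
func (ks *Keyset) Encrypt(plaintext, aad []byte) ([]byte, error) {
	k := ks.keys[ks.primary]
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4)
	binary.BigEndian.PutUint32(out, ks.primary)
	out = append(out, nonce...)
	return k.aead.Seal(out, nonce, plaintext, aad), nil
}

// Decrypt resolves the key version from the header and refuses unknown or
// revoked versions; the GCM tag also binds the associated data.
func (ks *Keyset) Decrypt(ciphertext, aad []byte) ([]byte, error) {
	if len(ciphertext) < 4 {
		return nil, errors.New("ciphertext too short")
	}
	ver := binary.BigEndian.Uint32(ciphertext[:4])
	k, ok := ks.keys[ver]
	if !ok || k.revoked {
		return nil, fmt.Errorf("key version %d is not available for decryption", ver)
	}
	ns := k.aead.NonceSize()
	if len(ciphertext) < 4+ns {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, ciphertext[4:4+ns], ciphertext[4+ns:], aad)
}

// PrimaryVersion reports the key version new ciphertexts will carry.
func (ks *Keyset) PrimaryVersion() uint32 { return ks.primary }
```

A typical sequence is: `NewKeyset()`, `Encrypt` a record with its record id as associated data, `Rotate()`, confirm `Decrypt` still recovers the old record under the retired version 1, `Revoke(1)`, and confirm the same ciphertext is now refused. The keys here live only in process memory; in the deployment the thread discusses, the raw key material would be generated and held in the HSM, and this keyset would hold handles rather than bytes, but the versioning, the encrypt-only-with-primary rule and the revocation check are the part of the documented process that the application code itself has to enforce.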