How to properly do private key management


Question

Has anyone got practical experience or a reference for a scheme that implements a key management scheme that would comply with the PCI DSS security standard?

There are obviously quite a few implementations around given the number of companies compliant with PCI DSS but trying to find details of them is tough. When it gets down to storing private data the discussion normally stops at which encryption algorithm to use. After that there's normally a statement about appropriately storing the private key but no discussion about practical ways to do it or things like periodically changing the key or providing the key to applications etc.

Specifically I'm interested in the requirements from sections 3.5 and 3.6 of the PCI DSS standard.

3.5.2 Store cryptographic keys securely in the fewest possible locations and forms.

3.6.a Verify the existence of key-management procedures for keys used for encryption of cardholder data. Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.

3.6.4 Verify that key-management procedures are implemented to require periodic key changes at least annually.

I've had a look at the NIST Cryptographic publications as the PCI DSS requirements document suggests but apart from recent notes of a Cryptographic Key Management Workshop there doesn't appear to be much there in the way of real implementable schemes or standards.

As for what I want to do, it is not:

  1. Storing passwords + salts as a hash for authentication,
  2. Selecting a strong symmetric algorithm for data encryption,
  3. Avoiding the need to store private data in the first place.
  4. Avoiding the need for key management by using other mechanisms: physical security, database security, dragons and wizards, etc.

All of which are valid concerns but in this case are not the answer. The nuts and bolts of my requirements are in a different SO question .Net Design pattern for storing and retrieving sensitive per user data but it all boils down to key management hence this more refined question.

Recommended answer

I'm familiar with the pain you're going through. We struggled to update an old EFT system towards PCI compliance. Key management was certainly (from my software point of view) the most challenging part.

I think I also stumbled into the NIST Recommendations for Key Management that Martin posted, and got incredibly frustrated with the lack of concrete examples.

ANSI X9.17 - Financial Institution Key Management is probably the most relevant to your needs, with PCI-DSS. Good luck reading it though, the document is a massive collection of TLAs which I know I certainly struggled to read. (X9.17 is updated yearly, and the latest version is now: NIST SP 800-57 Pt. 1 Rev. 4)

When frustration turned to desperation I stumbled into The Electronic Money Mill which is a fictional tale, with a good number of relevant technical references. Chapter 17 discusses X9.17 and may help with the understanding.

From all this reference material I designed a key management system that our auditor was pleased with. The design documents are fairly lengthy, but in summary the idea is that you have your Data Encrypting Key protected by a Key Encrypting Key, and the Key Encrypting Key is stored on a physically separate box, itself protected by a Master Key.

My implementation was to have a Key Server application running on a Windows box. This application required entry of two separate 'key server master keys' before it could be used. These keys would be known only to the key server administrators. These keys are XORed together to generate the Master Key, which is stored only in protected memory whilst the application is running. The application can then automatically generate cryptographically strong Key Encrypting Keys, which are stored in encrypted form using the Master Key.

Applications that have a need for encryption will request a Key Encrypting Key from the Key Server. The KEK is used by the application to encrypt/decrypt the Data Encrypting Key, which can be stored securely with the application data.

Good luck. I hope you also find it an interesting challenge!
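The three-layer hierarchy the answer describes (two administrator components XORed into a Master Key held only in memory, Key Encrypting Keys stored wrapped under it on the key server, and a Data Encrypting Key wrapped under a KEK and stored with the application data), as an added example in Go. This is not the answerer's code and not part of the original post. AES-256-GCM for key wrapping and record encryption is an assumption, since the answer names no algorithm; every key, share and id is constructed here, and the in-memory map stands in for the key server's encrypted store rather than a real network service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randBytes(n int) []byte { // n bytes from the OS CSPRNG
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-256-GCM (an assumption; the answer names no algorithm). Keys are always 32 bytes.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length is a programming error in this scheme
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has the 128-bit block GCM needs
	return gcm
}

// seal encrypts and prepends the random nonce; it wraps keys and protects records alike.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a missing, tampered or wrongly keyed blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("missing or truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// KeyServer models the separate box: the Master Key lives in memory only; KEKs are stored wrapped under it.
type KeyServer struct {
	masterKey   []byte
	wrappedKEKs map[string][]byte // KEK id -> KEK encrypted under the Master Key
}

// NewKeyServer XORs the two administrators' components into the Master Key, so neither knows it alone.
func NewKeyServer(shareA, shareB []byte) (*KeyServer, error) {
	if len(shareA) != 32 || len(shareB) != 32 {
		return nil, errors.New("each master key share must be 32 bytes")
	}
	mk := make([]byte, 32)
	for i := range mk {
		mk[i] = shareA[i] ^ shareB[i]
	}
	return &KeyServer{masterKey: mk, wrappedKEKs: map[string][]byte{}}, nil
}

// GenerateKEK stores a fresh random KEK wrapped under the Master Key and returns its id.
func (s *KeyServer) GenerateKEK() string {
	id := fmt.Sprintf("kek-%d", len(s.wrappedKEKs)+1)
	s.wrappedKEKs[id] = seal(s.masterKey, randBytes(32))
	return id
}

// GetKEK is the request an application makes; an unknown id yields a nil blob, which fails to open.
func (s *KeyServer) GetKEK(id string) ([]byte, error) {
	return open(s.masterKey, s.wrappedKEKs[id])
}

// WrappedDEK sits beside the application data: the DEK encrypted under a KEK, plus that KEK's id.
type WrappedDEK struct {
	KEKID string
	Blob  []byte
}

// WrapDEK protects a DEK under the named KEK; the KEK change of 3.6.4 is Unwrap then WrapDEK under the new id.
func WrapDEK(s *KeyServer, dek []byte, kekID string) (WrappedDEK, error) {
	kek, err := s.GetKEK(kekID)
	if err != nil {
		return WrappedDEK{}, err
	}
	return WrappedDEK{KEKID: kekID, Blob: seal(kek, dek)}, nil
}

// Unwrap recovers the DEK so the application can seal/open its own records with it.
func (w WrappedDEK) Unwrap(s *KeyServer) ([]byte, error) {
	kek, err := s.GetKEK(w.KEKID)
	if err != nil {
		return nil, err
	}
	return open(kek, w.Blob)
}

func main() { // stand-alone run with constructed administrator components
	s, _ := NewKeyServer(randBytes(32), randBytes(32))
	w, _ := WrapDEK(s, randBytes(32), s.GenerateKEK())
	fmt.Println("KEK id:", w.KEKID, "wrapped DEK bytes:", len(w.Blob))
}
```

An application never sees the Master Key: it asks the key server for a KEK by id, recovers its DEK with Unwrap, and stores record ciphertexts next to the WrappedDEK. The periodic key change that 3.6.4 requires can then be done at the KEK layer, by unwrapping the DEK under the old KEK and calling WrapDEK under a newly generated one, which leaves the stored record ciphertexts exactly as they are; only a suspected compromise of the DEK itself forces the data to be re-encrypted.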
