peemousse
01-09-2009, 04:25 AM
Hello,
background
I'm currently in charge of the PCI compliance for my company. I have some questions related to requirement 3 and the encryption/key management part.
I've read a lot in various forums devoted to PCI compliance, but I'm having a hard time figuring out how to implement a compliant solution.
To give you the background:
- we have a website where customers enter their personal information (PAN, name, etc.)
- that data is stored in an MSSQL database.
The data stored in the MSSQL database are encrypted using column encryption (using AES).
This solution is obviously not compliant because the encryption key is generated on the server and the key management is non-existent.
question
Basically, what is the most simple, straightforward, and common way to encrypt PAN data on MSSQL in a way that is PCI compliant?
work in progress
Use StrongKey (there is an excellent topic here: http://www.strongauth.com/forum/index.php?topic=44.0).
It might take time to implement and it might need some modification on our web application, so development time as well...
We might need to buy HSMs for the servers that don't have an integrated TPM.
Use an Appliance (to generate, store, distribute the keys...)
It seems to be the easiest way if we don't have budget issues, which we don't...
Any recommendation on good products for key management?
What would be the cost of such an appliance?
It seems to be the best solution for the long term...
I don't think MSSQL 2005 has the ability to have the cryptographic key hierarchy managed by an external source such as a Hardware Security Module (HSM)... so I guess the encryption will have to be done in the web application... and then stored in the DB... is that correct?
Homemade solution
I was thinking of the following scenario:
- two random strings are generated with openssl, for example using a live CD.
- the two strings are XORed to produce a symmetric key (DEK, dual control and split knowledge?)
- use this key as a symmetric key for the database (I'm not sure how exactly it works... I'm a bit confused with the database master key?).
- use asymmetric encryption to encrypt the two random strings (KEK1 and KEK2) used to produce the DEK.
- put KEK1 and KEK2 on USB keys, for example, and lock them in the company safe in two different boxes (how to manage the private keys?)
Then change the symmetric key used annually as recommended.
Does this last scenario make sense?
The symmetric key will be entered manually at some point in the database... I'm not a DBA and my knowledge of MSSQL administration is limited; is there any recommendation to achieve this the right way?
As you can see, I'm quite confused and would appreciate some insight and recommendations.
Thanks for your help.
ps: yes, we need to store the cardholder data :)
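The SQL Server 2005 key hierarchy the post asks about (database master key, certificate, symmetric key, annual rotation), as an added example that is not from the original post; the database name, file paths, test PAN and the `<...>` passwords are assumed placeholders.

```sql
-- Constructed example for SQL Server 2005; not code from the original post.
-- <DMK_PASSWORD> / <BACKUP_PASSWORD> are placeholders supplied out of band,
-- e.g. assembled from two halves held by different custodians (split knowledge).
USE CardholderDb;   -- assumed database name
GO
-- 1. Key hierarchy: database master key (DMK) -> certificate -> AES-256 data key.
--    The key name carries the year so annual rotation stays visible.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<DMK_PASSWORD>';
CREATE CERTIFICATE PanCert WITH SUBJECT = 'PAN column key-encrypting certificate';
CREATE SYMMETRIC KEY PanKey2009 WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE PanCert;
-- 2. Offline copy of the certificate and private key for the safe (e.g. a USB key).
BACKUP CERTIFICATE PanCert TO FILE = 'E:\PanCert.cer'
    WITH PRIVATE KEY (FILE = 'E:\PanCert.pvk',
                      ENCRYPTION BY PASSWORD = '<BACKUP_PASSWORD>');
-- 3. By default the DMK is also protected by the instance's service master key,
--    so the server can open it on its own. Dropping that copy means only a
--    caller who presents the password can open the hierarchy.
ALTER MASTER KEY DROP ENCRYPTION BY SERVICE MASTER KEY;
-- 4. Ciphertext is varbinary; the last four digits stay in the clear so lookups
--    and displays never need the key.
CREATE TABLE dbo.Cardholder (
    id        int IDENTITY PRIMARY KEY,
    name      nvarchar(100)  NOT NULL,
    pan_enc   varbinary(256) NOT NULL,
    pan_last4 char(4)        NOT NULL
);
GO
-- 5. Write and read path: open the hierarchy explicitly, use it, close it.
OPEN MASTER KEY DECRYPTION BY PASSWORD = '<DMK_PASSWORD>';
OPEN SYMMETRIC KEY PanKey2009 DECRYPTION BY CERTIFICATE PanCert;
DECLARE @pan varchar(19);
SET @pan = '4111111111111111';   -- constructed test PAN
INSERT INTO dbo.Cardholder (name, pan_enc, pan_last4)
VALUES (N'Test Cardholder', EncryptByKey(Key_GUID('PanKey2009'), @pan), RIGHT(@pan, 4));
SELECT id, name, pan_last4,
       CONVERT(varchar(19), DecryptByKey(pan_enc)) AS pan_clear  -- NULL if key not open
FROM dbo.Cardholder;
CLOSE SYMMETRIC KEY PanKey2009;
-- 6. Annual rotation: create the new key, re-encrypt in place, retire the old one.
CREATE SYMMETRIC KEY PanKey2010 WITH ALGORITHM = AES_256 ENCRYPTION BY CERTIFICATE PanCert;
OPEN SYMMETRIC KEY PanKey2009 DECRYPTION BY CERTIFICATE PanCert;
OPEN SYMMETRIC KEY PanKey2010 DECRYPTION BY CERTIFICATE PanCert;
UPDATE dbo.Cardholder
SET pan_enc = EncryptByKey(Key_GUID('PanKey2010'),
                           CONVERT(varchar(19), DecryptByKey(pan_enc)));
CLOSE ALL SYMMETRIC KEYS;
CLOSE MASTER KEY;
DROP SYMMETRIC KEY PanKey2009;
```

Once the service master key copy is dropped, the DMK password has to be presented by the application (or by the key custodians at service start), which is the part the database cannot manage for you; who holds sysadmin rights and where the certificate backup lives still decide who can reach the PANs.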