The SmartCard-HSM supports n-of-m authentication using n out of m
"other" SmartCard-HSM cards/tokens to authenticate towards the device
with the private key. You need at least n authentication steps to enable
key access. Authentication is done using a public key based
challenge-response protocol, so
On 10/11/16 16:24, helices wrote:
> Our company must decrypt ~100 files 7x24 in near real time.
Upon reflection, isn't this a compliance issue for key management, like
subkey creation, setting of expiry, stuff like that, rather than decryption?
It seems like stuff you need the primary key for, wher
Disclaimer: I know nothing about these compliance issues.
> Our company must decrypt ~100 files 7x24 in near real time. How can
> work - or any reasonable alternative - in such a production environment?
Couldn't you simply password protect the key and unlock it when the
server boots, with se
I think this is where you want to look into a Hardware Security Module
(HSM) or a solution like Hashicorp's Vault server. The split secret would
be used to initialize either of those solutions (Vault uses split keys to
unseal the server out of the box, and can even encrypt those shares to
several d
On 10/11/2016 16:24, helices wrote:
> Our company must decrypt ~100 files 7x24 in near real time. How can
> work - or any reasonable alternative - in such a production environment?
Wouldn't a smartcard solve (at least partially) the issue?
Insert it in a pinpad reader and have the PIN sh
<kristian.fiskerstr...@sumptuouscapital.com> wrote:
> On 11/10/2016 03:50 PM, helices wrote:
> > So would I!
> >
> > At this point, our company must achieve PCI DSS compliance before year
> end,
> > and the road to that necessity leads through this auditor, who
On 11/10/2016 03:50 PM, helices wrote:
> So would I!
>
> At this point, our company must achieve PCI DSS compliance before year end,
> and the road to that necessity leads through this auditor, who insists that
> PGP satisfies all requirements.
>
> There is no explanation t
So would I!
At this point, our company must achieve PCI DSS compliance before year end,
and the road to that necessity leads through this auditor, who insists that
PGP satisfies all requirements.
There is no explanation that he shares with us.
~ Mike
On Thu, Nov 10, 2016 at 8:27 AM, Mark H
I would be interested to hear this auditor's explanation of how *any*
completely automated software system can protect private keys from a
human with access to the system.
--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michig
Yes, our company has been doing all four of your suggestions for years,
including written policies and procedures, and we passed all prior years of
PCI DSS auditing without incident.
Near as I can tell, nothing has changed in this regard in PCI DSS standards
in the last twelve months, to which our
Probably out-of-scope for this list but, if the process is automated you'd
want to reduce the number of people with access to the keys to only staff
with need-to-know. Usually that translates to IT support / administrators.
Beyond that safeguards against people (specifically administrators) cannot
During our current annual PCI DSS audit, our auditor complains that a human
being can access the company's private key and, thus, a human being can
decrypt sales files containing credit card information.
All production processes are fully automated and run as a non-privileged user.
We use GPG encry