3.7.6 Split knowledge and dual control for manual key management operations

Defined Approach Requirements

3.7.6 Where manual cleartext cryptographic key-management operations are performed by personnel, key-management policies and procedures are implemented, including managing these operations using split knowledge and dual control.

Customized Approach Objective

Cleartext secret or private keys cannot be known by anyone. Operations involving cleartext keys cannot be carried out by a single person.

Applicability Notes

This control is applicable for manual key-management operations.

A cryptographic key that is simply split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated using one of the following:

• Using an approved random number generator and within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device,

OR

• According to ISO 19592 or equivalent industry standard for generation of secret key shares.

Defined Approach Testing Procedures

3.7.6.a Examine the documented key-management policies and procedures for keys used for protection of stored account data and verify that they define using split knowledge and dual control.

3.7.6.b Interview personnel and/or observe processes to verify that manual cleartext keys are managed with split knowledge and dual control.

Purpose

Split knowledge and dual control of keys are used to eliminate the possibility of a single person having access to the whole key and therefore being able to gain unauthorized access to the data.

Definitions

Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of other components or of the original cryptographic key.

Dual control requires two or more people to authenticate the use of a cryptographic key or perform a key-management function. No single person can access or use the authentication factor (for example, the password, PIN, or key) of another.

Good Practice

Where key components or key shares are used, procedures should ensure that no single custodian ever has access to sufficient key components or shares to reconstruct the cryptographic key. For example, in an m-of-n scheme (for example, Shamir), where only two of any three components are required to reconstruct the cryptographic key, a custodian must not have current or prior knowledge of more than one component. If a custodian was previously assigned component A, which was then reassigned, the custodian should not then be assigned component B or C, as this would give the custodian knowledge of two components and the ability to recreate the key.

Examples

Key-management operations that might be performed manually include, but are not limited to, key generation, transmission, loading, storage, and destruction.

Further Information

Industry standards for managing key components include:

• NIST SP 800-57 Part 2, Revision 1 -- Recommendation for Key Management: Part 2 -- Best Practices for Key Management Organizations [4.6 Keying Material Distribution]
• ISO 11568-2 Banking — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle [4.7.2.3 Key components and 4.9.3 Key components]
• European Payments Council EPC342-08 Guidelines on Cryptographic Algorithms Usage and Key Management [especially 4.1.4 Key installation].