
IT Security

Key Management Checklist


Table of Contents
General
Security Concept 1: Format of Keys
Security Concept 2: Dual Control / Split Knowledge
Security Concept 3: Secure Key Creation
Security Concept 4: Secure Loading of Keys
Security Concept 5: Non-disclosure of Keys
Security Concept 6: Key Life Span
Security Concept 7: Prevention and Detection of Unauthorised Use
Security Concept 8: Compromise of Keys
Security Concept 9: Backup and Recovery
Security Concept 10: Destruction of Obsolete Keys

General

The need for encryption has been determined by the owners of the information.
Whenever encryption is used, Organization personnel have not deleted the sole
readable version of data before first demonstrating that the encryption process is
able to re-establish a readable version of the data.

Encryption Schemes
The following encryption schemes may be made use of. Sometimes combinations of
schemes are used, and all aspects of these schemes must be adhered to. Which
scheme has been implemented?
Symmetric, e.g. DES, Triple DES, AES
Asymmetric, e.g. RSA, PKA
DUKPT
Certificates

Encryption Algorithms
The encryption made use of is an approved, commercially available algorithm and
has been implemented as recommended.
A proprietary algorithm has been made use of and has been approved by IT Security.
The viability of the selected encryption process has been satisfactorily
demonstrated before its implementation in a production environment.

Security Concept 1: Format of Keys


The cryptographic key only exists in the following forms:
encrypted;
in a Tamper-Resistant Security Module (TRSM) or in a minimum-acceptable PIN
Entry Device;
in at least two components, where every bit of the key depends, independently,
on every other bit of the key.
Symmetric Master Keys are a minimum of 32 characters (double length).
Symmetric Key Encrypting Keys or Zone Control Master Keys are a minimum of 32
characters (double length).
Symmetric Working Keys are 16 characters in length. Where the encryption device
is able to support double-length keys, these keys are generated as 32-character
keys.
All PIN Protection Keys are 32 characters (double length).
Asymmetric key pairs are 128 bytes in length.
Seed Keys for DUKPT are 32 characters (double length).
Where the manual entry of key values is required, the clear-text key exists in the
form of two or more components.
Cleartext keys, that is, keys that are either not encrypted or that are not maintained
under the principles of dual control and split knowledge, only exist inside a Tamper
Resistant Security Module (TRSM) that is also physically secure.
If encryption is used to protect sensitive data resident on computer storage media,
the encryption keys and related encryption key controls (initialisation vectors,
time-and-date stamps, parameters, etc.) used in the encryption process are not
stored anywhere on this storage media in unencrypted form.

Security Concept 2: Dual Control / Split Knowledge


Established procedures, which prohibit any one individual from having access to all
components of an encryption key, have been followed.

Key loading from the individual key components was carried out under dual control
and split knowledge.
Until the key components have been cryptographically secured, they have been
maintained using the principles of dual control and split knowledge.
Individuals entrusted with a key component have ensured that no person (not
similarly entrusted with that component) can observe or otherwise ascertain the
component before, during or after key loading.
Each key component is in the physical possession of only one person or group of
persons considered trustworthy and so authorised. The person or group of persons
have been instructed to keep secret the component entrusted to them.
A single component must never be in the physical possession of a person or group
of persons when any one such person is or ever has been similarly entrusted with
any other component of this key.
If the component is not in human-readable form (for example, in a PROM module), it
must be in the physical possession of only one person or group of persons, and for
the minimum practical time.
If the component is in human-readable form (for example, printed, as within a
secure mailer), it must be known to only one person (or alternate) and only for the
duration of time required for this person to enter the key component into a TRSM or
a minimum-acceptable PIN Entry Device.
Each component of the key was generated and stored by a separate person.
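The component handling required by Concepts 1 and 2 can be modelled in code. The following Python is an added example, not part of the checklist: it splits a double-length (32 hex character) key into XOR components so that every key bit depends on every component, and it refuses to recombine components unless each one is entered by a different custodian. The function names and the custodian labels are assumptions made for this illustration.

```python
import secrets

DOUBLE_LENGTH_HEX = 32  # 16 bytes: the checklist's "32 characters (double length)"


def generate_key(hex_chars=DOUBLE_LENGTH_HEX):
    """Fresh key from the OS CSPRNG (Concept 3: random, never a copy or variant)."""
    return secrets.token_bytes(hex_chars // 2)


def xor_all(parts):
    """XOR a non-empty list of equal-length byte strings together."""
    acc = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(acc):
            raise ValueError("components must all have the key length")
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def split_into_components(key, n):
    """Split key into n XOR components (Concept 1, split knowledge).
    The first n-1 components are independent random values; the last is chosen
    so that the XOR of all n equals the key. Every key bit therefore depends on
    the matching bit of every component, and any n-1 components reveal nothing.
    """
    if n < 2:
        raise ValueError("split knowledge needs at least two components")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    parts.append(xor_all([key] + parts))  # key XOR r1 XOR ... XOR r(n-1)
    return parts


def load_key(entries):
    """Recombine (custodian, hex component) pairs entered into a TRSM.
    Enforces Concept 2: at least two custodians, no custodian supplies more
    than one component, and each component is a 32-hex-character value.
    """
    custodians = [c for c, _ in entries]
    if len(custodians) < 2 or len(set(custodians)) != len(custodians):
        raise PermissionError("each component must come from a different custodian")
    if any(len(h) != DOUBLE_LENGTH_HEX for _, h in entries):
        raise ValueError("component is not a 32-character double-length key")
    return xor_all([bytes.fromhex(h) for _, h in entries])


if __name__ == "__main__":  # constructed demo: three custodians, one component each
    key = generate_key()
    parts = [c.hex() for c in split_into_components(key, 3)]
    print("recombined key matches:", load_key(list(zip("ABC", parts))) == key)
```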

Security Concept 3: Secure Key Creation


The keys have been created using a random or pseudo-random process.
New cryptographic keys were not created by copying an existing key, resulting in the
new key being equal to an existing cryptographic key.
A replacement cryptographic key is not a variant of the original key, nor an
irreversible transformation of the original key.
Knowledge of one cryptographic key will not provide any information about another
cryptographic key.
Encryption keys, typically Key Encryption Keys, have been transferred either by
physically forwarding the separate hard-copy components of the key using different
communication channels or different personnel, or by transmitting them in ciphertext
form.
The asymmetric private key has been generated on the system it is to be used on.
The Seed Key is injected into the POS or terminal in a Trusted Centre, or in a
trusted manner.
The Seed Key has not been viewed in the clear during the installation process.

Security Concept 4: Secure Loading of Keys


All high-level key loading procedures have been created to be consistent with the
key loading requirements of the processing software and the unique security
features of the hardware security module used.
Any EPROMs and EEPROMs used in loading encryption keys have been maintained
using the same controls applied for maintaining the security of the hard-copy key
parts.
All hardware used in the key loading function is controlled and maintained in a
secure environment.
Use of the key loading equipment is monitored and a log of all key-loading activities
maintained for audit purposes.
All cable attachments are examined before each application to ensure that there
has been no tampering.
If the interface is available, all keys have been stored and distributed using the
Organization's approved Distributed Key Management System (DKMS).


Security Concept 5: Non-disclosure of Keys


Working Keys will not exist outside a TRSM in any form other than as a cryptogram.
All keys managed at the processing level are stored encrypted under the host
Master Key or maintained in the hardware security module.
The asymmetric private key has been secured by a Tamper Resistant Security
Module.
All Working Keys (WKs) or Session Keys (SKs) electronically conveyed between two
organisations are encrypted under a Key Encrypting Key (KEK) or Zone Control
Master Key (ZCMK).
If two organisations share a key to encrypt PINs communicated between them, this
key is unique to those two organisations and has not been given to any other
organisation.
Any Zone Control Master Key and PIN Encryption Key used in the encryption of the
transaction PIN in other than a PIN Entry Device is only known at the two locations:
where the key or PIN is encrypted and where it is decrypted.
Any key used to encrypt a PIN in a minimum-acceptable PIN Entry Device is only
known in that device and in security modules at the minimum number of facilities
consistent with effective system operations.
The keys have not been shared by, or substituted in, both processors' production
and test systems.
The asymmetric private key has not been copied to another system.
A key used to encrypt a PIN, or to protect the PIN encryption key, has never been
used for any other cryptographic purpose.
If both data encryption and message authentication codes (MACs) are used,
separate keys have been used for each of these two control measures.

Security Concept 6: Key Life Span


Symmetric Keys will be changed as follows:
Master Keys will be changed on an annual basis.
Zone Control Master Keys or Key Encrypting Keys will be changed on an
annual basis.
Working Keys or Session Keys will be changed every 24 hours or 2500
transactions, whichever condition occurs first.
The MAC and PIN keys in the DUKPT scheme will be changed in every transaction.
Asymmetric Keys will be changed every second year.
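The rotation schedule above, as an added example that is not part of the checklist: a small Python policy checker that flags any key whose age or transaction count has reached a Concept 6 limit, applying the "whichever occurs first" rule. It assumes "annual" means 365 days and "every second year" means 730 days; the key type names and the identifiers in the sample inventory are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Rotation rules from Security Concept 6 as (maximum age, maximum transactions).
# A key is due when either limit is reached, whichever occurs first.
# Assumptions: "annual" is 365 days and "every second year" is 730 days.
ROTATION_POLICY = {
    "master": (timedelta(days=365), None),
    "kek": (timedelta(days=365), None),          # Key Encrypting Key
    "zcmk": (timedelta(days=365), None),         # Zone Control Master Key
    "working": (timedelta(hours=24), 2500),      # Working / Session key
    "session": (timedelta(hours=24), 2500),
    "dukpt": (None, 1),                          # MAC and PIN keys: every transaction
    "asymmetric": (timedelta(days=730), None),
}

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the demo


def rotation_due(key_type, created, now, transactions=0):
    """Return (due, reason); reason is 'age', 'transactions' or ''."""
    max_age, max_txn = ROTATION_POLICY[key_type.lower()]
    if max_age is not None and now - created >= max_age:
        return True, "age"
    if max_txn is not None and transactions >= max_txn:
        return True, "transactions"
    return False, ""


def overdue_keys(inventory, now):
    """Report [(key id, reason)] for every inventory entry that must be rotated."""
    overdue = []
    for k in inventory:
        due, reason = rotation_due(k["type"], k["created"], now, k.get("transactions", 0))
        if due:
            overdue.append((k["id"], reason))
    return overdue


def sample_inventory(now=NOW):
    """Constructed sample key inventory (not real key material or identifiers)."""
    return [
        {"id": "MK-01", "type": "master", "created": now - timedelta(days=400)},
        {"id": "KEK-05", "type": "kek", "created": now - timedelta(days=200)},
        {"id": "WK-17", "type": "working", "created": now - timedelta(hours=3), "transactions": 2500},
        {"id": "WK-18", "type": "working", "created": now - timedelta(hours=25), "transactions": 10},
        {"id": "RSA-02", "type": "asymmetric", "created": now - timedelta(days=500)},
    ]


if __name__ == "__main__":
    for key_id, reason in overdue_keys(sample_inventory(), NOW):
        print(f"{key_id}: rotation due ({reason})")
```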

Security Concept 7: Prevention and Detection of Unauthorised Use


The unauthorised substitution of one stored key for another, whether encrypted or
unencrypted, has been prevented.
Audits and controls have been imposed on the individuals who manage the keys
and cryptographic devices.
Periodic inspections have been performed on the cryptographic interfaces making
use of encryption keys to ensure that bugs and taps have not been installed.
Control and auditing has been implemented to ensure that no cryptographic device
can be removed without the appropriate authority having been granted.

Security Concept 8: Compromise of Keys


The original key compromised has been replaced with a new one.
The new key has replaced all keys encrypted under or derived from the
compromised key.
All data protected by the compromised key has been transformed to be encrypted
under the new key.

Security Concept 9: Backup and Recovery


As a backup procedure, clear key components have been separately stored in a
safe, which is governed by dual key holders, and access control and the necessary
audit logs (of access to the safe) are maintained.
The backup of the asymmetric private key has been encrypted or protected by a
password.
All general-purpose encryption systems used to protect the Organization's data held
in storage have key escrow features that allow management to decrypt the
protected files.

Security Concept 10: Destruction of Obsolete Keys


Keys that are no longer used or that have been replaced by a new key have been
destroyed except in the cases where Key Escrow is required.
A third party, who is not the key custodian, observed the destruction of keys.
All keys have been destroyed as follows:
If the key is maintained on paper, the key was destroyed by burning or shredding.
If the key is stored on an EEPROM, the key was overwritten with binary 0s a
minimum of three times.
If the key is stored on an EPROM or PROM, the chip was smashed into many
small pieces and scattered.
Printer ribbons, etc., used for the printing of keys and PINs were removed from
the printer and destroyed on a regular basis.
