PCI DSS compliance

Andreas Schwier andreas.schwier.ml at cardcontact.de
Fri Nov 11 13:36:26 CET 2016

The SmartCard-HSM supports n-of-m authentication using n out of m
"other" SmartCard-HSM cards/tokens to authenticate towards the device
with the private key. You need at least n authentication steps to enable
key access. Authentication is done using a public-key-based
challenge-response protocol, so that it also works remotely.

The scheme was specifically designed to provide shared control for
sensitive keys (like Root-CA keys).

The SmartCard-HSM is supported by gpgsm, however there is currently no
support for n-of-m built into scdaemon.


On 11/11/2016 12:12 PM, Peter Lebbing wrote:
> Disclaimer: I know nothing about these compliance issues.
>> Our company must decrypt ~100 files 7x24 in near real time. How can SSSS
>> work - or any reasonable alternative - in such a production environment?
> Couldn't you simply password protect the key and unlock it when the
> server boots, with several admins entering a part of the password?
> Alternatively, to use SSSS, you could wire up an SSSS implementation to
> a pinentry, so you don't need specific admins but use any X of Y of
> them. In this case, I suggest you use a randomly generated "passphrase"
> for the GnuPG key. If you want to make your implementation really shiny,
> you could store the actual shares encrypted, with each admin having the
> possibility of choosing their own decryption password, so they don't
> have to learn a seemingly random number.
> To clarify, I mean you write the pinentry implementation and use an
> already written SSSS implementation. This pinentry is then invoked when
> you gpg-preset-passphrase the passphrase during boot of the server.
> Just an idea,
> Peter.


    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Registergericht Bad Oeynhausen HRB 14880
                 Geschäftsführer Andreas Schwier
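The SSSS-plus-pinentry idea Peter sketches above (a randomly generated passphrase for the GnuPG key, split among admins so that any X of Y of them can reconstruct it) as an added worked example; this is not code from either poster, from GnuPG or from CardContact. It implements Shamir secret sharing over a prime field in Python: a split step run once when the passphrase is created, and a recover step that a custom pinentry would run at boot before handing the passphrase to gpg-preset-passphrase. The 32-byte passphrase, the field prime 2**521 - 1, the 3-of-5 parameters and the function names are my own assumptions; the pinentry protocol handling itself is outside this snippet.

```python
import secrets
from typing import List, Tuple

# Field for the shares: the Mersenne prime 2**521 - 1 (assumption; any prime
# larger than the secret works). It holds any secret of up to 64 bytes.
PRIME = 2**521 - 1
MAX_SECRET_LEN = 64

Share = Tuple[int, int]  # (x, f(x)) with 1 <= x <= number of shares


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, shares: int) -> List[Share]:
    """Split `secret` into `shares` shares; any `threshold` of them recover it."""
    if not 1 < threshold <= shares < PRIME:
        raise ValueError("need 1 < threshold <= shares")
    if len(secret) > MAX_SECRET_LEN:
        raise ValueError("secret too long for the field")
    secret_int = int.from_bytes(secret, "big")
    # The constant term is the secret; the other threshold-1 coefficients are
    # uniformly random, so fewer than `threshold` points reveal nothing about it.
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_int(shares: List[Share]) -> int:
    """Lagrange-interpolate the shares at x = 0 and return f(0) as an integer.

    With at least `threshold` distinct shares this is the secret; with fewer it
    is an unrelated field element (the caller cannot tell which from the value).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Lagrange basis polynomial l_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares: List[Share], secret_len: int) -> bytes:
    """Recover the passphrase bytes; raises if the shares cannot yield one of that length."""
    value = recover_int(shares)
    try:
        return value.to_bytes(secret_len, "big")
    except OverflowError as exc:
        raise ValueError("too few or corrupted shares") from exc


def new_passphrase_and_shares(threshold: int, shares: int) -> Tuple[bytes, List[Share]]:
    """Generate a random 32-byte key passphrase (as Peter suggests) and split it."""
    passphrase = secrets.token_bytes(32)
    return passphrase, split_secret(passphrase, threshold, shares)


if __name__ == "__main__":
    # Demo: 3-of-5 admins. Each admin would keep one share (optionally encrypted
    # under a password of their choosing); the pinentry collects three at boot.
    passphrase, shares = new_passphrase_and_shares(3, 5)
    print("passphrase (hex):", passphrase.hex())
    presented = [shares[0], shares[2], shares[4]]
    print("recovered matches:", recover_secret(presented, 32) == passphrase)
    # Two shares give a point on a different polynomial: no information leaks.
    print("2 shares equal secret:", recover_int(shares[:2]) == int.from_bytes(passphrase, "big"))
```

The recovered bytes (hex-encoded, as in the demo) are what the custom pinentry would return to gpg-agent; the GnuPG key itself stays protected by a passphrase no single admin knows. Because the polynomial's non-constant coefficients are uniformly random, the value interpolated from fewer than the threshold number of shares is uniformly distributed over the field, which is why the final check in the demo reports False rather than a partial leak.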

More information about the Gnupg-users mailing list