PCI DSS compliance
andreas.schwier.ml at cardcontact.de
Fri Nov 11 13:36:26 CET 2016
The SmartCard-HSM supports n-of-m authentication using n out of m
"other" SmartCard-HSM cards/token to authenticate towards the device
with the private key. You need at least n authentication steps to enable
key access. Authentication is done using a public key based
challenge-response protocol, so that it also works remotely.
The scheme was specifically designed to provide shared control for
sensitive keys (like Root-CA keys).
The SmartCard-HSM is supported by gpgsm, however there is currently no
support for n-of-m build into scdaemon.
On 11/11/2016 12:12 PM, Peter Lebbing wrote:
> Disclaimer: I know nothing about these compliance issues.
>> Our company must decrypt ~100 files 7x24 in near real time. How can SSSS
>> work - or any reasonable alternative - in such a production environment?
> Couldn't you simply password protect the key and unlock it when the
> server boots, with several admins entering a part of the password?
> Alternatively, to use SSSS, you could wire up an SSSS implementation to
> a pinentry, so you don't need specific admins but use any X of Y of
> them. In this case, I suggest you use a randomly generated "passphrase"
> for the GnuPG key. If you want to make your implementation real shiny,
> you could store the actual shares encrypted, with each admin having the
> possibility of choosing their own decryption password, so they don't
> have to learn a seemingly random number.
> To clarify, I mean you write the pinentry implementation and use an
> already written SSSS implementation. This pinentry is then invoked when
> you gpg-preset-passphrase the passphrase during boot of the server.
> Just an idea,
--------- CardContact Systems GmbH
|.##> <##.| Schülerweg 38
|# #| D-32429 Minden, Germany
|# #| Phone +49 571 56149
|'##> <##'| http://www.cardcontact.de
--------- Registergericht Bad Oeynhausen HRB 14880
Geschäftsführer Andreas Schwier
More information about the Gnupg-users