I am the Gatekeeper. Are you the Keymaster?
In the 1984 movie masterpiece Ghostbusters, Gozer the Gozerian, an ancient, ultra-powerful, malignant entity from another dimension, was summoned to New York City to destroy the world. Gozer had two minions: Vinz Clortho, the Keymaster, and Zuul, the Gatekeeper.
In the movie, the two minions protecting their god were equally powerful, and it was only thanks to the team play of Egon, Ray, Venkman, and Winston that Gozer was defeated.
The question is: what does this have to do with PCI-DSS?
Well, if you think of Gozer as the Cardholder Data (CHD), the Gatekeeper as the Key-Encrypting Key and the Keymaster as the Data-Encrypting Key, you get a good analogy.
PCI-DSS 3.1 requirement 3.5.2 and more specifically its sub-requirement 3.5.2.c says:
3.5.2.c Wherever key-encrypting keys are used, examine system configurations and key storage locations to verify:
- Key-encrypting keys are at least as strong as the data-encrypting keys they protect
- Key-encrypting keys are stored separately from data-encrypting keys
The Gatekeeper and the Keymaster were two separate entities; you could not access the magical dimension of Gozer without both of them. Additionally, the Gatekeeper was as strong as the Keymaster, and only the presence of both allowed the opening of the Gates of Vuldronaii..:)
What does it mean in PCI-DSS terms?
Even if you are using one algorithm to encrypt the data-encrypting keys and another to encrypt the data, they must be at least equally strong. How do you decide whether they are equally strong? Well, it comes down to common sense and cryptographic knowledge. Let's say you are using a 128-bit AES key for CHD encryption and 3DES with a 168-bit key for encrypting the data-encrypting key. This can be acceptable, since 3DES is still considered strong cryptography and difficult to crack, due to the 2^112 operations required to discover the key (it should be 2^168, but the meet-in-the-middle attack reduces the effective security to 112 bits), which nowadays is still quite a lot, and as long as you encrypt at most 32 GB of data with the same key.
Additionally, you have to store them in two logically and/or physically separate places. Gozer stored them in two separate physical entities.
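As an added illustration (this is example code written for this post, not the PCI SSC's or any vendor's), here is a small Go program that enforces both bullets of 3.5.2.c in an envelope-encryption setup: a strength check that compares the effective strengths quoted above (so, with the post's own figures, a 3DES-168 KEK over an AES-128 DEK is reported as weaker, even though the post treats that pairing as acceptable on other grounds), a 256-bit AES KEK that wraps a 128-bit AES DEK, and two distinct key stores so the KEK and the wrapped DEK never sit in the same place. The store roles (an HSM for the KEK, the application database for the wrapped DEK), the key identifiers and the test PAN are constructed for the example, and using AES-GCM as the wrapping mechanism is an assumption; the requirement does not prescribe one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EffectiveStrength is the security strength in bits used to compare a KEK with
// the DEK it protects; 3DES-168 is listed at 112 because of meet-in-the-middle.
var EffectiveStrength = map[string]int{"AES-128": 128, "AES-256": 256, "3DES-168": 112}

// CheckKEKStrength enforces the first bullet of 3.5.2.c: KEK at least as strong as DEK.
func CheckKEKStrength(kek, dek string) error {
	ks, ds := EffectiveStrength[kek], EffectiveStrength[dek]
	if ks == 0 || ds == 0 {
		return fmt.Errorf("unknown algorithm label: KEK %q / DEK %q", kek, dek)
	}
	if ks < ds {
		return fmt.Errorf("KEK %s (%d bits) is weaker than DEK %s (%d bits)", kek, ks, dek, ds)
	}
	return nil
}

// Store is one key storage location; KEK and wrapped DEK go in two distinct Stores.
type Store struct{ keys map[string][]byte }

func NewStore() *Store { return &Store{keys: map[string][]byte{}} }

// randomBytes panics if the OS CSPRNG fails; there is no safe fallback.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds AES-GCM; key sizes are fixed by Provision, so a bad key is a bug.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// gcmSeal/gcmOpen prefix the random nonce; used both to wrap the DEK and for CHD.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := newGCM(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g := newGCM(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Provision generates a 256-bit KEK and a 128-bit DEK, checks the strength rule,
// wraps the DEK under the KEK (DEK id bound as AAD) and files each in its own store.
func Provision(kekStore, dekStore *Store, kekID, dekID string) error {
	if kekStore == dekStore {
		return errors.New("KEK and DEK must be stored separately")
	}
	if err := CheckKEKStrength("AES-256", "AES-128"); err != nil {
		return err
	}
	kek, dek := randomBytes(32), randomBytes(16)
	kekStore.keys[kekID], dekStore.keys[dekID] = kek, gcmSeal(kek, dek, []byte(dekID))
	return nil
}

// UnwrapDEK fetches KEK and wrapped DEK from their separate stores and recovers the DEK.
func UnwrapDEK(kekStore, dekStore *Store, kekID, dekID string) ([]byte, error) {
	kek, okK := kekStore.keys[kekID]
	wrapped, okD := dekStore.keys[dekID]
	if !okK || !okD {
		return nil, errors.New("key not found in its store")
	}
	return gcmOpen(kek, wrapped, []byte(dekID))
}

func main() {
	hsm, db := NewStore(), NewStore() // hypothetical: KEK in an HSM, wrapped DEK in the app database
	if err := Provision(hsm, db, "kek-1", "dek-1"); err != nil {
		panic(err)
	}
	dek, _ := UnwrapDEK(hsm, db, "kek-1", "dek-1")
	ct := gcmSeal(dek, []byte("4111111111111111"), nil) // constructed test PAN, not real CHD
	pt, _ := gcmOpen(dek, ct, nil)
	fmt.Printf("recovered %s\n", pt)
}
```

Run it with `go run`. The KEK is used for one thing only, unwrapping the DEK, and the DEK identifier is bound as associated data so a wrapped DEK cannot be silently swapped under a different identifier; the pointer comparison in Provision is the code-level form of the second bullet, refusing to put both keys in one store.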
I find that due diligence and due care in such a case would be demonstrated, the requirement would be satisfied, and the gates of Vuldronaii would be well protected.
What do you think?
If you want to dig a little deeper into cryptography and its history, here are a couple of references:
- The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, by Simon Singh