I am familiar with the pain you go through. We tried to upgrade the old EFT system to meet PCI requirements. Key management was, of course, (from my point of view of software) the most difficult part.
I think I also stumbled upon the NIST recommendations for key management that Martin published, and was incredibly disappointed with the lack of concrete examples.
ANSI X9.17 - Managing key financial institutions is probably most suitable for your needs, with PCI-DSS. Good luck reading it, though: the document is a massive TLA collection that I know of; of course I tried my best to read it.
When disappointment turned into despair, I stumbled upon The Electronic Money Mill, which is a fictional tale with a lot of relevant technical links. Chapter 17 discusses X9.17 and can help with understanding.
From all this reference material, I developed a key management system that satisfied our auditor. The design documentation is quite long, but the basic idea is that you have a data encryption key protected by a key encryption key, and the key encryption key is stored on a physically separate box, where it is itself protected by a master key.
My implementation was for the Key Server application to run in a Windows window. This application required the input of two separate "key server key keys" before it could be used. These keys are known only to the key server administrators. They are combined to generate a master key, which is stored only in protected memory while the application is running. The application can then automatically generate cryptographically strong Key Encrypting Keys, which are stored in encrypted form under the master key.
Applications that require encryption request the encryption key from the key server. The KEK is used by the application to encrypt/decrypt the data encryption key, which can then be safely stored with the application data.
Good luck. I hope you will also find the task interesting!
PaulG Oct 18 '09 at 10:54
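The three-level hierarchy this answer describes, as an added example in Go (not PaulG's code and not taken from X9.17): two administrator components are XORed into the master key, a KEK is wrapped under the master key, and a DEK is wrapped under the KEK, with AES-256-GCM as the wrapping cipher. The function names and the 32-byte component size are assumptions; generating the KEK and DEK themselves is the same crypto/rand read used here for the nonce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// combineComponents XORs the two key-server key components, each held by a
// different administrator, into the master key; neither part alone reveals it.
func combineComponents(a, b []byte) ([]byte, error) {
	if len(a) != 32 || len(b) != 32 {
		return nil, errors.New("each component must be 32 bytes")
	}
	master := make([]byte, 32)
	for i := range master {
		master[i] = a[i] ^ b[i]
	}
	return master, nil
}

// aeadFor builds the AES-256-GCM wrapper for a 32-byte wrapping key
// (the master key for KEKs, a KEK for DEKs).
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapKey encrypts one key under another; the fresh random nonce is prepended
// so the stored blob is self-describing. Only the blob is ever written to disk.
func wrapKey(gcm cipher.AEAD, key []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, key, nil), nil
}

// unwrapKey reverses wrapKey; a tampered blob or the wrong wrapping key fails
// authentication instead of silently yielding garbage key material.
func unwrapKey(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Only the wrapped KEK and wrapped DEK are persisted; the master key exists solely in the key server's memory, and an application that holds one component cannot unwrap anything.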