4

I'm developing a solution that is designed to store membership details, as well as credit card details. I'm trying to comply with PCI DSS as much as I can. Here is my design so far:

PAN = Primary account number == long number on credit card

  • Server A is a remote server. It stores all membership details (Names, Address etc..) and provides indivudal Key A's for each PAN stored
  • Server B is a local server, and actually holds the encrypted PANs, as well as Key B, and does the decryption.

To get a PAN, the client has to authenticate with BOTH servers, ask Server A for the respective Key A, then give Key A to server B, which will return the PAN to the client (provided authentication was sucessful). Server A will only ever encrypt Key A with Server B's public Key, as it will have it beforehand. Server B will probably have to send a salt first though, however I doin't think that has to be encrypted

I havn't really thought about any implementation (i.e. coding) specifics yet regarding the above, however the solution is using Java's Cajo framework (wrapper for RMI) so that is how the servers will communicate with each other (Currently, membership details are transfered in this way).

The reason why I want Server B to do the decryption, and not the client, is that I am afraid of decryption keys going into the client's RAM, even though it's probably just as bad on the server...

Can anyone see anything wrong with the above design? It doesn't matter if the above has to be changed.

Thanks

jtnire

jtnire
  • 1,348
  • 5
  • 21
  • 32
  • I should probably add, that Server B will require 2 factor authentication (keyfile/password) to mount the drive (it will have full disk encryption), and also will require 2 factor authentication to login to the console. The keyfile and password will be held by 2 different people. – jtnire Mar 24 '10 at 11:03
  • Someone suggested that I make the storage server seperate from the server that does the encryption/decryption. This seems like a really good idea. My only concern would be that how does the storage server know only to communicate with the encryption/decryption server? Key Pairs? – jtnire Mar 24 '10 at 11:51

3 Answers3

6

As a preface, you're going to have a nightmare of a time developing this and going through PCI compliance. It would definately be worth considering alternatives, such as using a Payment Service Provider that can store these card details for you, and perform ad-hoc authorisation/settlement using Token Ids (rather than keying them in through a 'dialup credit card machine' that you described)

If you chose to ignore that advice and go the PCI route, then at least make sure to get a PCI approved Qualified Security Assesor (QSA) involved as early as possible, to approve of whatever designs you come up with. PCI isnt something you should 'try to comply with as much as you can', its an all or nothing thing unfortunately!

That said though, one way to tackle this would be to have a key serving application running on box A. This application requires entry of two 'key administration' keys, which when xor'd together form a Master Key. Master Key is only ever stored in RAM, never persisted to disk.

The application generates Key Encrypting Keys, which are stored on box A, encrypted by the Master Key. The KEK is generated automatically (its not something that a user keys in). The KEK can be persisted to disk on box A, encrypted by the Master Key.

Card details are stored on box B. This box also stores the Data Encryption Key, which is used to perform symmetric encryption of the card details. The DEK is itself stored in an encrypted format, encrypted with the Key Encrypting Key from box A.

The application that performs encryption/decryption should be on box B, and authenticate itself to box A before requesting the KEK. The KEK is then used to decrypt the DEK, and encryption/decryption can then take place.

PaulG
  • 13,871
  • 9
  • 56
  • 78
  • Thanks for the advice. Unfourtunately, getting a 3rd payment provider isn't an option in this case. That's a good way to go about it. Is there any way to avoid box B communicating directly with box A? Like could this "authentication" could through the client? Reason being is that I have additional controls in place that would prevent box B accessing any machines not on the network. – jtnire Mar 24 '10 at 13:14
  • Oh and once both administartors have entered their keys into box A, that machine can run without any intervention, right? (Until the next reboot of course) – jtnire Mar 24 '10 at 13:17
  • And I'm guessing the DEKs are made automatically by box B, for each record stored? Also, is there anything wrong with my plan above? I'm not saying mine is correct (I don't know), but where does the fault lie? Thanks – jtnire Mar 24 '10 at 13:20
  • BTW, I think Box A, as you have described above, is exactly what StrongKey does, so maybe I could use that?? – jtnire Mar 24 '10 at 13:22
  • 2
    Key management is (as you see from the flood of questions!) a massively complicated subject. http://stackoverflow.com/questions/1583553/how-to-properly-do-private-key-management has some reference material, but the best advice I already gave - get a QSA involved asap. They will help, and ultimately its their advice you need to follow – PaulG Mar 24 '10 at 13:41
  • StrongAuth have released a new product, that does all that for you. It's all in one box. Do you think I could go with that, to save me the hassle? http://www.strongauth.com/index.php?option=com_content&task=view&id=91&Itemid=26 – jtnire Mar 24 '10 at 14:07
  • Im familiar with Strongkey, and its pretty well respected. Bonus is that it has a Java client library. Check with your QSA for a final verdict though. – PaulG Mar 24 '10 at 14:39
  • How does Strongkey work, compared to your description of "Box A"? I can't seem to find anywhere one their site that tells me this. Their "How StrongKey Works page" doesn't really talk about how keys are managed – jtnire Mar 24 '10 at 15:52
  • It uses hardware (HSM/TPM) instead of a seperate physical box. There's a good explanation here: http://www.strongauth.com/index.php?option=com_content&task=view&id=94&Itemid=94#8 – PaulG Mar 24 '10 at 17:04
1

If Server A is hacked - this meansI baically can still get all credit cards in clear text, or? I have access then to all individual KEY a information that i need to access every credit card.

TomTom
  • 61,059
  • 10
  • 88
  • 148
0

You might be interested in reading the Bytemark Blog entry on how they store credit card information.

The gist is that the server holding the card information will not divulge the numbers; the allowed operations are "Add new card", "Update or remove existing card" and "Charge a card" -- the server connects to the payment processor itself.

Andrew Aylett
  • 39,182
  • 5
  • 68
  • 95