IBM Systems Magazine Mainframe Demo - (Page 42)

Technical Corner
An in-depth look at programming, systems operations and more

Protect Confidential Information With Encryption-Key Management
By Jim Schesvold

As I first got involved in payment-card industry (PCI) compliance, encryption keys and the term “encryption-key management” seemed trivial compared with the large amounts of application modifications, file restructuring, security infrastructure tailoring, reporting changes and related activities involved in PCI compliance implementation. Nothing could be further from the truth. In terms of planning, protection, coordination and distribution, encryption-key management was one of the most challenging—if not the most challenging—aspects of PCI compliance. That’s because the name “encryption key” is an apt one: it’s very much the key to the kingdom.

Here are some important considerations for establishing an encryption-key management framework:

• Whether symmetric or asymmetric encryption keys are used, based on the choice of encryption algorithm, which depends on encryption granularity
• Frequency of changing the encryption key
• Who controls and performs encryption-key generation, expiration dates and distribution
• Encryption-key security, including storage location, format, access and what forensic data is needed
• How to handle cardholder data (CHD) encrypted with an old encryption key
• Distribution method (FTP, SSL, hand delivery or API) and whether the key should be encrypted for transmission
• What processes are needed to coordinate encryption-key cutover between cryptographic partners
• Deactivation method for the old encryption key

Symmetric vs. Asymmetric Encryption-Key Use

The choice between a symmetric or asymmetric encryption key determines whether you must distribute encryption keys (although security standards may force the choice). Cryptography that uses a single encryption key to encrypt and decrypt data is called symmetric-key cryptography. Asymmetric-key cryptography uses one encryption key to encrypt data and another to decrypt it.

Symmetric-key cryptography is also called private-key cryptography, and asymmetric cryptography is referred to as public-key cryptography, but that isn’t always true. Especially in the case of public-key cryptography, both symmetric and asymmetric encryption keys may be used. While not always used, public-key decryption lends itself to situations where an entire file is encrypted, not just certain records within the file or specific fields within records. So when encrypting an entire file on one end and decrypting it on the other is a concern (this can add significant overhead if only 16 to 30 characters per record must be encrypted in a large file with long records), symmetric-key cryptography may be desirable. And symmetric-key cryptography usually necessitates encryption-key distribution.

Frequency of Encryption-Key Cutover

PCI compliance requires that all encryption keys used in CHD cryptography be changed at least annually. In many or most cases, that requirement determines the encryption-key cutover interval. However, for security reasons or due to security standards, the interval may be shorter. Additional considerations are how large an effort an encryption-key cutover is and how high the risk of CHD theft is. Generally, the more places in an organization where encryption-key cutover is required, the greater the effort. And the higher the volume of credit-card transactions, the higher the risk of CHD theft.

42 ibmsystemsmag.com/mainframe
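Several of the considerations above (handling CHD encrypted under an old key, coordinating the cutover, and deactivating the old key) can be exercised in a small key ring. The Go program below is an added example, not code from the article or from IBM: it uses AES-256-GCM from the Go standard library, tags every ciphertext with a one-byte key version, and performs a cutover by rotating, re-encrypting every stored record under the new key, and only then retiring the previous key. The type and method names are this example's own; key distribution to partners, storage format and forensic logging are outside what it shows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceLen = 12 // standard AES-GCM nonce size
// Keyring: one AES-GCM key per version (version = index+1); call Rotate before
// first use. Only the newest key encrypts; a retired key is set to nil.
type Keyring struct{ keys []cipher.AEAD }

func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a crypto/rand failure is unrecoverable
	}
	return b
}

// Rotate generates a fresh 256-bit key and makes it the current version.
func (kr *Keyring) Rotate() {
	block, _ := aes.NewCipher(random(32)) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)       // cannot fail for an AES block
	kr.keys = append(kr.keys, aead)
}

// Encrypt returns version || nonce || ciphertext under the newest key; the
// version byte is authenticated as associated data, so it cannot be swapped.
func (kr *Keyring) Encrypt(plain []byte) []byte {
	ver, nonce := byte(len(kr.keys)), random(nonceLen)
	return kr.keys[ver-1].Seal(append([]byte{ver}, nonce...), nonce, plain, []byte{ver})
}

// Decrypt selects the key named by the version byte, so records written before
// a cutover stay readable for as long as that key is still active.
func (kr *Keyring) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) <= nonceLen || ct[0] == 0 || int(ct[0]) > len(kr.keys) || kr.keys[ct[0]-1] == nil {
		return nil, errors.New("ciphertext malformed, or key version unknown/deactivated")
	}
	return kr.keys[ct[0]-1].Open(nil, ct[1:1+nonceLen], ct[1+nonceLen:], ct[:1])
}

// Cutover: rotate, move every stored record onto the new key, and only then
// deactivate the previous key, so no record is ever left unreadable.
func (kr *Keyring) Cutover(records [][]byte) error {
	kr.Rotate()
	for i, ct := range records {
		plain, err := kr.Decrypt(ct)
		if err != nil {
			return err
		}
		records[i] = kr.Encrypt(plain)
	}
	kr.keys[len(kr.keys)-2] = nil
	return nil
}
```

After Cutover returns, any copy of a record still carrying the old version byte fails to decrypt, which is the behaviour to expect (and to plan for) once the old key has been deactivated.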
