Suitable key management procedures must be defined and implemented by the user. In some cases key management requirements are dictated by card schemes or other authorities such as a central bank. Also some aspects of key management, such as the replacement of terminal keys, may be automated within an application.
Key Generation
Where the HSM is used to perform operations on keys that were not generated at an HSM, checks must be made to validate the quality of the external key generation system.
Recommendations for key generation are as follows:
1. Keys that are not generated by the HSM must be generated using a good random number generator.
2. The random number generator used for external key generation must be subject to statistical testing.
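As an added illustration, not part of this manual, the Python below applies two NIST SP 800-22 statistical tests (the frequency/monobit test and the runs test) to a block of externally generated key material, using the suite's 0.01 significance level as the acceptance threshold. The sample inputs are constructed; the alternating pattern shows why a single test is not sufficient, since it is perfectly balanced yet obviously non-random.

```python
import math
from typing import Dict, List

# Significance level used by NIST SP 800-22: a p-value below this fails the test.
ALPHA = 0.01


def bytes_to_bits(data: bytes) -> List[int]:
    """Expand key material into a list of 0/1 values, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_p_value(bits: List[int]) -> float:
    """NIST SP 800-22 frequency (monobit) test: are ones and zeros balanced?"""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)  # +1 for each one bit, -1 for each zero bit
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(bits: List[int]) -> float:
    """NIST SP 800-22 runs test: does the sequence oscillate like a random one?"""
    n = len(bits)
    pi = sum(bits) / n
    # Prerequisite frequency check: a badly unbalanced sequence fails outright.
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])  # number of runs
    num = abs(v_n - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def assess_key_material(data: bytes) -> Dict[str, object]:
    """Run both tests on externally generated key material and report the
    p-values plus an overall accept/reject verdict (both tests must pass)."""
    bits = bytes_to_bits(data)
    p_mono = monobit_p_value(bits)
    p_runs = runs_p_value(bits)
    return {"monobit_p": p_mono, "runs_p": p_runs,
            "accept": p_mono >= ALPHA and p_runs >= ALPHA}


# Constructed samples for illustration only (not real keys).
ALL_ZERO = bytes(128)              # 1024 zero bits: fails both tests
ALTERNATING = bytes([0x55]) * 128  # 0101...: balanced, so monobit passes, but runs fails

if __name__ == "__main__":
    import secrets  # an OS CSPRNG sample, expected to pass both tests
    for name, sample in [("all-zero", ALL_ZERO), ("alternating", ALTERNATING),
                         ("os-csprng", secrets.token_bytes(128))]:
        print(name, assess_key_material(sample))
```

The full SP 800-22 suite has further tests (e.g. longest run, serial, approximate entropy); these two are the minimum sanity check an auditor would expect to see evidence of, and they are meaningful only on samples of at least a few hundred bits.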
Protection of Key Material
Protection of keys is critical to the security of the system in which the HSM operates. Recommendations for the protection of key material are as follows:
1. Keys must not be shared with untrusted parties. This is particularly important for the LMK.
2. Untrusted keys must not be loaded or used. This is particularly important for the LMK.
3. Unencrypted key material such as ZMK components must be distributed in a physically secure manner.
4. A trusted individual must be assigned responsibility for each and every unencrypted key component used in an HSM system.
5. Encryption of key material that is not subsequently subject to physical protection must be performed using an appropriately secure algorithm with a sufficiently large key length.
6. Encryption of key material that is not subsequently subject to physical protection must be performed using a physically secure key or one that is itself encrypted.
7. Procedures must exist such that in the event of key material compromise, keys are replaced as necessary.
8. Key components, whether plaintext or protected (e.g. LMK smart cards), must be held by separate authorised individuals.
Key Lifetime
All keys used within the system must be updated on a regular basis in a manner that is appropriate given:
1. Card scheme mandates or other requirements relevant to the application and environment in which the key is used.
2. The amount of data encrypted under the key.
3. The lifetime of the data that is encrypted under the key.
4. The sensitivity of data exposed and the financial risk if the key is compromised.
5. The function of the key (e.g. key encryption, data encryption, data authentication).
6. The probability of key exposure in environments external to the HSM.
Key Length
A suitable key length must be chosen, as appropriate given:
1. The function of the key (e.g. key encryption, data encryption, data authentication).
2. The amount of data encrypted under the key.
Key Material Usage
The following precautions should be taken:
1. Test key material must not be used in the production environment.
2. Keys must only be used for their defined purpose.