PIN Security Requirements:
8-1 Keys must be transferred either encrypted, as two or more full-length clear-text components, key shares, or within an SCD.
Clear-text key components/shares must be conveyed in SCDs or using tamper-evident, authenticable packaging.
- Where key components are transmitted in clear-text using pre-numbered, tamper-evident, authenticable mailers:
  - Components/shares must be conveyed using at least two separate communication channels, such as different courier services. Components/shares sufficient to form the key must not be conveyed using the same communication channel.
  - Details of the serial number of the package are conveyed separately from the package itself.
  - Documented procedures exist and are followed to require that the serial numbers be verified prior to the usage of the keying material.
- Where SCDs are used for conveying components/shares, the mechanisms or data (e.g., PIN) needed to obtain the key component/share from the SCD must be conveyed using a communication channel separate from the one used for the SCD, or must be conveyed in the same manner as a paper component. SCDs must be inspected for signs of tampering.
- Where an SCD (i.e., HSM or KLD) is conveyed with pre-loaded secret and/or private keys, the SCD must require dual-control mechanisms to become operational. Those mechanisms must not be conveyed using the same communication channel as the SCD. SCDs must be inspected for signs of tampering.
Note: Components/shares of encryption keys must be conveyed using different communication channels, such as different courier services. It is not sufficient to send key components/shares for a specific key on different days using the same communication channel.
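The requirement speaks of "full-length clear-text components" without saying how they combine. The example below is added here and is not part of the PCI PIN standard; it assumes the common construction in which each component is a random value the full length of the key and the key is the bitwise XOR of all components. With that construction every component is needed, and any set short of the full set is consistent with every possible key, which is why components sufficient to form the key must never travel together on one channel. The key value is constructed for illustration.

```python
"""Full-length XOR key components (added example, not from the PCI PIN standard).

Assumption: components are full-length and combined by bitwise XOR.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split `key` into n full-length components whose XOR equals `key`.

    The first n-1 components are fresh random values; the last is chosen so the
    XOR of all n reproduces the key. Every component has the key's full length.
    """
    if n < 2:
        raise ValueError("need at least two components")
    comps = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in comps:
        last = xor_bytes(last, c)
    return comps + [last]


def combine_components(comps: list[bytes]) -> bytes:
    """Recombine components; only the complete set yields the key."""
    if not comps:
        raise ValueError("no components")
    out = bytes(len(comps[0]))
    for c in comps:
        out = xor_bytes(out, c)
    return out


def completing_component(partial: list[bytes], candidate_key: bytes) -> bytes:
    """Given an incomplete set of components and ANY candidate key, return the
    single remaining component that would make the set combine to that key.

    Because such a component always exists, an incomplete set carries no
    information about which key was actually split: a single channel that
    carries fewer components than needed learns nothing.
    """
    return xor_bytes(combine_components(partial), candidate_key)


if __name__ == "__main__":
    key = bytes(range(16))  # constructed 128-bit key, illustration only
    comps = split_key(key, 3)
    assert combine_components(comps) == key
    # Two components in hand: both the real key and an all-zero key are
    # equally consistent with what the holder has seen.
    for cand in (key, bytes(16)):
        assert combine_components(comps[:2] + [completing_component(comps[:2], cand)]) == cand
    print("3-of-3 split verified; partial set is consistent with any key")
```

The last function is the point of the exercise: a custodian or courier holding n-1 of n components can complete them to any key at all, so the XOR scheme only protects the key if the separation rules in 8-1 keep the full set off any single channel and away from any single person.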
Testing Procedures:
8-1.a Determine whether keys are transmitted encrypted, as clear-text components/shares, or within an SCD.
8-1.b If key components are transmitted in clear text using pre-numbered, tamper-evident, authenticable packaging, perform the following:
- Examine documented procedures for sending components in tamper-evident, authenticable packaging to verify that:
  - They define how the details of the package serial number are to be transmitted.
  - There is a requirement that the package serial number is to be sent separately from the package itself.
  - Each component is to be sent to/from only the custodian(s) authorized for the component.
  - At least two communication channels are used to send the components of a given key (not just separation by sending on different days).
  - Prior to the use of the components, the serial numbers are to be confirmed.
- Confirm through observation, interview, and inspection of the records of past key transfers that the process used to transport clear-text key components using pre-numbered, tamper-evident, authenticable packaging is sufficient to ensure:
  - The package serial number was transmitted as prescribed.
  - The details of the serial number of the package were transmitted separately from the package itself.
  - At least two communication channels were used to send the components of a given key (not just separation by sending on different days).
  - Each component was sent to/from only the custodian(s) authorized for the component.
  - Prior to the use of the component, the serial number was confirmed.
8-1.c Where SCDs are used to convey components/shares:
- Examine documented procedures to verify that the mechanism to obtain the keying material (e.g., PIN) is conveyed using a separate communication channel from the associated SCD.
- Examine documented procedures to verify that each SCD is inspected to ensure that there are not any signs of tampering.
- Examine the chain-of-custody document for the SCDs and any transport logs to ensure the movement of each device is tracked and that there is evidence that the SCDs and dual-control mechanisms were separated sufficiently to ensure that no one person gained access to the SCDs and both SCD enablers.
8-1.d Where an SCD is conveyed with pre-loaded secret and/or private keys, perform the following:
- Examine documented procedures to verify that the SCD requires dual-control mechanisms to become operational.
- Examine the documented procedures to ensure the method of shipment of the SCD and dual-control mechanisms (e.g., smart cards or passphrases) are separated in a way that ensures there is no opportunity for one person to gain access to the SCD and both authorization mechanisms (e.g., both smartcards, etc.).
- Examine documented procedures to verify that the SCD is inspected to ensure there are no signs of tampering.
- Examine records of key transfers and interview responsible personnel to verify the mechanisms that make the SCD operational are conveyed using separate communication channels.
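An assessor working through 8-1.b, 8-1.c and 8-1.d is checking a small number of mechanical conditions against transfer records: no single channel carried components sufficient to form the key (dates do not count as separation), every package serial number travelled separately from its package, each item went only to an authorized custodian, and an SCD's dual-control enablers were separated from the SCD by channel and by person. The script below is an added example of those checks run over constructed transfer records; it is not an assessor tool from the standard, and the record layout, field names, custodian names and channel names are assumptions chosen for illustration.

```python
"""Audit of key-conveyance records (added example; record layout, field names
and the sample records are constructed assumptions, not part of the standard)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conveyance:
    key_id: str          # key or SCD the item belongs to
    item: str            # "component-N", "scd", or "enabler-X"
    channel: str         # channel carrying the package, e.g. a courier name
    date: str            # ship date; deliberately ignored for separation
    serial: str          # package serial number
    serial_channel: str  # channel on which the serial number was conveyed
    recipient: str       # custodian who received the item


def audit_conveyances(records, components_to_form, authorized):
    """Return a list of findings; an empty list means all checks passed.

    components_to_form: key_id -> number of components sufficient to form it
    authorized: (key_id, item) -> set of custodians allowed to receive it
    """
    findings = []
    by_key = {}
    for r in records:
        by_key.setdefault(r.key_id, []).append(r)

    for key_id, items in by_key.items():
        # 1. No single channel may carry components sufficient to form the key.
        #    Sending on different days via the same courier is still one channel.
        per_channel = {}
        for r in items:
            if r.item.startswith("component-"):
                per_channel.setdefault(r.channel, set()).add(r.item)
        need = components_to_form.get(key_id)
        for channel, names in per_channel.items():
            if need is not None and len(names) >= need:
                findings.append(f"{key_id}: channel {channel!r} carried components "
                                f"sufficient to form the key {sorted(names)}")
        # 2. Serial number conveyed separately; 3. recipient authorized.
        for r in items:
            if r.serial_channel == r.channel:
                findings.append(f"{key_id}/{r.item}: serial {r.serial} sent via "
                                f"the same channel as the package")
            allowed = authorized.get((key_id, r.item))
            if allowed is not None and r.recipient not in allowed:
                findings.append(f"{key_id}/{r.item}: recipient {r.recipient!r} "
                                f"is not an authorized custodian")
        # 4. SCD and its dual-control enablers separated by channel and person.
        scds = [r for r in items if r.item == "scd"]
        enablers = [r for r in items if r.item.startswith("enabler-")]
        for scd in scds:
            for e in enablers:
                if e.channel == scd.channel:
                    findings.append(f"{key_id}/{e.item}: enabler sent via the "
                                    f"same channel as the SCD")
            if enablers and all(e.recipient == scd.recipient for e in enablers):
                findings.append(f"{key_id}: {scd.recipient!r} received the SCD "
                                f"and every enabler")
    return findings


# Constructed sample records: K1 is compliant, K2 relies on different days
# only, K3 is an SCD shipped with an enabler on the same channel.
SAMPLE_RECORDS = [
    Conveyance("K1", "component-1", "courierA", "2024-03-01", "S1001", "phone", "alice"),
    Conveyance("K1", "component-2", "courierB", "2024-03-01", "S1002", "phone", "bob"),
    Conveyance("K2", "component-1", "courierA", "2024-03-02", "S2001", "phone", "carol"),
    Conveyance("K2", "component-2", "courierA", "2024-03-09", "S2002", "phone", "carol"),
    Conveyance("K3", "scd", "courierA", "2024-03-05", "S3001", "courierA", "erin"),
    Conveyance("K3", "enabler-A", "courierB", "2024-03-05", "S3002", "phone", "frank"),
    Conveyance("K3", "enabler-B", "courierA", "2024-03-06", "S3003", "phone", "erin"),
]
COMPONENTS_TO_FORM = {"K1": 2, "K2": 2}
AUTHORIZED = {
    ("K1", "component-1"): {"alice"}, ("K1", "component-2"): {"bob"},
    ("K2", "component-1"): {"carol"}, ("K2", "component-2"): {"dave"},
}


def run_sample():
    """Audit the constructed records and return the findings."""
    return audit_conveyances(SAMPLE_RECORDS, COMPONENTS_TO_FORM, AUTHORIZED)


if __name__ == "__main__":
    for f in run_sample():
        print("FINDING:", f)
```

On the sample data the audit reports four findings: K2's components both went through courierA (the week between shipments does not help), K2's second component reached a custodian not authorized for it, K3's package serial travelled with the package, and K3's enabler-B shared a channel with the SCD. K1 produces nothing, which is what a compliant transfer record looks like under these checks.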