We need a key management system to meet PCI DSS (Payment Card Industry Data Security Standards) requirements. We would prefer leveraging an existing open source project that either meets or can be modified to meet our requirements (e.g. StrongKey - [login to view URL], keepassx - [login to view URL], others - [login to view URL], [login to view URL]).
We use symmetric keys and want key generation and machine-to-machine communication of keys so that personnel are not exposed to keys.
Development of the requirements from scratch is not encouraged.
The ideal system would run on a Linux server. We do not require a specific language but prefer JAVA first, then C++.
This system would need to do the following:
1) Generate secure keys on demand for AES (currently 256-bit) encryption that meet the standards of the PCI DSS
2) Store keys securely with encryption and password protection at least as strong as AES 256-bit encryption
3) Transmit those keys via a secure connection (ie. SSL or HTTPS) to specified servers that would actually do the encrypting of files. This transmission would be on-demand, although we would eventually create a scheduler to distribute keys on a periodic basis.
4) Transmit keys via a secure connection to specified servers used to decrypt files
5) Maintain a record of keys so that we can track keys by date and a 3-character code used to identify encryption algorithm or other data needed to decrypt files successfully. In our scheme, keys would be distributed throughout the company based on either periodic key retirement dates or whenever the key was suspected of being compromised. Each file would be tagged with the date of the key used for encryption (and a code for future use that would further identify the key and possibly algorithm or other encryption details.) Our decryption routine would choose which key to use based on the date and code associated with the key.
6) (this is possibly optional right now) Generate an encrypted XML file that serves as the configuration file for our server applications. The XML file would include the encryption key.
7) Maintain user profiles consistent with PCI standards.
8) Automatically create an encrypted backup file stored in a configurable location. The objective is to ensure that the keys are backed up easily and can be recovered by the application when needed.
Background: We create many files for our customers that are stored over long periods of time. These files are created on servers that are usually located at the customers
Deliverables must include source code, documentation and requirements for installation and configuration.
To bid, please list any experience you have with key management and a description of the existing libraries - if any - you will use.
I have around 6 years of experience in writing code for key generation/encryption/decryption/digital gignatures/SAML etc... in C++ and java. Please check PMB.