PCI Requirement 3.6.6 – Using Split Knowledge & Dual Control

by Randy Bartels / July 28th, 2017

PCI Requirement 3.6.6 is one requirement that both assessors and clients struggle to understand. PCI Requirement 3.6.6 states, “If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.”

What is split knowledge?

The PCI DSS explains split knowledge as, “Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of the original cryptographic key.”

What is dual control?

The PCI DSS defines dual control as, “Dual control requires two or more people to perform a function, and no single person can access or use the authentication materials of another.”

Why use both?

Although PCI Requirement 3.6.6 confuses many assessors and clients, both split knowledge and dual control must be used to comply with this requirement. The PCI DSS explains, “Split knowledge and dual control of keys are used to eliminate the possibility of one person having access to the whole key. This control is applicable for manual key-management operations, or where key management is not implemented by the encryption product.”

If you’re using a clear text key management program in order to create your encryption keys, it’s required that you use split knowledge and dual control. This is one requirement that many assessors have gotten wrong for many years, including myself. This is one requirement that we see a lot of clients struggle to understand. Taking an encryption key and splitting it in half (giving half to one person and half to another), is not split knowledge and dual control. It might be dual control, but it’s not split knowledge. When we look at the definition of split knowledge and dual control, dual control means that it takes more than one individual to create this key rotation ceremony. When we look at split knowledge, it says that when we create the key, no one individual has any knowledge of the resulting key. Where you take these two key halves and one person gets one half and another person gets the other half, that one individual only knows what their half of that key is.

If you are developing or using a clear text key management program, what we recommend that you do is have some XOR process. You have Key Custodian A and Key Custodian B that has, if you’re going to create an 128 bit key, each individual has 128 bits of a key seed. Those two individuals come together and input their key into their application or their key seed into the application. The application then goes through a process of XOR those two values together, then outputs the encryption key that nobody knows. If this is a struggle for you or you need a better understanding of what clear text management program looks like, give me a call or talk to your assessor – they’ll be more than happy to help you understand what a clear text management program really looks like.