    Encryption vs Tokenisation: Presentation Transcript

    • Slide 1: Encryption vs Tokenisation
      Witham Laboratories
      1/842 High Street, East Kew 3102, Melbourne, Australia
      Ph: +61 3 9846 2751, Fax: +61 3 9857 0350
      Rambla de Catalunya 38, 8 planta, 08007 Barcelona, Spain
      Ph: +34 93 184 27 88
      Email: lab@withamlabs.com
      PCI PTS, PCI PIN, PCI DSS, PA-DSS
      Building Confidence in Payment Systems
    • Slide 2: Agenda
      • Protecting Cardholder Data
      • Cryptography and Tokenisation 101
      • What’s the difference?
      • Format Preserving Encryption
      • P2PE and TRSM Standards 101
      • Australian P2PE Implementations
      • PCI SSC P2PE Activity
      • Auditing Encryption and Tokenisation
    • Slide 3: Protecting Cardholder Data
      • PCI DSS scope = all systems which store/process/transmit card data
      • Render sensitive elements inaccessible
        – PAN, track data, online PIN block, CVV2
        – Req. 3.4 (storage), 4.1 (transmission)
      • Prevents exposure of card data
        – Comms / storage does not reveal card data
        – Prevents line tapping / memory attacks
      • Encryption & tokenisation referenced
    • Slide 4: Cryptography 101
      • Encryption is a keyed reversible function
        – Output ‘looks’ different to input data
        – Generally encrypts data in ‘blocks’
      • Use standardised encryption algos
        – AES, TDES, ECC, RSA
      • Security is dependent on the ‘key’
        – The key is just a ‘big’ number
        – Good key management is vital
      • ‘Attack surface’ = key and use of key
    • Slide 5: Tokenisation 101
      • Replace PAN with a ‘reference number’
        – Same format, ‘looks’ like card data
      • PAN not necessary after the transaction
        – Token can be used instead
        – Minimises access to card data
      • Tokenisation system can ‘restore’ PAN
        – Tokenisation is a reversible process
      • How is this done?
    • Slide 6: Tokenisation 101
      • Lots of different tokenisation methods
        – Cryptography, look-up, proprietary
        – What are the pros / cons of each???
        – Beware systems based on global secrets
          • Exploit one system, expose many
      • ‘Attack surface’ depends on:
        – Method of tokenisation used
        – Systems involved in tokenisation method
      • Tokenisation and encryption share some similarities …
    • Slide 7: Encryption - Visualisation
      Encryption maps a value from the input domain to a value in the output domain
      [Figure: Input domain (0 … 2^(block size)) → Encryption Algo, with Key → Output domain (0 … 2^(block size))]
    • Slide 8: Encryption - Visualisation
      Different input values have different output values, based on the value and the key
      [Figure: same mapping diagram, with Key]
    • Slide 9: Encryption - Visualisation
      Changing the key changes the output values for the same input values
      [Figure: same mapping diagram, now with Key 2]
    • Slide 10: Encryption - Visualisation
      The key, and the use of the key, define the attack surface – the algorithm is public
      [Figure: same mapping diagram, with Key 2]
    • Slide 11: Tokenisation - Visualisation
      Tokenisation is similar – input values mapped to output values based on secret(s)
      [Figure: Input domain (Lowest PAN value … Highest PAN value) → Tokenisation System (?? Key / DB / Server) → Output domain (Lowest PAN value … Highest PAN value)]
    • Slide 12: Tokenisation - Visualisation
      Here the attack surface is not as well defined – it may be a key, DB, server, or other
      [Figure: same tokenisation diagram]
    • Slide 13: What’s the difference?
      • Similarities?
        – 1:1 reversible mapping of input ↔ output
        – Security dependent on secret(s)
      • Differences? For encryption:
        – Lots of study, security standards/products
        – Well known attack methods & mitigations
        – May not ‘play nice’ with existing systems
      • Tokenisation: no standards, little study
        – But compatible … Compromise?
    • Slide 14: Format Preserving Encryption
      • ‘Normal’ encryption assumes all data is unformatted binary data
        – Any formatting is ‘lost’ during encryption
      • Problem for format dependent systems
        – Eg databases, existing protocols, data capture devices (eg PINPads)
      • Format preserving encryption (FPE) = encryption without loss of formatting
      • Combines encryption & tokenisation
    • Slide 15: FPE Common Features
      • Feistel cipher construction
        – Round function = AES, Triple DES
      • Systems may modify inputs for each round
        – Round fn. output trunc’d to FPE block size
        – Remap input/round fn. output as required
      • Encrypt with multiple Feistel rounds
        – # rounds, re-mapping – depends on cipher
      • These details can be important …
        – May only encrypt middle digits of a PAN
          • Ensures card type and Luhn check still valid
    • Slide 16: Feistel Cipher
      [Figure: Feistel round diagram, for any round ‘n’. Repeat as necessary …]
    • Slide 17: FPE Algorithm Example
      EG: Encrypt PAN 4123456789012349
      • Keep first digit (card type)
      • Discard Luhn check
      [Diagram: encryption of the remaining digits with Mod10 addition]
      • Restore first digit
      • Recalculate Luhn check
      Output PAN = 4748232137547657
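    The slide 15 to 17 procedure worked through in code, as an added example that is not from the original presentation: a toy alternating Feistel cipher over decimal digits with mod-10 addition, in which HMAC-SHA256 stands in for the AES/TDES round function and no published FPE standard is implemented. The key, the round count and the use of HMAC are assumptions; the PAN is the one from slide 17, and the token differs from the slide's output because the slide's key is not given.

```python
import hashlib
import hmac

def luhn_check_digit(payload):
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(pan):
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]

def round_fn(key, rnd, half, width):
    """Keyed round function remapped to `width` decimal digits. HMAC-SHA256 stands
    in for the AES / TDES round function of slide 15 (an assumption of this
    example); reducing it mod 10^width is the 'truncate and remap' step."""
    data = bytes([rnd]) + "".join(map(str, half)).encode()
    n = int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big")
    return [int(c) for c in str(n % 10 ** width).zfill(width)]

def feistel_digits(key, digits, rounds=8, decrypt=False):
    """Alternating Feistel network over decimal digits with mod-10 addition;
    decryption runs the same rounds backwards with mod-10 subtraction."""
    cut = len(digits) // 2
    L = [int(c) for c in digits[:cut]]
    R = [int(c) for c in digits[cut:]]
    order = range(rounds - 1, -1, -1) if decrypt else range(rounds)
    sign = -1 if decrypt else 1
    for i in order:
        if i % 2 == 0:            # even round: L = L + F(R)
            f = round_fn(key, i, R, len(L))
            L = [(a + sign * b) % 10 for a, b in zip(L, f)]
        else:                     # odd round: R = R + F(L)
            f = round_fn(key, i, L, len(R))
            R = [(a + sign * b) % 10 for a, b in zip(R, f)]
    return "".join(map(str, L + R))

def fpe_pan(key, pan, decrypt=False):
    """Slide 17 procedure: keep the first digit (card type), drop the Luhn digit,
    run the Feistel cipher over the middle digits, restore the first digit and
    recalculate the Luhn check so the result still passes a card-format check."""
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    body = pan[0] + feistel_digits(key, pan[1:-1], decrypt=decrypt)
    return body + luhn_check_digit(body)

if __name__ == "__main__":
    KEY = b"constructed demo key, not a real one"      # assumption
    token = fpe_pan(KEY, "4123456789012349")          # PAN from slide 17
    print(token, luhn_valid(token), fpe_pan(KEY, token, decrypt=True))
```

    The token keeps the card-type digit and passes a Luhn check, which is exactly why a downstream system cannot tell it from a real PAN and why the auditor questions on slide 27 matter.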
    • Slide 18: Encryption Implementations
      • FPE most often used in (DB) servers
        – Provides ‘transparent’ encryption and used for tokenisation
      • FPE increasingly a feature in PINPad SW
        – Also in encrypting MSRs, credit terminals
        – Encrypt data without ‘breaking’ POS SW
      • Encryption of comms for PCI DSS
        – Called ‘Point to Point Encryption’ (P2PE)
        – FPE not always used / required
        – What standards exist?
    • Slide 19: P2PE Standards 101
      • ISO 10894* – “Procedures for Message Encipherment”
      • ANSI X9.119* – “Protection of Sensitive Data between Device and Acquiring System”
      • PCI SSC: PTS v3 ‘SRED’ & P2PE reqs*
      • Localised/industry associations and SIGs
        • SPVA, ATMIA, PCI SIGs, Visa & MC, AS2805.9
      • Secure HW (TRSM) is often required
    • Slide 20: TRSM Standards 101
      • FIPS140-2: Four approval levels (1 – 4)
        – L1 generally for SW only – no HW security
        – L2 some tamper evident HW security
        – L3 provides some tamper response
        – L4 full security envelope (hardest level)
      • PCI PTS (previously PCI PED)
        – v1 & v2 = PIN security only, v3 has SRED
      • APCA PED covers PIN security
        – From 2010 requires AS2805.9 keys
    • Slide 21: Australian EFTPOS Standard(s)
      • AS2805 = Aus. Standard for EFTPOS
        – Key management, encryption, message formats, payment processing
        – Each bank has their own ‘interpretation’
      • AS2805.9 defines message encryption
        – AS2805.6.x defines key management
        – Unique per transaction (AS2805.6.2)
        – Unique each day / 256 trans (AS2805.6.4)
        – AS2805.6.5.3 for RSA key loading
      • Watch your key lengths!
    • Slide 22: AS2805.9
      • Encryption of each EFTPOS message
        – Extract non-sensitive elements
        – Encrypt whole message with TDES OFB
          • Stream mode of TDES; XOR with key stream (not FPE)
        – Replace non-sensitive elements and send
      • Things to be aware of:
        – OFB: same key = same key stream
        – Same key stream on different transactions allows for recovery of transmitted data
        – AS2805.6.4 keeps same key for many trans
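    The slide 22 caveat demonstrated, as an added example that is not from the original presentation: a small OFB implementation whose block function is an HMAC-SHA256 stand-in for TDES (constructed, not the real AS2805.9 cipher), plus the check an auditor can reason with: when two messages are enciphered under one key stream, the XOR of the ciphertexts equals the XOR of the plaintexts, whereas a fresh key per transaction removes that relationship. The message layout, keys and IV are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8   # TDES block size in bytes

def block_encrypt(key, block):
    """Stand-in for the TDES block encryption used by AS2805.9 OFB: a keyed PRF
    (HMAC-SHA256) truncated to the 8-byte TDES block size. Constructed for this
    example, not the real cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ofb_keystream(key, iv, length):
    """OFB mode feeds each output block back in as the next cipher input, so the
    key stream depends only on (key, iv) and never on the message being sent."""
    out, prev = b"", iv
    while len(out) < length:
        prev = block_encrypt(key, prev)
        out += prev
    return out[:length]

def ofb_xor(key, iv, data):
    """Encrypt and decrypt are the same operation: XOR the data with the key stream."""
    return bytes(a ^ b for a, b in zip(data, ofb_keystream(key, iv, len(data))))

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def shares_keystream(key_a, iv_a, msg_a, key_b, iv_b, msg_b):
    """The property behind slide 22: XORing two ciphertexts cancels a shared key
    stream and leaves plaintext XOR plaintext. Returns True when that happens."""
    c_a, c_b = ofb_xor(key_a, iv_a, msg_a), ofb_xor(key_b, iv_b, msg_b)
    return xor_bytes(c_a, c_b) == xor_bytes(msg_a, msg_b)

# Constructed sample values: two EFTPOS-style messages, keys and a fixed IV
# (the slide's "same key = same key stream" statement treats the IV as fixed).
MSG_A = b"0200 4123456789012349 000000010000"
MSG_B = b"0200 4748232137547657 000000002500"
SESSION_KEY = b"constructed AS2805.6.4-style session key"
TXN_KEY_1 = b"constructed AS2805.6.2-style key for transaction 1"
TXN_KEY_2 = b"constructed AS2805.6.2-style key for transaction 2"
IV = bytes(BLOCK)

def same_key_many_transactions():
    """AS2805.6.4 style: one key (hence one key stream) reused across transactions."""
    return shares_keystream(SESSION_KEY, IV, MSG_A, SESSION_KEY, IV, MSG_B)

def unique_key_per_transaction():
    """AS2805.6.2 style: a fresh key per transaction, so the key streams differ."""
    return shares_keystream(TXN_KEY_1, IV, MSG_A, TXN_KEY_2, IV, MSG_B)

if __name__ == "__main__":
    print("same key leaks plaintext XOR:", same_key_many_transactions())    # True
    print("unique key leaks plaintext XOR:", unique_key_per_transaction())  # False
```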
    • Slide 23: PCI SSC P2PE Activity
      • Released ‘Initial Roadmap: P2PE Technology and PCI DSS Compliance’
        – Referenced SRED standard for devices
        – Discussed release of audit reqs in 2011
        – Development is ongoing (under NDA)
      • What can I talk about?
        – SRED is designed for securing card data
        – PCI PIN reqs cover key management
        – 2011 will be an interesting year …
    • Slide 24: What is SRED?
      • SRED stands for “Secure Reading and Exchange of Data”
        – “Data” refers to Card Holder Data
      • A module of the PCI PTS v3.0 standard
        – PTS = PIN Transaction Security
      • Applies to devices that provide “account data protection” functionality
        – Encryption at Point Of Interaction (POI)
      • Expect to hear more about SRED soon
    • Slide 25: SRED Device Block Diagram
      [Figure: SRED device block diagram]
    • Slide 26: Audit of Encryption Solutions
      • What encryption algo & modes?
        – Beware anything not AES, TDES, ECC, RSA
        – Key management – who and how?
          • Dual control and split knowledge
          • Unique keys per device/use
          • Key sizes and IVs for stream cipher modes
      • Encryption in TRSM? What standard?
        – Are you sure?? HW, FW, App, context
      • Where is plaintext card data accessible?
        – All possible inputs / outputs? Whitelists?
    • Slide 27: Tokenisation Auditing
      • How is the tokenisation performed?
        – (Non) Random? Encryption? Details!
        – What is the attack surface of this method?
          • Key, algorithm, DB, system, network, etc
          • Does one exploit result in multiple exposures?
      • Security of tokenisation system
        – At least as per PCI DSS reqs 1.x and 2.x
      • FPE methods used for tokenisation?
        – Refer encryption reqs. Ask for details!
        – Ask for evidence of peer review output
    • Slide 28: Questions?
      For further information please contact
      Andrew Jamieson, Technical Manager, Witham Laboratories
      Email: andrew.jamieson@withamlabs.com
      Phone: +61 3 9846 2751