The document is a slide presentation (Witham Laboratories, Andrew Jamieson) on encryption and tokenisation for protecting cardholder data. It explains what the two have in common, both map input values 1:1 to output values under a secret, and where they differ: encryption uses a standardised, keyed, reversible algorithm whose attack surface is the key, while tokenisation may use cryptography, a look-up table or a proprietary method, so its attack surface may be a key, a database or a server. It also covers format preserving encryption (FPE) built from Feistel rounds, the AS2805 standards used for Australian EFTPOS, the related standards for point-to-point encryption (P2PE) and tamper-resistant security modules (TRSMs), and what to ask when auditing an encryption or tokenisation solution.
Encryption vs tokenisation (for share)
1. Encryption vs Tokenisation
Witham Laboratories
1/842 High Street, East Kew 3102, Melbourne, Australia. Ph: +61 3 9846 2751, Fax: +61 3 9857 0350
Rambla de Catalunya 38, 8 planta, 08007 Barcelona, Spain. Ph: +34 93 184 27 88
Email: lab@withamlabs.com
PCI PTS, PCI PIN, PCI DSS, PA-DSS
Witham Laboratories: Building Confidence in Payment Systems. Slide No. 1
2. Agenda
- Protecting Cardholder Data
- Cryptography and Tokenisation 101
- What's the difference?
- Format Preserving Encryption
- P2PE and TRSM Standards 101
- Australian P2PE Implementations
- PCI SSC P2PE Activity
- Auditing Encryption and Tokenisation
3. Protecting Cardholder Data
- PCI DSS scope = all systems which store, process or transmit card data
- Render the sensitive elements inaccessible: PAN, track data, online PIN block, CVV2
- Req. 3.4 (PAN in storage; note that track data, PIN blocks and CVV2 may not be stored after authorisation at all, Req. 3.2), Req. 4.1 (transmission)
- Prevents exposure of card data: comms and storage do not reveal card data, which defeats line tapping and memory-scraping attacks
- Both encryption and tokenisation are referenced as ways to achieve this
4. Cryptography 101
- Encryption is a keyed, reversible function
- Output 'looks' different to the input data
- Generally encrypts data in 'blocks'
- Use standardised encryption algorithms: AES, TDES, ECC, RSA
- Security is dependent on the 'key'; the key is just a 'big' number
- Good key management is vital
- 'Attack surface' = the key and the use of the key
5. Tokenisation 101
- Replace the PAN with a 'reference number' (the token)
- Same format: the token 'looks' like card data
- The PAN is not necessary after the transaction; the token can be used instead
- Minimises access to card data
- The tokenisation system can 'restore' the PAN, so tokenisation is a reversible process
- How is this done?
6. Tokenisation 101 (continued)
- Lots of different tokenisation methods: cryptography, look-up table, proprietary
- What are the pros and cons of each?
- Beware systems based on global secrets: exploit one system, expose many
- The 'attack surface' depends on the method of tokenisation used and on the systems involved in that method
- Tokenisation and encryption share some similarities ...
7. Encryption - Visualisation
Encryption maps a value from the input domain to a value in the output domain.
(Diagram: Encryption Algo, parameterised by Key, between an input domain and an output domain, each running from 0 to 2^(block size).)
8. Encryption - Visualisation
Different input values have different output values, based on the value and the key.
(Same diagram.)
9. Encryption - Visualisation
Changing the key (Key 2) changes the output values for the same input values.
(Same diagram with Key 2.)
10. Encryption - Visualisation
The key, and the use of the key, define the attack surface; the algorithm is public.
11. Tokenisation - Visualisation
Tokenisation is similar: input values are mapped to output values based on secret(s).
(Diagram: Tokenisation System between an input domain and an output domain, each running from the lowest PAN value to the highest PAN value; the secret is marked "??": Key, DB, Server.)
12. Tokenisation - Visualisation
Here the attack surface is not as well defined; it may be a key, a DB, a server, or something else.
13. What's the difference?
Similarities:
- 1:1 reversible mapping of input ↔ output
- Security dependent on secret(s)
Differences:
- Encryption: lots of study, security standards and products; well known attack methods and mitigations; may not 'play nice' with existing systems
- Tokenisation: no standards, little study; but compatible with existing systems ...
Compromise?
14. Format Preserving Encryption
- 'Normal' encryption assumes all data is unformatted binary data: any formatting is 'lost' during encryption
- This is a problem for format-dependent systems, e.g. databases, existing protocols, data capture devices (e.g. PINPads)
- Format preserving encryption (FPE) = encryption without loss of formatting
- Combines encryption and tokenisation
15. FPE Common Features
- Feistel cipher construction; round function = AES or Triple DES
- Systems may modify the inputs for each round
- Round function output is truncated to the FPE block size
- Input and round function output are remapped as required (e.g. between bytes and decimal digits)
- Encrypt with multiple Feistel rounds; the number of rounds and the re-mapping depend on the cipher. These details can be important ...
- May encrypt only the middle digits of a PAN: leaving the leading digits in clear keeps the card type recognisable, and the Luhn check digit is recalculated over the result (slide 19) so the output still passes the Luhn check
16. Feistel Cipher
(Diagram: one round of a Feistel cipher, "for any round n"; repeat as necessary ...)
17. (no text extracted from this slide)
18. (no text extracted from this slide)
19. Recalculate Luhn check
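The two tokenisation approaches from slides 5 and 6 (a look-up vault whose secret is the database, and a cryptographic method whose secret is a key) and the FPE construction from slides 14 to 19 (Feistel rounds over decimal digits, leading digits left in clear, Luhn check digit recalculated) are shown side by side below. This is an added example, not code from the Witham Laboratories deck or from any product it mentions. Assumptions: HMAC-SHA256 stands in for the AES or TDES round function, the 10-round alternating Feistel is an illustrative construction (not NIST FF1/FF3), the key is a demo constant rather than one held in a TRSM, and 4111111111111111 is the well-known test card number.

```python
"""Added example (not from the Witham Laboratories deck): two same-format PAN
tokenisers, a look-up vault (secret = the DB) and a Feistel FPE (secret = the key).
Assumptions: HMAC-SHA256 stands in for the AES/TDES round function; the 10-round
alternating Feistel is illustrative, not NIST FF1/FF3 or any vendor product."""
import hashlib
import hmac
import secrets

BIN_LEN = 6   # leading digits left in clear: card type / issuer (slide 15)
ROUNDS = 10   # even, so the two halves finish in their original order


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test (slide 19)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)   # rightmost digit is doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed PRF of one half, remapped to `width` decimal digits (stand-in for AES/TDES)."""
    mac = hmac.new(key, tweak + bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def fpe_encrypt(digits: str, key: bytes, tweak: bytes = b"") -> str:
    """Unbalanced Feistel over a decimal string: output has the same length and alphabet."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else v   # width of the half being replaced this round
        c = (int(a) + _round_fn(key, tweak, rnd, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(digits: str, key: bytes, tweak: bytes = b"") -> str:
    """Runs the rounds backwards; modular subtraction undoes the addition."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, rnd, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def fpe_tokenise(pan: str, key: bytes) -> str:
    """Keep the BIN, encrypt the account digits, recompute the check digit."""
    if not luhn_valid(pan):
        raise ValueError("not a Luhn-valid PAN")
    bin_, body = pan[:BIN_LEN], pan[BIN_LEN:-1]
    enc = fpe_encrypt(body, key, tweak=bin_.encode())   # BIN bound in as a tweak
    return bin_ + enc + luhn_check_digit(bin_ + enc)


def fpe_detokenise(token: str, key: bytes) -> str:
    bin_, body = token[:BIN_LEN], token[BIN_LEN:-1]
    dec = fpe_decrypt(body, key, tweak=bin_.encode())
    return bin_ + dec + luhn_check_digit(bin_ + dec)


class VaultTokeniser:
    """Look-up tokenisation: the token is random and the table is the secret,
    so one compromise of the DB exposes every PAN it holds (slide 6)."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]          # stable token per PAN
        while True:
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - BIN_LEN - 1))
            partial = pan[:BIN_LEN] + body
            token = partial + luhn_check_digit(partial)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    key = b"demo-key-not-for-production"   # assumption: a real key lives in a TRSM
    pan = "4111111111111111"              # well-known test card number
    tok = fpe_tokenise(pan, key)
    print(tok, luhn_valid(tok), fpe_detokenise(tok, key) == pan)
    vault = VaultTokeniser()
    print(vault.tokenise(pan), vault.detokenise(vault.tokenise(pan)) == pan)
```

Both tokenisers produce a 16-digit, Luhn-valid number with the original BIN, so downstream systems cannot tell them apart; what differs is what an attacker must steal. For the vault it is the mapping table (and every PAN in it), for the FPE it is the key, which is why slide 28's key-management questions apply to FPE-based tokenisation and slide 29's database questions to the vault. The BIN is fed in as a tweak so the same account digits under two issuers do not encrypt to the same token.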
20. Encryption Implementations
- FPE is most often used in (DB) servers: provides 'transparent' encryption, and is used for tokenisation
- FPE is increasingly a feature in PINPad software, and also in encrypting MSRs and credit terminals: encrypt data without 'breaking' the POS software
- Encryption of comms for PCI DSS is called 'Point to Point Encryption' (P2PE); FPE is not always used or required
- What standards exist?
21. P2PE Standards 101
- ISO 10894* "Procedures for Message Encipherment"
- ANSI X9.119* "Protection of Sensitive Data between Device and Acquiring System"
- PCI SSC: PTS v3 'SRED' and P2PE requirements*
- Localised / industry associations and SIGs: SPVA, ATMIA, PCI SIGs, Visa and MasterCard, AS2805.9
- Secure hardware (a TRSM, tamper-resistant security module) is often required
22. TRSM Standards 101
- FIPS 140-2: four approval levels (1 to 4)
  - Level 1: generally for software only, no hardware security
  - Level 2: some tamper-evident hardware security
  - Level 3: provides some tamper response
  - Level 4: full security envelope (hardest level)
- PCI PTS (previously PCI PED): v1 and v2 = PIN security only; v3 adds SRED
- APCA PED covers PIN security; from 2010 it requires AS2805.9 keys
23. Australian EFTPOS Standard(s)
- AS2805 = the Australian Standard for EFTPOS: key management, encryption, message formats, payment processing
- Each bank has its own 'interpretation'
- AS2805.9 defines message encryption
- AS2805.6.x defines key management: unique key per transaction (AS2805.6.2); unique key each day / 256 transactions (AS2805.6.4); AS2805.6.5.3 for RSA key loading
- Watch your key lengths!
24. AS2805.9
- Encryption of each EFTPOS message: extract the non-sensitive elements, encrypt the whole message with TDES in OFB mode, then replace the non-sensitive elements and send
- OFB turns TDES into a stream cipher: the message is XORed with a keystream derived from the key and the IV (this is not FPE)
- Things to be aware of:
  - OFB: same key (and same IV) = same keystream
  - The same keystream on different transactions allows recovery of the transmitted data: the XOR of two ciphertexts is the XOR of the two plaintexts
  - AS2805.6.4 keeps the same key for many transactions
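The keystream-reuse problem on this slide, worked through as an added example (not code from the deck or from AS2805.9): two messages encrypted under the same OFB key and IV, an attacker who knows one of them (their own purchase at the same terminal), and the other message falling out of a XOR. Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for single-block TDES, which is all OFB needs since the keystream depends only on a deterministic keyed block function; the EFTPOS messages and key are constructed sample data, not real AS2805 messages.

```python
"""Added example (not from the deck or AS2805.9): recovering a message encrypted
with a reused OFB keystream. HMAC-SHA256[:8] stands in for single-block TDES;
the messages and key are constructed sample data."""
import hashlib
import hmac

BLOCK = 8   # TDES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K(block) with an 8-byte output (not real TDES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB: O_0 = IV, O_i = E_K(O_{i-1}), keystream = O_1 || O_2 || ...
    The keystream depends only on (key, IV), never on the plaintext."""
    out, o = bytearray(), iv
    while len(out) < length:
        o = block_encrypt(key, o)
        out += o
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encryption and decryption are the same operation in OFB."""
    return xor(plaintext, ofb_keystream(key, iv, len(plaintext)))


# Constructed sample messages: same length and field layout, as fixed-format
# EFTPOS messages from one terminal would be.
MSG_ATTACKER = b"0200|PAN=4111111111111111|AMT=000000001000|STAN=000101"
MSG_VICTIM = b"0200|PAN=5454545454545454|AMT=000000123456|STAN=000102"


def recover_with_reused_keystream(key: bytes, iv: bytes) -> bytes:
    """One key and IV for many transactions (the AS2805.6.4 situation on the
    slide). The attacker captures both ciphertexts on the line and knows the
    plaintext of their own transaction: C1 ^ C2 = P1 ^ P2, so P2 = C1 ^ C2 ^ P1."""
    c_attacker = ofb_encrypt(key, iv, MSG_ATTACKER)
    c_victim = ofb_encrypt(key, iv, MSG_VICTIM)
    return xor(xor(c_attacker, c_victim), MSG_ATTACKER)


def recover_with_unique_key(key_a: bytes, key_b: bytes, iv: bytes) -> bytes:
    """Same attack when each transaction has its own key (AS2805.6.2): the two
    keystreams differ, so the XOR no longer cancels them and only noise results."""
    c_attacker = ofb_encrypt(key_a, iv, MSG_ATTACKER)
    c_victim = ofb_encrypt(key_b, iv, MSG_VICTIM)
    return xor(xor(c_attacker, c_victim), MSG_ATTACKER)


if __name__ == "__main__":
    key, iv = b"demo-terminal-key", bytes(BLOCK)   # constructed, not a real TDES key
    print(recover_with_reused_keystream(key, iv))          # victim message in clear
    print(recover_with_unique_key(key, b"next-txn-key", iv))  # unreadable bytes
```

Nothing about TDES is being broken here; the weakness is entirely in reusing (key, IV), so swapping in a stronger block cipher does not help, while a unique key per transaction (AS2805.6.2) or at least a unique IV per message does. Even without a fully known message the attacker can recover the bytes of the victim message at every position where the attacker's own message is predictable, such as the fixed header and field separators.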
25. PCI SSC P2PE Activity
- Released 'Initial Roadmap: P2PE Technology and PCI DSS Compliance'
- Referenced the SRED standard for devices
- Discussed release of audit requirements in 2011
- Development is ongoing (under NDA)
- What can I talk about? SRED is designed for securing card data; the PCI PIN requirements cover key management
- 2011 will be an interesting year ...
26. What is SRED?
- SRED stands for "Secure Reading and Exchange of Data"; "Data" refers to cardholder data
- A module of the PCI PTS v3.0 standard (PTS = PIN Transaction Security)
- Applies to devices that provide "account data protection" functionality: encryption at the Point Of Interaction (POI)
- Expect to hear more about SRED soon
27. SRED Device Block Diagram
(Diagram only; no text extracted from this slide.)
28. Audit of Encryption Solutions
- What encryption algorithm and modes? Beware anything that is not AES, TDES, ECC or RSA
- Key management: who and how? Dual control and split knowledge; unique keys per device and per use; key sizes, and IVs for stream cipher modes
- Encryption in a TRSM? To what standard? Are you sure? Check the hardware, firmware, application and context
- Where is plaintext card data accessible? All possible inputs and outputs? Whitelists?
29. Tokenisation Auditing
- How is the tokenisation performed? (Non-)random? Encryption? Get the details!
- What is the attack surface of this method? Key, algorithm, DB, system, network, etc. Does one exploit result in multiple exposures?
- Security of the tokenisation system: at least as per PCI DSS requirements 1.x and 2.x
- FPE methods used for tokenisation? Refer to the encryption requirements. Ask for details!
- Ask for evidence of peer review output
30. Questions?
For further information please contact Andrew Jamieson, Technical Manager, Witham Laboratories
Email: andrew.jamieson@withamlabs.com
Phone: +61 3 9846 2751