The document summarizes security best practices presented in a tech talk at Stanford ACM. It discusses TrialPay's service overview, basics of securing data and systems, implementing two-factor authentication for VPN and SSH access, and best practices for securing credit card data in a vault. The presentation covers password security, encrypting sensitive data, access controls, backups, and other techniques for protecting online systems and user information.
2. Agenda
• TrialPay Overview
• Securing Your Startup: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
All Rights Reserved | Copyright 2011 2
3. TrialPay is a transactional advertising company
TrialPay presents consumers with relevant promotions before, during, and after transactions -- creating a network that allows our clients to gain access to millions of new customers and monetize their current visitors more effectively
4. Tracking online promotions to sales in-store via card-loaded offers
1 Promotion: Promote offline offers. Offers promoted across the web, mobile, & social media (incl. TrialPay network of 300M+ users)
2 Tracking: Users activate online. Users activate offers by submitting credit or debit card to attribute online source
3 Purchase: Track offline. Offer redemptions tracked in-store via registered card
4 Reward: Reward user. We credit user with their reward (e.g. statement credit, virtual currency, gift card) upon offer completion
6. Agenda
• TrialPay Overview
• Securing Your Data: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
7. Getting Started
• Google Apps Two-Factor Authentication (2FA)
• Amazon Web Services 2FA and ACLs
• Secure Wireless Network – per-user certs
• HTTPS for everything
8. Passwords
Reference: http://xkcd.com/936/
9. Passwords (cont’d)
• 14-character password minimums, but more never hurts!
• A basic GPU can try 16B password guesses per second
• Make sure shadow files are configured correctly (e.g. crypt-sha512 with 50K rounds, not the default DES or md5)
• GOOD:
$6$rounds=50000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21
• BAD: $1$DaqXb3sb$m84WH8wkxBVl2WvZQboia.:13530:0:99999:7:::
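An added audit helper (not from the deck) that applies the slide's GOOD/BAD criteria to shadow-format lines: sha512-crypt with at least 50K rounds passes, while DES, md5-crypt and low round counts are flagged. The two hashes are the slide's own examples; the other lines, user names and the "svc" hash are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in /etc/shadow layout (user:hash:lastchg:min:max:warn:...).
# "good" and "bad" carry the slide's hashes; "svc" is a made-up sha512-crypt
# entry that omits rounds=, "legacy" is DES crypt, "locked" has no password.
SAMPLE_SHADOW = """\
good:$6$rounds=50000$usesomesillystri$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21:13530:0:99999:7:::
bad:$1$DaqXb3sb$m84WH8wkxBVl2WvZQboia.:13530:0:99999:7:::
legacy:abJnggxhB/yWI:13530:0:99999:7:::
svc:$6$saltsaltsalt$QjcAHD0hv7h0G5Qzz0b5Qz4Vr3Sx6e2i2ZcD3w9bYGp7Yx6cR3a3hXSIv1c4nJ8v9E0pDqzPp2AG1uQY2b7:13530:0:99999:7:::
locked:!:13530:0:99999:7:::
"""

MIN_ROUNDS = 50_000   # the slide's recommendation for sha512-crypt
GLIBC_DEFAULT_ROUNDS = 5000   # what sha*-crypt uses when rounds= is absent
ALGORITHMS = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
CRYPT_RE = re.compile(
    r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<hash>.+)$"
)


@dataclass
class Finding:
    user: str
    algorithm: str
    rounds: Optional[int]
    verdict: str   # "ok", "weak", "locked" or "review"
    reason: str


def audit_hash(user: str, field: str) -> Finding:
    """Classify one shadow password field using the slide's criteria."""
    if field in ("", "*") or field.startswith("!"):
        return Finding(user, "none", None, "locked", "no usable password hash")
    m = CRYPT_RE.match(field)
    if not m:
        # A field with no "$id$" prefix is traditional DES crypt (13 chars).
        return Finding(user, "des-crypt", None, "weak", "legacy DES: 8-char passwords, 56-bit key")
    alg = ALGORITHMS.get(m.group("id"))
    rounds = int(m.group("rounds")) if m.group("rounds") else None
    if alg is None:
        return Finding(user, f"${m.group('id')}$", rounds, "review", "scheme not covered by this check")
    if alg == "md5-crypt":
        return Finding(user, alg, rounds, "weak", "md5-crypt is fast to brute force")
    effective = rounds if rounds is not None else GLIBC_DEFAULT_ROUNDS
    if effective < MIN_ROUNDS:
        return Finding(user, alg, effective, "weak", f"only {effective} rounds (< {MIN_ROUNDS})")
    return Finding(user, alg, effective, "ok", f"{effective} rounds")


def audit_shadow(text: str) -> List[Finding]:
    """Audit every entry of a shadow file given as text."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_field = line.split(":", 2)[:2]
        findings.append(audit_hash(user, pw_field))
    return findings


if __name__ == "__main__":
    for f in audit_shadow(SAMPLE_SHADOW):
        print(f"{f.user:8} {f.verdict:7} {f.algorithm:13} {f.reason}")
```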
10. Agenda
• TrialPay Overview
• Securing Your Data: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
11. 2FA for VPN – Standard VPN Login
1) Connect to VPN Client
2) Enter Credentials
3) VPN Device Authenticates
4) Inside the VPN!
12. 2FA for VPN – Traditional 2FA
• Traditional solutions use tokens (hardware, Google Authenticator, text messages)
• Unintuitive input of token (concatenate with password)
• IT burden
• Hassle for end-user accessing VPN multiple times per day
• Wouldn’t it be nice to leverage existing security mechanism?
13. 2FA for VPN – Enter Google Apps!
• With one click the user visits a Google App Engine hosted site, https://xxxxxxxx.trialpay.com, which logs them in automatically on browsers where they already read their Google Apps email.
• This page just shows a 60-second timer during which the user completes the rest of the VPN login process.
14. 2FA for VPN – Technical Details
• Google App Engine – python script to get username from Google Apps and create 60-second memcache key
• Auth Server – add Perl script to authorize with Google App Engine site
• Reference: http://enginerds.trialpay.com/2013/01/08/leveraging-google-apps-email-to-set-up-two-factor-authentication
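An added sketch (not TrialPay's code) of the two halves described above: the App Engine side marks a 60-second approval for the Google Apps user, and the auth server side checks it. The in-memory stand-in for memcache, the company-domain restriction and the single-use consumption are my assumptions; the deck only says a 60-second key is created.

```python
import time
from typing import Callable, Dict, Optional

APPROVAL_TTL = 60                    # the slide's 60-second window
ALLOWED_DOMAIN = "trialpay.com"      # constructed: only Google Apps accounts of this domain count


def vpn_username_from_email(email: str) -> Optional[str]:
    """Map the Google Apps identity to the VPN login name.

    Accounts outside the company domain are rejected; without this check any
    Google account that can load the page would satisfy the second factor.
    """
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or domain != ALLOWED_DOMAIN:
        return None
    return local


class ApprovalStore:
    """Stand-in for the App Engine memcache: VPN username -> expiry timestamp."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                 # injectable for testing
        self._keys: Dict[str, float] = {}

    def approve(self, google_email: str) -> Optional[str]:
        """App Engine side: called once Google Apps has identified the browser's
        user. Returns the VPN username that was marked, or None if rejected."""
        username = vpn_username_from_email(google_email)
        if username is None:
            return None
        self._keys[username] = self._clock() + APPROVAL_TTL
        return username

    def authorize(self, username: str) -> bool:
        """Auth server side: the second factor passes only if a fresh approval
        exists. The key is removed on every check, so it cannot be reused."""
        expiry = self._keys.pop(username.strip().lower(), None)
        return expiry is not None and self._clock() < expiry
```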
15. Agenda
• TrialPay Overview
• Securing Your Data: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
16. 2FA for SSHD – Background
• For bastion / entrypoint servers into network, passwords by themselves are insufficient
• Tokens are viable, but introduce complexity / hassle
• SSH keys are convenient for developers
• Passphrase-protected SSH keys are encouraged and can suffice for 2FA, but SSHD cannot enforce passphrase-usage
• SSHD supports multiple authentication schemes, but they cannot be enforced simultaneously
17. 2FA for SSHD – ForceCommand to the rescue!
• /etc/ssh/sshd_config
• sshd_gatekeeper.sh
• IP whitelisting
• Send intrusion alerts
• Don’t forget to actually check the password!
• Reference: http://enginerds.trialpay.com/2012/07/24/dual-factor-authentication-for-sshd/
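An added example (not the deck's sshd_gatekeeper.sh) of the ForceCommand gatekeeper logic in Python: an IP whitelist, an intrusion alert on every denial, and an actual password check against a stored PBKDF2 digest before the session is handed to the user's command. The whitelist, salt and sample user are constructed; the xkcd 936 phrase referenced by the deck serves only as the placeholder password.

```python
import hashlib
import hmac
import ipaddress
import os
import sys
from typing import Callable, Iterable, Tuple

# Constructed policy: networks allowed to reach the bastion at all.
WHITELIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]

PBKDF2_ROUNDS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the second-factor password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed store of second-factor secrets: user -> (salt, derived key).
# A real deployment reads this from a root-only file rather than embedding it.
_SALT = b"constructed-salt"
SECOND_FACTORS = {"alice": (_SALT, derive("correct horse battery staple", _SALT))}


def client_ip(ssh_connection: str) -> str:
    """SSH_CONNECTION is 'client_ip client_port server_ip server_port'."""
    return ssh_connection.split()[0]


def ip_whitelisted(ip: str, networks: Iterable = WHITELIST) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def password_ok(user: str, supplied: str) -> bool:
    """The 'actually check the password' step: constant-time compare against the
    stored derived key. Unknown users still pay the PBKDF2 cost (no user oracle)."""
    salt, expected = SECOND_FACTORS.get(user, (_SALT, b"\x00" * 32))
    return hmac.compare_digest(derive(supplied, salt), expected)


def gate(user: str, ssh_connection: str, supplied_password: str,
         alert: Callable[[str], None] = lambda msg: None) -> Tuple[bool, str]:
    """Decide whether the already key-authenticated session may proceed.
    Returns (allowed, reason); every denial raises an intrusion alert."""
    ip = client_ip(ssh_connection)
    if not ip_whitelisted(ip):
        alert(f"ssh gatekeeper: {user} from non-whitelisted {ip}")
        return False, "source address not permitted"
    if not password_ok(user, supplied_password):
        alert(f"ssh gatekeeper: bad second factor for {user} from {ip}")
        return False, "second factor rejected"
    return True, "ok"


def main() -> int:
    """Entry point when sshd_config carries 'ForceCommand /path/to/gatekeeper.py'."""
    import getpass
    user = os.environ.get("USER", "")
    allowed, reason = gate(user, os.environ.get("SSH_CONNECTION", "0.0.0.0 0 0.0.0.0 0"),
                           getpass.getpass("Second factor: "),
                           alert=lambda m: print(m, file=sys.stderr))
    if not allowed:
        print(reason, file=sys.stderr)
        return 1
    # Hand the session to what the client originally asked for, or a login shell.
    original = os.environ.get("SSH_ORIGINAL_COMMAND")
    shell = os.environ.get("SHELL", "/bin/sh")
    os.execv(shell, [shell, "-c", original] if original else [shell, "-l"])
    return 0


if __name__ == "__main__":
    sys.exit(main())
```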
18. Agenda
• TrialPay Overview
• Securing Your Data: Basics
• Two-Factor Authentication for VPN
• Two-Factor Authentication for SSHD
• Credit Card Vault
19. Credit Card Vault
• Best practice is to insulate sensitive credit card data from the rest of the system in a secure “vault”
• Vault has two major services: tokenizer and proxy
20. Credit Card Vault – Tokenizer
[Diagram: Browser, App server and Vault; the numbered arrows 1 to 4 correspond to the steps below. Form fields: CC #, CVV, submit]
1. HTML form is served from App server
2. The information provided by the user is sent directly to the vault by the browser (running JavaScript code from App)
3. The vault issues a token that maps to the credit card number
4. The browser sends the token and other non-sensitive information to App server
21. Credit Card Vault – API request proxy
[Diagram: App server, Vault and 3rd party (i.e. Visa); the numbered arrows 1 to 4 correspond to the steps below]
• This assumes that the 3rd party service’s API is HTTP based
• Vault acts as an HTTP proxy with token to CC number translation
1. App server sends an HTTP request via Vault
GET /auth?cc=token:1234&amount=4.00
Host: api.visa.com
2. Vault substitutes token:1234 with the real CC number and relays the request to Visa
GET /auth?cc=4444000012344321&amount=4.00
Host: api.visa.com
3. Visa processes the transaction and responds with a transaction id
4. Vault passes Visa’s response back to the app
22. Credit Card Vault – Key Encryption
• Encrypt cardholder data using highest-grade standards (e.g. AES-256)
• Standard mechanism is to use a global key
• But what if key is compromised?
• Instead take a multi-layer approach
• Master key + per-card key
• Cardholder data stored in one DB
• Per-card keys stored in another DB (and managed by a separate team)
23. Credit Card Vault – Token Generation
• Token = 64-bit unique id, maps to cardholder data
• Exposing the last 4 CC digits in the app is a common use case; try encoding them into the token, e.g.
• Token: 1304274640000970420
• Last 4: 0742
• Even though cardholder data cannot be reverse engineered from the token, better safe than sorry! Encrypt the token in the response back to the app server.
• payload = {"token" => "1234", "info1" => "abc", "info2" => "def"}
• message = {"payload" => aes_encrypt(payload), "aes_iv" => "09...AF"}
• output(json_encode(message))
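An added example (not from the deck) serving slides 21 and 23: a 64-bit token whose low four decimal digits carry the card's last 4, and the vault proxy's rewrite of `cc=token:<id>` to the real PAN, refusing requests whose token is unknown or that already carry a raw PAN. The token layout is my assumption (the slide's own example token evidently uses a different encoding), and the PAN and request lines are the slide's sample values.

```python
import re
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def make_token(pan: str) -> int:
    """Constructed layout: token = random_part * 10_000 + last4.

    randbelow(9 * 10**14) keeps the result under 2**63, so it fits a signed
    64-bit column, and the last four digits are readable without the PAN.
    """
    if not re.fullmatch(r"\d{12,19}", pan):
        raise ValueError("PAN must be 12 to 19 digits")
    random_part = secrets.randbelow(9 * 10**14)
    return random_part * 10_000 + int(pan[-4:])


def last4_from_token(token: int) -> str:
    """The app shows the last four digits without ever holding the PAN."""
    return f"{token % 10_000:04d}"


class Vault:
    """Tokenizer (store PAN, hand back a token) plus the proxy rewrite of slide 21."""

    def __init__(self) -> None:
        # token -> PAN; in the deck's design this is the encrypted cardholder DB.
        self._pans: Dict[int, str] = {}

    def tokenize(self, pan: str) -> int:
        token = make_token(pan)
        while token in self._pans:      # collisions are unlikely but must be handled
            token = make_token(pan)
        self._pans[token] = pan
        return token

    def detokenize_request(self, request_line: str) -> Optional[str]:
        """Rewrite 'GET /auth?cc=token:1234&amount=4.00' for the upstream API.

        Returns None when the request must be refused rather than forwarded:
        a token the vault does not know, or a cc value that is not a token at
        all (an app server sending a raw PAN violates the vault boundary).
        """
        parts = request_line.split(" ")
        if len(parts) < 2:
            return None
        method, target, rest = parts[0], parts[1], parts[2:]
        url = urlsplit(target)
        rewritten = []
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "cc":
                m = re.fullmatch(r"token:(\d{1,19})", value)
                pan = self._pans.get(int(m.group(1))) if m else None
                if pan is None:
                    return None
                value = pan
            rewritten.append((key, value))
        new_target = urlunsplit(url._replace(query=urlencode(rewritten)))
        return " ".join([method, new_target, *rest])


if __name__ == "__main__":
    vault = Vault()
    token = vault.tokenize("4444000012344321")
    print("token:", token, "last4:", last4_from_token(token))
    print(vault.detokenize_request(f"GET /auth?cc=token:{token}&amount=4.00"))
```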
24. Credit Card Vault – Other things to consider
• 2FA to physically access datacenter (password + handscan)
• Additional firewall layer in front of CC Vault
• Backups stored remotely for disaster recovery
25. Thank You!
• We’re Hiring!
• Eddie Lim (eddie@trialpay.com)