Encryption vs tokenisation (for share)
1. Encryption vs Tokenisation
Witham Laboratories, Building Confidence in Payment Systems
1/842 High Street, East Kew 3102, Melbourne, Australia. Ph: +61 3 9846 2751, Fax: +61 3 9857 0350
Rambla de Catalunya 38, 8 planta, 08007 Barcelona, Spain. Ph: +34 93 184 27 88
Email: lab@withamlabs.com
PCI PTS, PCI PIN, PCI DSS, PA-DSS
2. Agenda
- Protecting Cardholder Data
- Cryptography and Tokenisation 101
- What's the difference?
- Format Preserving Encryption
- P2PE and TRSM Standards 101
- Australian P2PE Implementations
- PCI SSC P2PE Activity
- Auditing Encryption and Tokenisation
3. Protecting Cardholder Data
- PCI DSS scope = all systems which store, process or transmit card data
- Render sensitive elements inaccessible: PAN, track data, online PIN block, CVV2
- Req. 3.4 (storage), Req. 4.1 (transmission)
- Prevents exposure of card data: comms and storage do not reveal card data, which defeats line tapping and memory attacks
- Both encryption and tokenisation are referenced
4. Cryptography 101
- Encryption is a keyed, reversible function
- Output 'looks' different to the input data
- Generally encrypts data in 'blocks'
- Use standardised encryption algorithms: AES, TDES, ECC, RSA
- Security is dependent on the 'key'; the key is just a 'big' number
- Good key management is vital
- 'Attack surface' = the key and the use of the key
5. Tokenisation 101
- Replace the PAN with a 'reference number' (the token)
- Same format, 'looks' like card data
- The PAN is not necessary after the transaction; the token can be used instead
- Minimises access to card data
- The tokenisation system can 'restore' the PAN, so tokenisation is a reversible process
- How is this done?
6. Tokenisation 101
- Lots of different tokenisation methods: cryptography, look-up, proprietary
- What are the pros and cons of each?
- Beware systems based on global secrets: exploit one system, expose many
- 'Attack surface' depends on the method of tokenisation used and on the systems involved in that method
- Tokenisation and encryption share some similarities ...
7. Encryption - Visualisation
Encryption maps a value from the input domain to a value in the output domain.
(Diagram: input domain 0 .. 2^(block size) -> Encryption Algo, keyed with Key -> output domain 0 .. 2^(block size).)
8. Encryption - Visualisation
Different input values have different output values, based on the value and the key.
9. Encryption - Visualisation
Changing the key (Key 2) changes the output values for the same input values.
10. Encryption - Visualisation
The key, and the use of the key, define the attack surface; the algorithm is public.
11. Tokenisation - Visualisation
Tokenisation is similar: input values are mapped to output values based on secret(s).
(Diagram: input domain lowest PAN value .. highest PAN value -> Tokenisation System, whose secret may be a key, a DB or a server (??) -> output domain lowest PAN value .. highest PAN value.)
12. Tokenisation - Visualisation
Here the attack surface is not as well defined; it may be a key, a DB, a server, or something else.
13. What's the difference?
Similarities?
- 1:1 reversible mapping of input ↔ output
- Security dependent on secret(s)
Differences?
- Encryption: lots of study, security standards and products; well-known attack methods and mitigations; may not 'play nice' with existing systems
- Tokenisation: no standards, little study; but compatible with existing systems ...
Compromise?
14. Format Preserving Encryption
- 'Normal' encryption assumes all data is unformatted binary data
- Any formatting is 'lost' during encryption
- This is a problem for format-dependent systems, e.g. databases, existing protocols, data capture devices (e.g. PINPads)
- Format preserving encryption (FPE) = encryption without loss of formatting
- Combines encryption and tokenisation
15. FPE Common Features
- Feistel cipher construction
- Round function = AES or Triple DES
- Systems may modify the inputs for each round
- Round function output truncated to the FPE block size
- Remap the input / round function output as required
- Encrypt with multiple Feistel rounds; the number of rounds and the re-mapping depend on the cipher
- These details can be important ...
- May only encrypt the middle digits of a PAN, which ensures the card type and the Luhn check are still valid
16. Feistel Cipher
(Diagram: for any round 'n' ... repeat as necessary.)
17. (Diagram only.)
18. (Diagram only.)
19. Recalculate Luhn check
(Diagram.)
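Added example, not from the Witham deck: the two mappings sketched in slides 5 to 19, side by side in Python. `TokenVault` is a look-up tokenisation system: the token's middle digits are drawn at random, the PAN-to-token table is the secret, and anyone who reads that table gets every PAN at once (slide 12's "it may be a key, DB, server"). `fpe_encrypt_pan` is a Feistel-style format-preserving encryption of the middle digits only, keeping the BIN and recalculating the Luhn check digit as slides 15 and 19 describe; there the attack surface is the key. Assumptions made here: the round function is HMAC-SHA256 standing in for AES/TDES (the Python standard library has no AES), the BIN is fed in as a tweak, the half split and 10-round count follow the FF1 shape, and the PANs are the well-known 4111... and 5555... test numbers. This is illustrative code, not NIST FF1 and not a vetted FPE; use a reviewed library for real card data.

```python
import hashlib
import hmac
import secrets

ROUNDS = 10  # even number of Feistel rounds (FF1 uses 10); an assumption for this demo


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                      # rightmost digit of body is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == int(pan[-1])


class TokenVault:
    """Look-up tokenisation: random token, PAN restored from a table (the table is the secret)."""

    def __init__(self) -> None:
        self._rng = secrets.SystemRandom()
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan) or len(pan) < 9:
            raise ValueError("not a PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]   # same PAN, same token
        while True:
            middle = "".join(self._rng.choice("0123456789") for _ in range(len(pan) - 7))
            body = pan[:6] + middle           # keep the BIN so the card type survives
            token = body + str(luhn_check_digit(body))
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        return self._token_to_pan[token]      # whoever reads this table has every PAN


def _round_fn(key: bytes, tweak: str, rnd: int, half: str) -> int:
    # Stand-in for an AES/TDES round function: HMAC-SHA256 over tweak, round number and half.
    msg = tweak.encode() + bytes([rnd]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def feistel_encrypt_digits(key: bytes, tweak: str, digits: str) -> str:
    """Unbalanced Feistel over a decimal string; output keeps the same length and radix."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else v          # the half being replaced alternates in length
        c = (int(a) + _round_fn(key, tweak, rnd, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def feistel_decrypt_digits(key: bytes, tweak: str, digits: str) -> str:
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, rnd, a)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def fpe_encrypt_pan(key: bytes, pan: str) -> str:
    """Encrypt only the digits between the BIN and the check digit, then recalculate Luhn."""
    if not luhn_valid(pan) or len(pan) < 9:
        raise ValueError("not a PAN")
    bin_, middle = pan[:6], pan[6:-1]
    body = bin_ + feistel_encrypt_digits(key, bin_, middle)
    return body + str(luhn_check_digit(body))


def fpe_decrypt_pan(key: bytes, token: str) -> str:
    bin_, middle = token[:6], token[6:-1]
    body = bin_ + feistel_decrypt_digits(key, bin_, middle)
    return body + str(luhn_check_digit(body))


if __name__ == "__main__":
    pan = "4111111111111111"                  # well-known test PAN
    key = secrets.token_bytes(16)
    vault = TokenVault()
    print("vault token:", vault.tokenise(pan), "->", vault.detokenise(vault.tokenise(pan)))
    tok = fpe_encrypt_pan(key, pan)
    print("FPE token:  ", tok, "->", fpe_decrypt_pan(key, tok))
```

Both outputs are 16 digits, start with the same BIN and pass the Luhn check, so a database column or a PINPad protocol that validates PANs accepts either. The difference an auditor cares about is where the secret lives: the vault has to be reachable by every system that detokenises, while the FPE key can sit in a TRSM and the same key, PAN and tweak always give the same token, which is what makes FPE usable for tokenisation but also means the key is a global secret if it is shared across merchants.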
20. Encryption Implementations
- FPE is most often used in (DB) servers: provides 'transparent' encryption and is used for tokenisation
- FPE is increasingly a feature in PINPad SW, and also in encrypting MSRs and credit terminals: encrypt data without 'breaking' the POS SW
- Encryption of comms for PCI DSS is called 'Point to Point Encryption' (P2PE); FPE is not always used or required
- What standards exist?
21. P2PE Standards 101
- ISO 10894* "Procedures for Message Encipherment"
- ANSI X9.119* "Protection of Sensitive Data between Device and Acquiring System"
- PCI SSC: PTS v3 'SRED' and P2PE requirements*
- Localised / industry associations and SIGs: SPVA, ATMIA, PCI SIGs, Visa and MC, AS2805.9
- Secure HW (TRSM) is often required
22. TRSM Standards 101
- FIPS 140-2: four approval levels (1 to 4)
  - L1 generally for SW only, no HW security
  - L2 some tamper-evident HW security
  - L3 provides some tamper response
  - L4 full security envelope (hardest level)
- PCI PTS (previously PCI PED): v1 and v2 = PIN security only, v3 adds SRED
- APCA PED covers PIN security; from 2010 it requires AS2805.9 keys
23. Australian EFTPOS Standard(s)
- AS2805 = Australian Standard for EFTPOS: key management, encryption, message formats, payment processing
- Each bank has its own 'interpretation'
- AS2805.9 defines message encryption
- AS2805.6.x defines key management: a unique key per transaction (AS2805.6.2); a unique key each day or every 256 transactions (AS2805.6.4); AS2805.6.5.3 for RSA key loading
- Watch your key lengths!
24. AS2805.9
Encryption of each EFTPOS message:
- Extract the non-sensitive elements
- Encrypt the whole message with TDES in OFB mode: a stream mode of TDES, in which the message is XORed with a keystream generated from the key (this is not FPE)
- Replace the non-sensitive elements and send
Things to be aware of:
- OFB: same key and same IV = same keystream
- The same keystream on different transactions allows recovery of the transmitted data: XORing two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts
- AS2805.6.4 keeps the same key for many transactions
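Added example, not from the deck and not an AS2805 implementation: the OFB keystream-reuse problem from the slide above, in Python. `ofb_encrypt` applies OFB mode, where the block cipher is only used to generate a keystream that is XORed with the message; the block cipher is stood in for by HMAC-SHA256 truncated to the 8-byte TDES block size, since the standard library has no TDES. The two messages are constructed, simplified stand-ins for EFTPOS messages, not real AS2805 formats, and the step of extracting non-sensitive elements is skipped. `recover_with_known_plaintext` shows what the slide warns about: with the same key and IV on two transactions, one known message (an echo test, say) gives up the other, PAN included, and `recover_keystream` recovers the keystream itself for use against any further message. `demo` repeats the attack after an IV change to show it failing; a per-transaction key (AS2805.6.2) removes the problem in the same way.

```python
import hashlib
import hmac

BLOCK = 8  # TDES block size in bytes

# Constructed stand-ins for two EFTPOS messages sent under the same key (not AS2805 formats).
KNOWN_MSG = b"0800 NETWORK MGMT  ECHO TEST TERM=T001 TRACE=000001 PADDING"
SECRET_MSG = b"0200 PURCHASE PAN=4111111111111111 EXP=2712 AMT=000001500"


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for TDES E_K(): HMAC-SHA256 truncated to one block (stdlib has no TDES).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB: O_1 = E_K(IV), O_i = E_K(O_{i-1}); keystream = O_1 || O_2 || ... (plaintext never feeds back)."""
    out, prev = b"", iv
    while len(out) < length:
        prev = _block_encrypt(key, prev)
        out += prev
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def ofb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, ofb_keystream(key, iv, len(plaintext)))


ofb_decrypt = ofb_encrypt  # XOR with the same keystream undoes it


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ks = c XOR p; valid for every message encrypted under the same key and IV."""
    return xor(ciphertext, known_plaintext)


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """c1 XOR c2 = p1 XOR p2, so p2 = c1 XOR c2 XOR p1 over the overlapping length."""
    return xor(xor(c_known, c_target), p_known)


def demo(key: bytes, iv: bytes) -> tuple[bytes, bytes]:
    """Returns (plaintext recovered under a reused key+IV, result after the IV changes)."""
    c_known = ofb_encrypt(key, iv, KNOWN_MSG)
    c_secret = ofb_encrypt(key, iv, SECRET_MSG)            # same key + IV: same keystream
    reused = recover_with_known_plaintext(c_known, KNOWN_MSG, c_secret)
    fresh_iv = bytes(b ^ 0x01 for b in iv)                 # different IV: different keystream
    c_secret2 = ofb_encrypt(key, fresh_iv, SECRET_MSG)
    rotated = recover_with_known_plaintext(c_known, KNOWN_MSG, c_secret2)
    return reused, rotated


if __name__ == "__main__":
    key, iv = bytes(range(24)), bytes(8)
    reused, rotated = demo(key, iv)
    print("same key+IV  ->", reused)
    print("fresh IV     ->", rotated)
```

The attacker never touches the key: the whole recovery is XOR arithmetic on captured line traffic, which is why the slide's "line tapping" threat matters for a mode like this. The audit question that follows is the one on slide 28: for a stream mode, how is the IV chosen and how often does the key change?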
25. PCI SSC P2PE Activity
- Released 'Initial Roadmap: P2PE Technology and PCI DSS Compliance'
- Referenced the SRED standard for devices
- Discussed release of audit requirements in 2011
- Development is ongoing (under NDA)
- What can I talk about? SRED is designed for securing card data; the PCI PIN requirements cover key management
- 2011 will be an interesting year ...
26. What is SRED?
- SRED stands for "Secure Reading and Exchange of Data"; "Data" refers to cardholder data
- A module of the PCI PTS v3.0 standard (PTS = PIN Transaction Security)
- Applies to devices that provide "account data protection" functionality: encryption at the Point Of Interaction (POI)
- Expect to hear more about SRED soon
27. SRED Device Block Diagram
(Diagram.)
28. Audit of Encryption Solutions
- What encryption algorithms and modes? Beware anything that is not AES, TDES, ECC or RSA
- Key management: who and how? Dual control and split knowledge; unique keys per device / use; key sizes, and IVs for stream cipher modes
- Encryption in a TRSM? Which standard? Are you sure? Check HW, FW, application and context
- Where is plaintext card data accessible? All possible inputs / outputs? Whitelists?
29. Tokenisation Auditing
- How is the tokenisation performed? (Non-)random? Encryption? Get the details!
- What is the attack surface of this method? Key, algorithm, DB, system, network, etc. Does one exploit result in multiple exposures?
- Security of the tokenisation system: at least as per PCI DSS requirements 1.x and 2.x
- FPE methods used for tokenisation? Refer to the encryption requirements. Ask for details!
- Ask for evidence of peer-review output
30. Questions?
For further information please contact Andrew Jamieson, Technical Manager, Witham Laboratories
Email: andrew.jamieson@withamlabs.com
Phone: +61 3 9846 2751