Lessons Learned from Implementing Existing Standards Dos and Don'ts for Implementing Authentication Standards Jeff Stapleton, CISSP, CTGA, QSA Cryptographic Assurance Services LLC X9F4 Working Group Information Assurance Consortium Payment Card Industry (QSA)

Upload: clement-austin

Post on 18-Dec-2015


TRANSCRIPT

Lessons Learned from Implementing Existing Standards

Dos and Don'ts for Implementing Authentication Standards

Jeff Stapleton, CISSP, CTGA, QSA

Cryptographic Assurance Services LLC
X9F4 Working Group
Information Assurance Consortium
Payment Card Industry (QSA)

Agenda

• Standards Organizations
• Authentication Case Studies
  – TG-3 PIN Compliance
  – SET Brand CA Compliance
  – WebTrust for CA Compliance
  – PCI DSS Compliance
• Other Standards
• Summary

Standards Organizations

[Diagram: formal organizations (ISO, with its TC68 and JTC1 committees; ANSI, the USA member body of ISO, with X9 and INCITS; NIST) and informal organizations (IETF, CA Browser Forum), with the US TAG (Technical Advisory Group) links between the US groups and the ISO committees.]

• ISO: International Standards
  – 172 countries
  – 248 Technical Committees
  – ~3000 standards
• TC68: Financial Services
  – 63 countries
  – 11 Subgroups
  – 50 standards
• JTC1: Information Technology
  – 85 countries
  – 19 Subgroups
  – 357 standards
• ANSI: USA National Body
  – 820 organizations
  – 284 accredited groups
• X9: Financial Services
  – 150 organizations
  – 15 subgroups
  – 115 standards
• INCITS: Information Technology
  – 1700 organizations
  – 40 subgroups
  – (?) standards
• IETF: Internet
  – (?) individuals
  – 118 subgroups
  – 5734 specifications
• NIST: Federal Government
  – ~30 subgroups
  – 10,000+ documents
• CA Browser Forum
  – 42 members
  – 5 documents

Case Studies

• TG-3 PIN Compliance
  – TG-3 Compliance
  – TG-3 Assessments
• SET Brand CA Compliance
  – SET Brand CA Compliance
  – SET Brand CA “audits”
• WebTrust for CA Compliance
  – WebTrust for CA Compliance
  – WebTrust for CA Evaluations
• PCI DSS Compliance
  – PCI Compliance
  – PCI (QSA) Assessments
• Two slides per topic
  – Compliance program
  – Compliance effort
• Four case studies
  – Facts
  – Issues
  – Stories

TG-3 PIN Compliance

• X9 TG-3 (TR-37) Retail Financial Services Compliance Guideline for Online PIN Security and Key Management
  – ANSI X9.8 PIN Management and Security
  – ANSI X9.24 Retail Financial Services – Symmetric Key Management
    • Part 1: Using Symmetric Techniques
    • Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys
• Adopted by EFT Networks in 1996
  – Pulse; wholly owned subsidiary of Discover Financial Services
  – STAR; wholly owned subsidiary of First Data Resources (FDR)
  – NYCE; wholly owned subsidiary of Metavante
  – Certified TG-3 Assessor (CTGA)
• ISO 9564 PIN Management and Security
• ISO 11568 Banking – Key Management – Retail
• EMV Integrated Circuit Card Specification for Payment System (offline)

[Assessment checklist form: each Control Objective lists its Procedures with Yes / No / N/A columns and space to record exceptions.]

TG-3 Assessments

• Prescriptive checklist
  – Reviews
  – Interviews
  – Inspections
  – Observations
  – Tests
• Symmetric Keys
  – General Security Controls
  – TRSM Controls
  – General Key Management
  – Additional Key Management
• Asymmetric Keys
  – General Asymmetric Controls
  – Asymmetric Controls
  – Mutual Authentication
  – Credential Management
  – Additional Asymmetric Controls

SET Brand CA Compliance

• Secure Electronic Transaction (SET)
  – Book 1: Business Description
  – Book 2: Programmer’s Guide
  – Book 3: Formal Protocol Definition
  – Visa and MasterCard: 1995 – 2003
• Participants
  – 16+ companies involved
  – 50+ key individuals involved
• Brand CA
  – JCB; Japan
  – MasterCard (MC); USA
  – PBS; Denmark
  – Visa; USA
  – Cyber-Comm (CC); France

[Diagram: SET certificate hierarchy: a Root CA above the Brand CAs (MC, Visa), a Regional Geo-Political CA layer (R), and the User CA, Merchant CA and Payment Gateway CA, which issue certificates to users (U), merchants (M) and payment gateways (PG).]

SET Brand CA “Audits”

• Brand CA Control Objectives (TG-3)
• ANSI X9.79 PKI Policy and Practices
  – Policy Authority (PA)
  – Certificate Issuer (CI)
  – Certificate Manufacturer (CM)
  – Registration Authority (RA)
  – Repository (Rep)
  – Subscriber (Sub)
  – Relying Party (RP)
• PKI Standards
  – WebTrust for CA
  – ISO 21188

[Diagram: JCB SET example showing the SET Brand CAs (JCB, MC), the CA of Japan, Bank of Japan, Sumitomo Bank, Fujitsu, merchants and consumers, each mapped to the X9.79 roles PA, CI, CM, RA, Rep, Sub and RP.]

[Assessment checklist form: each Control Objective lists its Procedures with Yes / No / N/A columns and space to record exceptions.]

WebTrust for CA Compliance

• ANSI X9.79 PKI Policy and Practices
  – CA control criteria submitted to AICPA and CICA
  – Redeveloped as WebTrust for CA
• Auditing standard: WebTrust for CA
  – Licensed in 37 countries by CPA (or equivalent)
  – Mandated by most states as SAS 70 criteria
  – Mandated by all Browser Vendors
• CA Browser Forum
  – Extended Validation (EV) Audit Criteria
  – EV Certificate Issuance and Management Guide
  – EV Certificate Usage Guide
• ISO 21188 PKI Policy and Practices

[Diagram: SAS 70 audit relationships: an Organization and its Auditor alongside an outsourced Service Provider and its own Auditor.]

WebTrust for CA Evaluations

• Audit performed by licensed CPA (or equivalent)
  – American Institute of Certified Public Accountants
  – Canadian Institute of Chartered Accountants
  – WebTrust for CA
  – WebTrust for CA Extended Validation (EV)
• Evaluation is “Readiness” Check for Audit
  – Validate CP and CPS (RFC 3647)
  – Validate X.509 certificates (RFC 5280)
  – Validate Subscriber (EV) Agreement
  – Validate Operational Procedures
  – Controls over Root CA (offline) and Subordinate CA (online)
  – Controls over SSL and VPN implementations

[Figure: Public Key Certificate]

PCI Compliance

• Payment Card Industry Security Standards Council (PCI SSC)
  – Expansion of the Visa Cardholder Information Security Program (CISP)
  – Visa, MasterCard, Amex, Discover, JCB established in 2006
  – 500+ Participating Organizations
• PCI Data Security Standard (DSS)
  – Qualified Security Assessor (QSA) Company
  – Approved Scanning Vendor (ASV) Company
  – Penetration Tester qualifications and test results undefined
  – Wireless controls scattered throughout requirements
• PCI Payment Application Data Security Standard (PA-DSS)
  – Payment Application Qualified Security Assessor (PA-QSA) Company
• PCI PIN Transaction Security (PTS)
  – Formerly PIN Encryption Device (PED) compliance program
  – Visa and MasterCard PIN compliance programs

PCI (QSA) Assessments

• PCI DSS v1.2 “protect cardholder data”
  – Requirement 1: Install and maintain a firewall
  – Requirement 2: Do not use vendor-supplied defaults
  – Requirement 3: Protect stored cardholder data
  – Requirement 4: Encrypt transmission of cardholder data
  – Requirement 5: Manage anti-virus software
  – Requirement 6: Software assurance
  – Requirement 7: Restrict access by business need to know
  – Requirement 8: Assign a unique ID
  – Requirement 9: Restrict physical access
  – Requirement 10: Track and monitor all access
  – Requirement 11: Regularly test security systems
  – Requirement 12: Maintain information security policy
• Wireless controls scattered throughout requirements

Other Authentication Standards

• ANSI Standards
  – X9.84 Biometric Management and Security
  – X9.95 Trusted Time Stamps (TSA)
  – X9.112 Wireless Management and Security (802.11x)
• Work in Progress
  – X9.117 Mutual Authentication
  – X9.112 Wireless – Part 3: Mobile Banking (TSM)
• Gaps: no password standard
  – Green Book CSC-STD-002-85 (1985) Password Management
  – FIPS 112 (1985) Password Usage, withdrawn 2005
  – ANSI X9.26 (1990) Financial Institution Sign-On Authentication for Wholesale Transactions, withdrawn 1999

Summary

• Many standards to choose from
• Many technologies to choose from
• Many compliance programs to follow
  – Many today; more tomorrow
  – Change is inevitable
• Watch out for technology transitions
  – Mergers and acquisitions
  – New vulnerabilities
  – Technology breakthroughs
• Compliance is a journey, not a destination