Lessons Learned from Implementing Existing Standards Dos and Don'ts for Implementing Authentication Standards Jeff Stapleton, CISSP, CTGA, QSA Cryptographic.

Lessons Learned from Implementing Existing Standards
Dos and Don'ts for Implementing Authentication Standards
Jeff Stapleton, CISSP, CTGA, QSA
Cryptographic Assurance Services LLC
X9F4 Working Group
Information Assurance Consortium
Payment Card Industry (QSA)

Agenda
Standards Organizations
Authentication Case Studies
– TG-3 PIN Compliance
– SET Brand CA Compliance
– WebTrust for CA Compliance
– PCI DSS Compliance
Other Standards
Summary

Standards Organizations
(Diagram: formal organizations ISO (TC68, JTC1) and ANSI (X9, INCITS), linked through the US TAG / USA member; informal organizations IETF, NIST and the CA Browser Forum (CABF).)
ISO (International Standards): 172 countries, 248 Technical Committees, ~3000 standards
TC68 (Financial Services): 63 countries, 11 subgroups, 50 standards
JTC1 (Information Technology): 85 countries, 19 subgroups, 357 standards
ANSI (USA National Body): 820 organizations, 284 accredited groups
X9 (Financial Services): 150 organizations, 15 subgroups, 115 standards
INCITS (Information Technology): 1700 organizations, 40 subgroups, (?) standards
IETF (Internet): (?) individuals, 118 subgroups, 5734 specifications
NIST (Federal Government): ~30 subgroups, +10,000 documents
CA Browser Forum: 42 members, 5 documents

Case Studies
TG-3 PIN Compliance
– TG-3 Compliance
– TG-3 Assessments
SET Brand CA Compliance
– SET Brand CA Compliance
– SET Brand CA "audits"
WebTrust for CA Compliance
– WebTrust for CA Compliance
– WebTrust for CA Evaluations
PCI DSS Compliance
– PCI Compliance
– PCI (QSA) Assessments
Two slides per topic
– Compliance program
– Compliance effort
Four case studies
– Facts
– Issues
– Stories

TG-3 PIN Compliance
X9 TG-3 (TR-37) Retail Financial Services Compliance Guideline for Online PIN Security and Key Management
– ANSI X9.8 PIN Management and Security
– ANSI X9.24 Retail Financial Services – Symmetric Key Management
  Part 1: Using Symmetric Techniques
  Part 2: Using Asymmetric Techniques for Distribution of Symmetric Keys
Adopted by EFT Networks in 1996
– Pulse; wholly owned subsidiary of Discover Financial Services
– STAR; wholly owned subsidiary of First Data Resources (FDR)
– NYCE; wholly owned subsidiary of Metavante
– Certified TG-3 Assessor (CTGA)
ISO 9564 PIN Management and Security
ISO Banking – Key Management – Retail
EMV Integrated Circuit Card Specification for Payment System (offline)

TG-3 Assessments
(Checklist form: Control Objective, Exception (Yes / No / N/A), Procedures)
Prescriptive checklist
– Reviews
– Interviews
– Inspections
– Observations
– Tests
Symmetric Keys
– General Security Controls
– TRSM Controls
– General Key Management
– Additional Key Management
Asymmetric Keys
– General Asymmetric Controls
– Asymmetric Controls
– Mutual Authentication
– Credential Management
– Additional Asymmetric Controls

SET Brand CA Compliance
Secure Electronic Transaction (SET)
– Book 1: Business Description
– Book 2: Programmer's Guide
– Book 3: Formal Protocol Definition
– Visa and MasterCard: 1995 – 2003
Participants
– 16+ companies involved
– 50+ key individuals involved
Brand CA
– JCB; Japan
– MasterCard (MC); USA
– PBS; Denmark
– Visa; USA
– Cyber-Comm (CC); France
(Diagram: SET certificate hierarchy. Root CA, then Brand CA (MC, Visa), then Regional / Geo-Political CA, then User CA, Merchant CA and Payment Gateway CA, issuing to User, Merchant and Payment Gateway.)

SET Brand CA "Audits"
Brand CA Control Objectives (TG-3)
ANSI X9.79 PKI Policy and Practices
– Policy Authority (PA)
– Certificate Issuer (CI)
– Certificate Manufacturer (CM)
– Registration Authority (RA)
– Repository (Rep)
– Subscriber (Sub)
– Relying Party (RP)
PKI Standards
– WebTrust for CA
– ISO
(Diagram: the JCB SET hierarchy with the X9.79 roles mapped onto organizations. MC, CA of Japan, Bank of Japan, Sumitomo Bank, Fujitsu, Merchant and Consumer are labelled PA, CI, CM, RA, RP, Rep and Sub; the same checklist form as on the TG-3 Assessments slide: Control Objective, Exception (Yes / No / N/A), Procedures.)

WebTrust for CA Compliance
ANSI X9.79 PKI Policy and Practices
– CA control criteria submitted to AICPA and CICA
– Redeveloped as WebTrust for CA
Auditing standard: WebTrust for CA
– Licensed in 37 countries by CPA (or equivalent)
– Mandated by most states as SAS 70 criteria
– Mandated by all Browser Vendors
CA Browser Forum
– Extended Validation (EV) Audit Criteria
– EV Certificate Issuance and Management Guide
– EV Certificate Usage Guide
ISO PKI Policy and Practices
(Diagram: Organization and its Auditor; outsourced Service Provider and its Auditor; SAS 70.)

WebTrust for CA Evaluations
Audit performed by licensed CPA (or equivalent)
– American Institute of Certified Public Accountants
– Canadian Institute of Chartered Accountants
– WebTrust for CA
– WebTrust for CA Extended Validation (EV)
Evaluation is "Readiness" Check for Audit
– Validate CP and CPS (RFC 3647)
– Validate X.509 certificates (RFC 5280)
– Validate Subscriber (EV) Agreement
– Validate Operational Procedures
– Controls over Root CA (offline) and Subordinate CA (online)
– Controls over SSL and VPN implementations
(Figure: Public Key Certificate)

PCI Compliance
Payment Card Industry Security Standards Council (PCI SSC)
– Expansion of the Visa Cardholder Information Security Program (CISP)
– Visa, MasterCard, Amex, Discover, JCB established in 2006
– 500+ Participating Organizations
PCI Data Security Standard (DSS)
– Qualified Security Assessor (QSA) Company
– Approved Scanning Vendor (ASV) Company
– Penetration Tester qualifications and test results undefined
– Wireless controls scattered throughout requirements
PCI Payment Application Data Security Standard (PA-DSS)
– Payment Application Qualified Security Assessor (PA-QSA) Company
PCI PIN Transaction Security (PTS)
– Formerly PIN Encryption Device (PED) compliance program
– Visa and MasterCard PIN compliance programs

PCI (QSA) Assessments
PCI DSS v1.2 "protect cardholder data"
– Requirement 1: Install and maintain a firewall
– Requirement 2: Do not use vendor-supplied defaults
– Requirement 3: Protect stored cardholder data
– Requirement 4: Encrypt transmission of cardholder data
– Requirement 5: Manage anti-virus software
– Requirement 6: Software assurance
– Requirement 7: Restrict access by business need to know
– Requirement 8: Assign a unique ID
– Requirement 9: Restrict physical access
– Requirement 10: Track and monitor all access
– Requirement 11: Regularly test security systems
– Requirement 12: Maintain information security policy
Wireless controls scattered throughout requirements
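As an added example (not part of the presentation), a small check an assessor or operator can run against Requirement 3 and Requirement 10: it scans log lines for Luhn-valid digit runs, reports each one as unmasked cardholder data, and shows the truncated form PCI DSS allows for display (first six and last four digits). The log lines, the PAN test values and the function names are constructed for this example.

```python
import re

# Constructed sample log lines (not from the presentation). Lines 1 and 4
# carry full test PANs, line 2 is correctly truncated, line 3 is a
# 16-digit reference number that fails the Luhn check.
SAMPLE_LOG = """\
2014-03-28 10:01:02 order=1001 pan=4111111111111111 amount=19.99
2014-03-28 10:01:05 order=1002 pan=411111******1111 amount=5.00
2014-03-28 10:02:11 order=1003 ref=1234567890123456 amount=7.50
2014-03-28 10:03:44 order=1004 card=5500 0000 0000 0004 approved
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test, used to discard digit runs that are not PANs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS masking limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return (line number, full PAN, truncated PAN) for each Luhn-valid hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append((lineno, digits, truncate_pan(digits)))
    return findings


if __name__ == "__main__":
    # Report only the truncated form so the report itself stores no PAN.
    for lineno, _pan, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN found; store or display as {masked}")
```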

Other Authentication Standards
ANSI Standards
– X9.84 Biometric Management and Security
– X9.95 Trusted Time Stamps (TSA)
– X9.112 Wireless Management and Security (802.11x)
Work in Progress
– X9.117 Mutual Authentication
– X9.112 Wireless – Part 3: Mobile Banking (TSM)
Gaps: no password standard
– Green Book CSC-STD (1985) Password Management
– FIPS 112 (1985) Password Usage; withdrawn 2005
– ANSI X9.26 (1990) Financial Institution Sign-On Authentication for Wholesale Transactions; withdrawn

Summary
Many standards to choose from
Many technologies to choose from
Many compliance programs to follow
– Many today; more tomorrow
– Change is inevitable
Watch out for technology transitions
– Mergers and acquisitions
– New vulnerabilities
– Technology breakthroughs
Compliance is a journey, not a destination