Lessons Learned from Implementing Existing Standards Dos and Don'ts for Implementing Authentication Standards - PowerPoint PPT Presentation

1
Lessons Learned from Implementing Existing
Standards Dos and Don'ts for Implementing
Authentication Standards
  • Jeff Stapleton, CISSP, CTGA, QSA
  • Cryptographic Assurance Services LLC
  • X9F4 Working Group
  • Information Assurance Consortium
  • Payment Card Industry (QSA)

2
Agenda
  • Standards Organizations
  • Authentication Case Studies
  • TG-3 PIN Compliance
  • SET Brand CA Compliance
  • WebTrust for CA Compliance
  • PCI DSS Compliance
  • Other Standards
  • Summary.

3
Standards Organizations
  • Formal Organizations
    • ISO International Standards: 172 countries, 248 Technical Committees, 3000 standards
      • JTC1 Information Technology: 85 countries, 19 subgroups, 357 standards
      • TC68 Financial Services: 63 countries, 11 subgroups, 50 standards
    • ANSI USA National Body (USA member of ISO): 820 organizations, 284 accredited groups
      • INCITS Information Technology (US TAG to JTC1): 1700 organizations, 40 subgroups, (?) standards
      • X9 Financial Services (US TAG to TC68): 150 organizations, 15 subgroups, 115 standards
  • Informal Organizations
    • IETF Internet: (?) individuals, 118 subgroups, 5734 specifications
    • NIST Federal Government: 30 subgroups, 10,000 documents
    • CA Browser Forum (CABF): 42 members, 5 documents

4
Case Studies
  • TG-3 PIN Compliance
    • TG-3 Compliance
    • TG-3 Assessments
  • SET Brand CA Compliance
    • SET Brand CA Compliance
    • SET Brand CA Audits
  • WebTrust for CA Compliance
    • WebTrust for CA Compliance
    • WebTrust for CA Evaluations
  • PCI DSS Compliance
    • PCI Compliance
    • PCI (QSA) Assessments
  • Two slides per topic
    • Compliance program
    • Compliance effort
  • Four case studies
    • Facts
    • Issues
    • Stories

5
TG-3 PIN Compliance
  • X9 TG-3 (TR-37) Retail Financial Services Compliance Guideline for Online PIN Security and Key Management
    • ANSI X9.8 PIN Management and Security
    • ANSI X9.24 Retail Financial Services Symmetric Key Management
      • Part 1 Using Symmetric Techniques
      • Part 2 Using Asymmetric Techniques for Distribution of Symmetric Keys
  • Adopted by EFT Networks in 1996
    • Pulse, wholly owned subsidiary of Discover Financial Services
    • STAR, wholly owned subsidiary of First Data Resources (FDR)
    • NYCE, wholly owned subsidiary of Metavante
  • Certified TG-3 Assessor (CTGA)
  • ISO 9564 PIN Management and Security
  • ISO 11568 Banking Key Management (Retail)
  • EMV Integrated Circuit Card Specification for Payment Systems (offline)

6
TG-3 Assessments
  • Prescriptive checklist
    • Reviews
    • Interviews
    • Inspections
    • Observations
    • Tests
  • Symmetric Keys
    • General Security Controls
    • TRSM Controls
    • General Key Management
    • Additional Key Management
  • Asymmetric Keys
    • General Asymmetric Controls
    • Asymmetric Controls
    • Mutual Authentication
    • Credential Management
    • Additional Asymmetric Controls

7
SET Brand CA Compliance
  • Secure Electronic Transaction (SET)
    • Book 1 Business Description
    • Book 2 Programmer's Guide
    • Book 3 Formal Protocol Definition
  • Visa and MasterCard, 1995 to 2003
  • Participants
    • 16 companies involved
    • 50 key individuals involved
  • Brand CAs
    • JCB (Japan)
    • MasterCard (MC) (USA)
    • PBS (Denmark)
    • Visa (USA)
    • Cyber-Comm (CC) (France)

8
SET Brand CA Audits
  • Brand CA Control Objectives (TG-3)
  • ANSI X9.79 PKI Policy and Practices, PKI roles:
    • Policy Authority (PA)
    • Certificate Issuer (CI)
    • Certificate Manufacturer (CM)
    • Registration Authority (RA)
    • Repository (Rep)
    • Subscriber (Sub)
    • Relying Party (RP)
  • PKI Standards
    • WebTrust for CA
    • ISO 21188

9
WebTrust for CA Compliance
  • ANSI X9.79 PKI Policy and Practices
    • CA control criteria submitted to AICPA and CICA
    • Redeveloped as WebTrust for CA
  • Auditing standard WebTrust for CA
    • Licensed in 37 countries by CPA (or equivalent)
    • Mandated by most states as SAS 70 criteria
    • Mandated by all Browser Vendors
  • CA Browser Forum
    • Extended Validation (EV) Audit Criteria
    • EV Certificate Issuance and Management Guide
    • EV Certificate Usage Guide
  • ISO 21188 PKI Policy and Practices

10
WebTrust for CA Evaluations
  • Audit performed by licensed CPA (or equivalent)
    • American Institute of Certified Public Accountants (AICPA)
    • Canadian Institute of Chartered Accountants (CICA)
  • WebTrust for CA
  • WebTrust for CA Extended Validation (EV)
  • Evaluation is a readiness check for the audit
    • Validate CP and CPS (RFC 3647)
    • Validate X.509 certificates (RFC 5280)
    • Validate Subscriber (EV) Agreement
    • Validate Operational Procedures
    • Controls over Root CA (offline) and Subordinate CA (online)
    • Controls over SSL and VPN implementations
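The "Validate X.509 certificates (RFC 5280)" item above is the part of a readiness check that can be scripted. The block below is an added example, not code from the presentation, and it models the structural checks of RFC 5280 section 6.1 (validity period, issuer/subject name chaining, basicConstraints cA and pathLenConstraint, keyCertSign in keyUsage, and a simplified certificate-policy check for an EV-style policy OID) over an offline root, an online subordinate CA and a server certificate. The certificates are constructed Python records rather than parsed DER, the policy OID is a placeholder, and signature verification is deliberately omitted: a real validator must also verify each signature with the issuer's public key.

```python
"""Structural certification-path checks modelled on RFC 5280 section 6.1.

Added example; not code from the presentation. Certificates are constructed
records, not parsed DER, and signatures are NOT verified here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

ANY_POLICY = "2.5.29.32.0"  # anyPolicy OID (RFC 5280 section 4.2.1.4)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False                        # basicConstraints.cA
    path_len: Optional[int] = None             # basicConstraints.pathLenConstraint
    key_usage: FrozenSet[str] = frozenset()    # keyUsage bit names, e.g. "keyCertSign"
    policies: FrozenSet[str] = frozenset()     # certificatePolicies OIDs

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def validate_path(chain: List[Cert], anchors: List[Cert], now: datetime,
                  required_policy: Optional[str] = None) -> List[str]:
    """Return errors for a path ordered anchor-side first (chain[0] is issued
    by a trust anchor, chain[-1] is the end entity). Empty list = all checks
    modelled here passed."""
    errors: List[str] = []
    if not chain:
        return ["empty certification path"]
    by_subject: Dict[str, Cert] = {a.subject: a for a in anchors}
    anchor = by_subject.get(chain[0].issuer)
    if anchor is None:
        errors.append(f"{chain[0].subject}: issuer {chain[0].issuer!r} is not a trust anchor")
    n = len(chain)
    max_path_length = n                        # 6.1.2: initialised to the path length
    if anchor is not None and anchor.path_len is not None:
        # assumption: the offline root's own pathLenConstraint bounds the path too
        max_path_length = min(max_path_length, anchor.path_len)
    for i, cert in enumerate(chain):
        label = f"cert {i + 1}/{n} ({cert.subject})"
        issuer = anchor if i == 0 else chain[i - 1]
        # 6.1.3 (a)(2): the validity period must include the current time
        if not (cert.not_before <= now <= cert.not_after):
            errors.append(f"{label}: outside validity period")
        # 6.1.3 (a)(4): issuer name must equal the previous certificate's subject
        if issuer is not None and cert.issuer != issuer.subject:
            errors.append(f"{label}: issuer {cert.issuer!r} != {issuer.subject!r}")
        # simplified policy processing: each cert asserts the policy or anyPolicy
        if required_policy and not ({required_policy, ANY_POLICY} & cert.policies):
            errors.append(f"{label}: does not assert policy {required_policy}")
        if i == n - 1:
            break                              # 6.1.4 applies to intermediates only
        # 6.1.4 (k): an intermediate must carry basicConstraints cA=TRUE
        if not cert.is_ca:
            errors.append(f"{label}: basicConstraints cA is not set")
        # 6.1.4 (l): a non-self-issued intermediate consumes one unit of path length
        if not cert.self_issued:
            if max_path_length <= 0:
                errors.append(f"{label}: pathLenConstraint exceeded")
            else:
                max_path_length -= 1
        # 6.1.4 (m): this cert's pathLenConstraint may tighten the remaining budget
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
        # 6.1.4 (n): keyUsage, when present, must include keyCertSign
        if cert.key_usage and "keyCertSign" not in cert.key_usage:
            errors.append(f"{label}: keyUsage lacks keyCertSign")
    return errors


# Constructed sample hierarchy: offline root, online issuing CA, server cert.
def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

EV_POLICY = "1.3.6.1.4.1.99999.1.1"          # constructed placeholder policy OID
CA_USAGE = frozenset({"keyCertSign", "cRLSign"})
ROOT = Cert("Example Root CA", "Example Root CA", _d(2005, 1, 1), _d(2025, 1, 1),
            is_ca=True, key_usage=CA_USAGE, policies=frozenset({ANY_POLICY}))
SUB = Cert("Example EV Issuing CA", "Example Root CA", _d(2008, 1, 1), _d(2018, 1, 1),
           is_ca=True, path_len=0, key_usage=CA_USAGE, policies=frozenset({EV_POLICY}))
LEAF = Cert("www.example.com", "Example EV Issuing CA", _d(2010, 1, 1), _d(2011, 1, 1),
            key_usage=frozenset({"digitalSignature", "keyEncipherment"}),
            policies=frozenset({EV_POLICY}))
# A second-tier CA the issuing CA may not create because of pathLenConstraint=0.
SUB2 = Cert("Example Second-Tier CA", "Example EV Issuing CA", _d(2010, 1, 1), _d(2015, 1, 1),
            is_ca=True, key_usage=CA_USAGE, policies=frozenset({EV_POLICY}))
LEAF2 = Cert("shop.example.net", "Example Second-Tier CA", _d(2010, 1, 1), _d(2011, 1, 1),
             policies=frozenset({EV_POLICY}))


def demo() -> Dict[str, List[str]]:
    """Run the checks over the constructed certs, keyed by scenario."""
    now = _d(2010, 6, 1)
    return {
        "good": validate_path([SUB, LEAF], [ROOT], now, EV_POLICY),
        "expired": validate_path([SUB, LEAF], [ROOT], _d(2012, 1, 1), EV_POLICY),
        "too_deep": validate_path([SUB, SUB2, LEAF2], [ROOT], now, EV_POLICY),
        "no_anchor": validate_path([SUB, LEAF], [], now, EV_POLICY),
        "not_ev": validate_path([SUB, LEAF], [ROOT], now, "1.3.6.1.4.1.99999.1.2"),
    }


if __name__ == "__main__":
    for name, errs in demo().items():
        print(f"{name}: {'OK' if not errs else errs}")
```

The "too_deep" scenario is the one that matters for the root/subordinate split on the slide: the issuing CA carries pathLenConstraint=0, so any CA certificate it issues must be rejected by relying parties even though every other field looks fine.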

11
PCI Compliance
  • Payment Card Industry Security Standards Council (PCI SSC)
    • Expansion of the Visa Cardholder Information Security Program (CISP)
    • Established in 2006 by Visa, MasterCard, Amex, Discover, JCB
    • 500 Participating Organizations
  • PCI Data Security Standard (DSS)
    • Qualified Security Assessor (QSA) Company
    • Approved Scanning Vendor (ASV) Company
    • Penetration Tester qualifications and test results undefined
    • Wireless controls scattered throughout requirements
  • PCI Payment Application Data Security Standard (PA-DSS)
    • Payment Application Qualified Security Assessor (PA-QSA) Company
  • PCI PIN Transaction Security (PTS)
    • Formerly PIN Encryption Device (PED) compliance program
    • Visa and MasterCard PIN compliance programs

12
PCI (QSA) Assessments
  • PCI DSS v1.2: protect cardholder data
    • Requirement 1 Install and maintain a firewall
    • Requirement 2 Do not use vendor-supplied defaults
    • Requirement 3 Protect stored cardholder data
    • Requirement 4 Encrypt transmission of cardholder data
    • Requirement 5 Manage anti-virus software
    • Requirement 6 Software assurance
    • Requirement 7 Restrict access by business need to know
    • Requirement 8 Assign a unique ID
    • Requirement 9 Restrict physical access
    • Requirement 10 Track and monitor all access
    • Requirement 11 Regularly test security systems
    • Requirement 12 Maintain information security policy
  • Wireless controls scattered throughout requirements

13
Other Authentication Standards
  • ANSI Standards
    • X9.84 Biometric Management and Security
    • X9.95 Trusted Time Stamps (TSA)
    • X9.112 Wireless Management and Security (802.11x)
  • Work in Progress
    • X9.117 Mutual Authentication
    • X9.112 Wireless Part 3 Mobile Banking (TSM)
  • Gaps: no password standard
    • Green Book CSC-STD-002-85 (1985) Password Management
    • FIPS 112 (1985) Password Usage, withdrawn 2005
    • ANSI X9.26 (1990) Financial Institution Sign-On Authentication for Wholesale Transactions, withdrawn 1999

14
Summary
  • Many standards to choose from
  • Many technologies to choose from
  • Many compliance programs to follow
    • Many today, more tomorrow
  • Change is inevitable
    • Watch out for technology transitions
    • Mergers and acquisitions
    • New vulnerabilities
    • Technology breakthroughs
  • Compliance is a journey, not a destination