TransKrypt Security Server

Transcription

1 TransKrypt Security Server Overview Security of transactions is a fundamental requirement for payment transaction industry and this becomes even more critical as the volume of payments are growing at a faster pace from the new generation mobile and broadband based IP payment terminals and devices. For payment transactions there is a need for securing data exchanged between the inherently insecure POS terminals like non SSL POS terminals and dial POS terminals. Securing the transaction session between terminals and the transaction processing systems is paramount as this data is traversing the least secure public networks. Data encryption from POS terminals, Certificate verification of the client POS devices Certificates, Tokenization of card holder data are multiple mechanisms for ensuring the security of the payment transaction data originating from the millions on payment initiating devices and flowing through the public networks comprising dial, broadband and mobile technologies across the world. Several procedures are followed in the industry today towards achieving the security objectives and the establishment of the Point To Point Encryption(P2PE) standards by PCI Security Standards Council has helped to enable the industry to provide advanced security solutions for those devices dealing with card holder data. Point-to-Point Encryption (P2PE) solutions facilitate the objective of reducing the scope of PCI DSS assessment for merchants using such solutions by reducing the scope of their cardholder data environment and annual PCI DSS assessments. Based on standards requirements, P2PE solution are required to use secure cryptographic devices like host/hardware security modules (HSM) for the encryption and decryption of payment-card data, as well as for the storage and management of cryptographic keys. NewNet s TransKrypt Security Server is a comprehensive security server solution aimed at offering multiple security solutions which are auxiliary in function but crucial to payment transaction processing. The capability included in this solution is P2PE for supporting data encryption from POS terminals. Secure cryptographic devices used for cryptographickey management functions and/or the decryption of account data are host/hardware security modules (HSMs), which are approved and configured to FIPS140-2 (levels 2 & 3). TransKrypt Point To Point Encryption (P2PE) System TransKrypt Security Server system offers the P2PE solution for Acquirers/Processors and Service Providers working in conjunction with approved point of interaction devices that are certified for usage in a P2PE environment. The P2PE solution supported by TransKrypt Security Server is based on ANSI X9.24 standards specified DUKPT mechanisms. The NewNet TransKrypt Security Server utilizes FIPS Level 2 HSM solution to store sensitive data like encryption keys securely and provide encryption and decryption capabilities. TransKrypt Security Server solution provides the following feature working in conjunction with the NewNet AccessGuard and Total Control STG systems which aggregates, switches and routes transaction from POS devices : P2PE capability for Terminal Line Encryption using Derived Unique Key Per Transaction (DUKPT) P2P Encryption from POS to AccessGuard/Total Control STG In a generic scenario, the transaction request from POS terminal to payment processing gateway needs to be encrypted. The following steps are part of this process to ensure the transaction is encrypted from the POS and further send securely to the payment switching and routing systems to further forward these transactions securely to the Authorization servers. Encryption Algorithm: 3DES or AES crypto algorithm is used for encryption. Each transaction will have unique key to encrypt transaction requests and responses. Key Generation: Key generation is based on DUKPT standards as specified by ANSI X9.24. Base keys are generated and stored in the TransKrypt Security Server within the HSM and the initial keys are securely delivered through Public Key Infrastructure (PKI) procedures directly or through the Terminal Management Systems (TMS) to the POS devices towards generating the unique keys for each transaction. Keys for Encryption at POS: Key is generated dynamically with each transaction. The POS terminal while doing the current transaction will generate the next one and store it. The key for the current transaction is cryptographically changed to the key for the next transaction.

2 Keys for Decryption at AG/STG AG/STG interfaces with the TransKrypt Security Server which has the base key of all keys- the Super-secret key. When the POS sends the encrypted payload it also sends meta data including terminal identifier and transaction counter. With the meta-data and the Super-secret key in the TransKrypt Security Server, AG/ STG systems would cryptographically generate the same key that terminal used for the encryption. Standards Compliance Compliant to the PCI Security standards for P2PE systems for the process of decrypting the transaction data and generation and storage mechanism for the keys used for obtaining the unique keys per transaction. The TransKrypt Security Server system can be used to generate a Base Derivation Key (BDK) for each Acquirer or Merchant. The BDK generated is stored in the HSM and cannot be retrieved from the system. From the BDK, for each POS terminal an Initial Phase Encryption Key (IPEK) can be generated. The POS receives IPEK securely and uses the IPEK with cryptographic processes to generate a new encryption key to encrypt the transaction. The transaction aggregating and switching/routing systems like AccessGuard or Total Control gateways contacts the TransKrypt Security Server SSL with valid certificate to retrieve the IPEK for a specific POS. Hardware Security Module (HSM) TransKrypt Security Server uses Cavium HSM PCI-e card to generate and store keys securely. The HSM used is FIPS compliant with physical and logical cryptographic boundaries that offer secure, tamper-proof enclosure which acts as a barrier and ensure that all components are encompassed within the cryptographic boundary and ensures that keys are cleared if enclosure is breached. Derived Unique Key Per Transaction (DUKPT) Derived Unique Key Per Transaction (DUKPT) is a key management scheme in which for every transaction, a unique key is used which is derived from a fixed key. Therefore, even if a derived key is attempted to be compromised, future and past transaction data are still protected since the next or prior keys are quite difficult to be determined. DUKPT implementation is as specified in ANSI X9.24 part 1. Full Payload or Sensitive Field Encryption TransKrypt Security Servers P2PE solution offers the option to select from the possible usage of entire transaction data being encrypted or only selected fields being encrypted. This allows the flexibility for Acquirers, Processors and Service providers to work the POS device SW to handle the encryption process in a convenient manner as supported on the client devices. In a full payload encryption the entire data is encrypted apart from any routing specific protocol headers. If only specific fields need to be encrypted the sensitive data fields including PAN, CC1/2, CVV etc are encrypted to ensure the integrity of transactions and securing the cardholder information. Integrated Bi-Directional Solution TransKrypt Security Server solution works together with the AccessGuard and Total Control STG systems to offer a full-fledged P2PE solution allowing the transport and routing of encrypted data from the POS to the Authorization Host direction. The traffic in the reverse direction for the authorization response from the Host server to the POS terminal is also encrypted thereby leaving no part of transaction to be left un-encrypted. Key System Benefits FIPS secure key generation server Secure key storage. Generate multiple BDKs Generate IPEK based on BDK Redundancy with a standby Server and HSM cloning PCI Standards compliant Integrated Server HW, HSM HW and Application SW Future support of Certificate Authority application and Tokenization P2PE Benefits BDK generation or upload per Acquirer/Merchant ID IPEK generation based on Acquirer/Merchant ID Storage of up to 4096 keys in HSM Redundancy using Dual TransKrypt Security Server Support 7500 RSA operations/sec and 50K concurrent sessions Oracle Berkeley DB for internal storage 2

3 Diagram of Initialization of POS by Obtaining Initial Keys with PKI from TransKrypt TransKrypt Security Server With HSM BDK: Base Derivation Key 3. Security Server generates and stores BDK and derives IPEK for specific POS Terminals based on KSI IPEK: Initial Phase Encryption Key KSI: Key Set ID 2. STG / AG verifies the Terminal identity (ID, ANI/IP, Certificate) and forwards request 4. IPEK forwarded securely to STG/AG along with Security Server s Certificate Dial/GPRS/IP POS Terminal 1. Initialization request from POS Terminal with Terminal ID, Acquirer #, KSI, Public Key/Certification of POS 5. IPEK Securely Transferred to POS Terminal from Security Server along with certificate of Security Server Diagram of Message and Event Flow for Transaction Processing with TransKrypt TransKrypt Security Server With HSM AG/STG Systems 3. Security Server identifies BDK using KSI and derives IPEK 2. STG/AG sends KSI, TRSM ID to Security Server securely 4. IPEK send securely from Security Server to STG/AG 1. Unique key Encrypted Transaction Request from POS from KSI, TRSM, ID, Counter 5. STG/AG uses IPEK and generates unique key to decrypt request 6. Decrypted Transaction Request to Host Server Authorization Host Server Dial/GPRS/IP POS Terminal 9. Encrypted Transaction Response to POS 7. Transaction Response from Host 8. STG/AG encrypts response to POS with unique key 3

4 Technical Specifications Hardware Chassis 2U Rack Mount Server Dimensions: Height: 3.44 Width: (Standard 19 rack mountable) Depth: 29.5 Low profile (2.1 x 6.6 ) PCIe form factor HSM Operating Requirements VAC, VAC Max power consumption: VAC Nominal operating range: Temperature: 10 to 35 C Humidity: 10% to 90% Non-nominal operating range: Temperature: -30 to -60 C Humidity: 5% to 95% Shipping Conditions: -40 to 60 C Humidity: 5% to 95% Shipping Conditions: -40 to 60 C Physical Interfaces RJ-45 (4 ports of 10/100/1000 Mbps) Optional 2 ports of 1/10Gbps Security Softwares OpenSSL and TurboSSL PKCS#11 Crypto OpenSSH Security Storage Physical and logical Cryptographic boundaries - Secure and tamper evident enclosure - All keys are secured within cryptographic boundary API libraries for Card and key management 4

5 About NewNet Communication Technologies, LLC NewNet Communication Technologies, LLC is a global provider of innovative solutions for next generation mobile technology. For over 25 years, NewNet has enabled global operators and equipment manufacturers to rapidly develop and deploy cutting edge, revenue generating solutions needed to build, grow and improve global communications. NewNet specializes in Mobile Messaging, Secure Transaction Transport, Interactive Voice Response, Real Time Charging and Rating, Wireless Broadband and Network Optimization solutions that have reached millions of end users in over 90 countries. To learn more about the TransKrypt or the NewNet Secure Transaction Portfolio which transports 1 in every 5 transactions around the world, Visit Copyright 2014 NewNet Communication Technologies. All rights reserved