Scribd Logo
Upload

Welcome to Scribd!

  • PCI v5 VS v4.1

    Uploaded by

    happyoach
    6 views29 pages

    Original Title

    PCI v5 vs v4

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    6 views29 pages

    PCI v5 VS v4.1

    Uploaded by

    happyoach

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 29




    r
    PCI v5 VS v4.1
    fo
    CT
    BC

    • 2017年8月10

    www.bctest.com
    1 概述

    有什么重要 差别?



    核心物理安全


    核心逻辑安全


    开发协议安全

    r
    fo
    CT

    没有本质上的巨大差别,但是存在不少差别。
    BC

    www.bctest.com
    2 核心物理安全


    物理攻击分值


    多路独立



    环境评估

    r
    毛刺攻击 fo
    CT

    密钥分析
    BC

    磁条卡读卡器

    www.bctest.com
    2.1 物理攻击分值

    仔细对比,v4.1版本和v5版本的附录的分值计算表,发现


    attack time/expertise 发生变化。而knowledge of POI/Access


    to POI/Equipment/Specific Parts没有变化。


    攻击时间分值


    专家等级

    r
    fo
    TC
    BC

    www.bctest.com
    2.1.1 攻击时间分值

    v5 v4





    r
    fo
    C
    仔细看,可以发现 似乎v5在攻击时间分值上更容易通过。
    T

    比如,16小时,v5是4.5分,而v4是3分。或者可以这么说v4擦边不
    BC

    通过的A1 ,提交v5测试很有可能通过了?

    真相是什么?举个栗子(例子)。比如one tamper switch,如果v4是1~2


    小时,到了v5是0.5~1小时。
    随着攻击技术的不断改进,v5在时间评估上更加严格。
    www.bctest.com
    2.1.2 专家等级

    v5 v4





    增加了一个级别,明显的两点

    r
    [1]v5 Skilled 基本等同v4 Proficient级别
    fo
    [2]v5 Proficient的技术水平>v4 Proficient的技术水平
    CT
    BC

    www.bctest.com
    2.2 多路独立




    A2,K1.2移除,因为PCI现在认为满足A1 一定满足A2/K1.2


    r
    fo
    C
    T
    BC

    www.bctest.com
    2.3 环境评估

    当年的A3,如今的A2





    r
    fo
    实验室可以复用厂家提供的报告。为了缩短评估周期,请厂家配合提
    供详细的温度和电压测试文档。
    CT

    高低温 高低压
    BC

    www.bctest.com
    2.4 毛刺攻击

    当年的A4,如今的A3





    r
    v5版本除了guidance,还在具体的DTR项 TA3.13增加了要求。
    fo
    C
    T
    BC

    www.bctest.com
    2.5 密钥分析

    当年的A6,如今的A5





    r
    仅支持DUKPT等一次一密的终端,豁免。
    fo
    CT
    BC

    www.bctest.com
    2.6 磁条卡读卡器

    当年的A9,如今的A8





    r
    magnetic reader on either side
    fo
    T C
    BC

    www.bctest.com
    3 核心逻辑安全


    逻辑异常 任意数据加解密


    固件认证 安全策略



    固件升级

    r
    随机数 fo
    CT

    密钥管理
    BC

    加密算法测试

    www.bctest.com
    3.1 逻辑异常

    B2





    r
    fo
    [1]请提交test application的源代码
    C
    [2]厂家如果自己有做fuzzing测试,请提交测试方法说明和测试结果详细
    T

    报告。
    BC

    www.bctest.com
    3.2 固件认证

    固件版本号





    r
    fo
    TC
    BC

    [1]没有设置编译器选项,缓解已知漏洞,请厂家给出足够的说明。
    [2]没有使用缓解技术,也请厂家详细说明。

    www.bctest.com
    3.3 固件升级

    B4





    r
    fo
    [1]Update from a remote host
    例子(栗子)
    TC
    BC

    www.bctest.com
    3.4 随机数

    B9




    [1]PRNG(pseudo Random Noise Generation),伪随机噪声生成。


    r
    fo
    TC

    [2]随机数可以有厂家直接提供。
    BC

    www.bctest.com
    3.5 密钥管理

    B11





    r
    fo
    CT
    BC

    [1]增加识别和误用

    www.bctest.com
    3.6 加密算法测试

    B12 FAQ





    r
    fo
    TC
    BC

    [1] must provide support for ISO Format4

    www.bctest.com
    3.7 任意数据加解密

    B13





    r
    fo
    CT
    BC

    www.bctest.com
    3.8 安全策略

    B20

    [1]安全策略1


    [2]安全策略2


    [3]安全策略3



    r
    fo
    CT
    BC

    www.bctest.com
    3.8.1 安全策略1

    B20





    r
    [1]approval class PED/EPP/HSM/UPT/KLD/RAP/SCR/Non-PED
    fo
    TC
    BC

    提交文档

    www.bctest.com
    3.8.2 安全策略2

    B20





    TB20.28 Q75
    TB20.29 Q71

    r
    TB20.30 Q74
    TB20.31 FAQ B1#9
    fo
    TB20.32 FAQ D2#2
    C

    TB20.33 FAQ K4#2


    T
    BC

    www.bctest.com
    3.8.3 安全策略3

    B20
    Q 75 October 2015: PIN Entry Devices that attach to a mobile


    phone, PDA or POS terminal via a sled, sleeve, audio jack, or


    wireless connection are required to support SRED.


    Q 71 December (update) 2016: Can a PTS device be used as a


    beacon (iBeacon or BLE beacon)
    transmitter?

    r
    fo
    Q 74 October 2015: Does the installation, for example in seatbacks,
    of POI PIN acceptance devices in mass transit vehicles such as
    TC

    airplanes and trains require that these devices contain an anti-


    BC

    removal mechanism to protect against unauthorized removal


    and/or unauthorized re-installation?

    www.bctest.com
    3.8.3 安全策略3

    B20

    B1 Q 9 July 2015: Can a memory re-initialization (security) cycle


    last longer than 24 hours?



    D2 Q 2 July 2014: The ICC reader’s slot is required to be in full
    view of the cardholder so that any untoward obstructions or


    suspicious objects at the opening are detectable. The construction

    r
    of the device must be such that the entire slot opening is in full
    fo
    view of the cardholder prior to card insertion. In certain
    Unattended Payment Terminal designs the ICCR slot cannot be
    C
    positioned straight (horizontal) to the cardholder, when could this
    T
    BC

    be acceptable?

    K4 Q2 Q 2 July (update) 2014: Can a POI device approved for


    SRED have a default configuration to not encrypt account data?

    www.bctest.com
    4 开放协议

    接口识别
    安全协议提供认证





    r
    fo
    TC
    BC

    www.bctest.com
    4 .1 接口识别1
    F1
    v5 v4.1b





    r
    fo
    发现了什么?
    C
    v4
    T
    BC

    www.bctest.com
    4.1 接口识别2
    F1





    r
    fo
    usb class如果支持蓝牙,WI-FI irDA,则在op的测试范围
    C
    T
    BC

    www.bctest.com
    4.2 安全协议提供认证
    I4
    V5/v4.1b





    v4

    r
    fo
    CT
    BC

    不可以仅支持单向认证,但可以在支持双向认证的同时,保留支持单向认证。
    www.bctest.com
    优质高效的服务 准确有效地数据
    全面公正的测试 科学合理的结论

    谢谢观看





    r
    北京银联金卡科技有限公司 fo
    C
    地址:北京市丰台区科学城外环西路26号院9号楼
    T
    BC

    电话:010-52266900
    传真:01052266910
    网址:www.bctest.com

    www.bctest.com

    You might also like