Payment Card Industry 3-D Secure (PCI 3DS)
Standard
Security Objective 3.2
List of requirements
Requirements:
3.2 Random Number Generator(s)
All random numbers used by the 3DS SDK are generated using only approved random number generation (RNG) algorithms or libraries. Approved RNG algorithms or libraries are those meeting industry standards for sufficient unpredictability (e.g., NIST Special Publication 800-22).
Note: Proof that RNG algorithms or libraries meet industry standards may include recognition by industry bodies, or evidence to show where those RNG algorithms or libraries were assessed to ensure that the random numbers generated are sufficiently unpredictable.
Assessment Procedures:
T.3.2.1 The tester shall examine vendor materials and other evidence, including source code, to determine the implementation of all random number generation functions used in the 3DS SDK implementation.
T.3.2.2 The tester shall examine vendor materials and other evidence, including source code, to determine all functions of the 3DS SDK that rely upon the on-device generation of random numbers. This should include uses such as random values required in secure communications channels (such as TLS).
T.3.2.3 The tester shall confirm that the 3DS SDK does not rely solely on any on-device random number generators and always uses an RNG provided by or within the 3DS SDK for the purposes of generating random values that are relied upon for the secure functionality of the 3DS SDK. The tester shall reference the random values required by the 3DS SDK listed in T.3.2.2. Where any values are generated without the use of the 3DS SDK RNG, the tester shall confirm the use of the RNG is prevented by the platform targeted by the 3DS SDK, and that the use of the on-platform RNG does not violate the security of the 3DS operations.
T.3.2.4 The tester shall confirm that values provided by the RNG are sufficiently random in accordance with Requirement 3.3, “Random Number Entropy.”
T.3.2.5 The tester shall examine vendor materials and other evidence to determine any requirements for the developer integrating the 3DS SDK to ensure that the random numbers are sufficiently random. The tester shall confirm that there is clear and sufficient guidance outlining these requirements made available to stakeholders in accordance with Requirement 5.1, “Availability of Stakeholder Guidance.”
Guidance:
Random numbers are used in numerous software applications, including cryptography, to protect sensitive information. Encryption keys, initialization values (seeds), and 3DS SDK transaction IDs are examples of random numbers used in the 3DS SDK. It is not a trivial endeavor to design and implement a secure random number generator. 3DS SDK Vendors are required to use only approved random number generation algorithms and libraries, or provide evidence to illustrate how the random number generation algorithms and libraries were tested to confirm that random numbers generated are sufficiently unpredictable. The implementation may rely on either a validated cryptographic library or module (for example, Validated FIPS 140-2 Cryptographic Modules). The Vendor should have a good understanding of the installation, initialization, configuration and usage (for example, initial seeding of the random function) of the RNG mechanisms to ensure that the implementation can meet the effective security strength required for the intended use. The calls to these libraries should also be protected from being hooked.
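The requirement cites NIST Special Publication 800-22 as an example of an industry standard for unpredictability. The following added example (not part of the PCI 3DS text or of any SDK) implements two of that publication's tests, frequency (monobit) and runs, in Python; the function names and the sample inputs are constructed for illustration.

```python
import math
import secrets

ALPHA = 0.01  # significance level used throughout NIST SP 800-22


def to_bits(data: bytes) -> list[int]:
    """Expand bytes into bits, most significant bit first."""
    if not data:
        raise ValueError("empty sample")
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def monobit_p_value(bits: list[int]) -> float:
    """Frequency (monobit) test: are ones and zeros balanced?"""
    s_n = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(len(bits)) / math.sqrt(2))


def runs_p_value(bits: list[int]) -> float:
    """Runs test: does the sequence flip between 0 and 1 at the expected rate?"""
    n = len(bits)
    pi = sum(bits) / n
    # Prerequisite: the test is not applicable (treated as a fail here) when
    # the proportion of ones is too far from 1/2, including constant input.
    if pi in (0.0, 1.0) or abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(bits[k] != bits[k + 1] for k in range(n - 1))
    expected = 2 * n * pi * (1 - pi)
    return math.erfc(abs(v_obs - expected) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def assess(data: bytes) -> dict:
    """Run both tests on one sample; 'passed' means every p-value >= ALPHA."""
    bits = to_bits(data)
    p_values = {"monobit": monobit_p_value(bits), "runs": runs_p_value(bits)}
    return {**p_values, "passed": all(p >= ALPHA for p in p_values.values())}


if __name__ == "__main__":
    # Constructed samples: OS CSPRNG output, a constant buffer, a fixed pattern.
    samples = {
        "secrets.token_bytes": secrets.token_bytes(4096),
        "all zero": bytes(4096),
        "0x55 repeated": b"\x55" * 4096,
    }
    for label, sample in samples.items():
        print(label, assess(sample))
```

The repeated 0x55 pattern passes the monobit test with a p-value of 1.0 and fails the runs test, which is why a single statistical check is not evidence of unpredictability.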