Раздел Control Objective 4 PCI PIN v3.1 - Контроль соответствия

Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner

Requirement 12: Secret and private keys must be input into hardware (host) security modules (HSMs) and POI PIN-acceptance devices in a secure manner.
a) Unencrypted secret or private keys must be entered using the principles of dual control and split knowledge.
b) Key-establishment techniques using public-key cryptography must be implemented securely.

PIN Security Requirements:
12-1 The loading of secret or private keys, when from the individual key components or shares, must be performed using the principles of dual control and split knowledge.
Note: Manual key loading may involve the use of media such as paper, smart cards, or other physical tokens.
Testing Procedures:
12-1.a Using the summary of cryptographic keys, identify keys that are loaded from components and examine documented process to load each key type (MFK, TMK, PEK, etc.) from components to ensure dual control and split knowledge are required.
12-1.b Interview appropriate personnel to determine the number of key components for each manually loaded key.
12-1.c Witness a structured walk-through/demonstration of various key-loading processes for all key types (MFKs, AWKs, TMKs, PEKs, etc. Verify the number and length of the key components against information provided through verbal discussion and written documentation.
12-1.d Verify that the process includes the entry of individual key components by the designated key custodians.
12-1.e Ensure key-loading devices can only be accessed and used under dual control.
12-1.f Examine locations where keys may have been recorded that don't meet this requirement. As applicable, perform the following:

Test a random sample population of ATMs to ensure key or component values are not affixed inside
Examine HSM startup documentation (including Disaster Recovery or Business Continuity Planning documentation) and procedure manuals to ensure that there are no key or component values recorded.

PIN Security Requirements:
12-2 Procedures must be established that will prohibit any one person from having access to components sufficient to form an encryption key when components are removed from and returned to storage for key loading.
Testing Procedures:
12-2. Examine logs of access to security containers for key components/shares to verify that only the authorized custodian(s) have accessed. Compare the number on the current tamper-evident and authenticable package for each component to the last log entry for that component.
Trace historical movement of higher-order keys (MFK, KEK, and BDK) in and out of secure storage to ensure there is no break in the package-number chain that would call into question authorized handling and sufficient storage of the component or share. This must address at a minimum the time frame from the date of the prior audit

PIN Security Requirements:
12-3 The loading of clear-text cryptographic keys using a key-loading device requires dual control to authorize any key-loading session. It shall not be possible for a single person to use the key-loading device to load clear keys alone. Dual control must be implemented using one or more of, but not limited to, the following techniques:

Two or more passwords/authentication codes of five characters or more (vendor default values must be changed)
Multiple cryptographic tokens (such as smartcards), or physical keys
Physical access controls
Separate key-loading devices for each component/share

Note: For devices that do not support two or more passwords/authentication codes, this may be achieved by splitting the single password used by the device into two halves, each half controlled by a separate authorized custodian. Each half must be a minimum of five characters.
Note: Passwords/authentication codes to the same object may be assigned to a custodian group team⎯e.g., custodian team for component A.
Note: The addition of applications that replace or disable the PCI-evaluated firmware functionality invalidates the device approval for each such implementation unless those applications are validated for compliance to PTS POI Security Requirements and listed as such in the approval listings. If modified PEDs are not validated and approved to the KLD approval class, they must be managed in accordance with Annex B Requirement 13-9.
Testing Procedures:
12-3.a Identify instances where a key-loading device is used to load clear-text keys. Examine documented procedures for loading of clear-text cryptographic keys, to verify:

Procedures require dual control to authorize any key-loading session.
The techniques to be used to achieve dual control are identified.
There is a requirement to change any default passwords/authentication codes and set passwords/authentication codes that have at least five characters.
There is a requirement that if passwords/authentication codes or tokens are used, they be maintained separately.

12-3.b For each type of production SCDs loaded using a key-loading device, observe the process (e.g., a demonstration) of loading clear-text cryptographic keys and interview personnel. Verify that:

Dual control is necessary to authorize the key-loading session.
Expected techniques are used.
Default passwords/authentication codes are reset.
Any passwords/authentication codes used are a minimum of five characters.
Any passwords/authentication codes or tokens are maintained separately.

12-3.c Examine documented records of key-loading to verify the presence of two authorized persons during each type of key-loading activity.
12-3.d Ensure that any default dual-control mechanisms (e.g., default passwords/authentication codes—usually printed in the vendor's manual—in a key-loading device) have been disabled or changed.

PIN Security Requirements:
12-4 Key components for symmetric keys must be combined using a process such that no active bit of the key can be determined without knowledge of the remaining components⎯for example, via XOR‘ing of full-length components.
The resulting key must only exist within the SCD.
Note: Concatenation of key components together to form the key is unacceptable; e.g., concatenating two 8-hexadecimal character halves to form a 16-hexadecimal secret key.
Testing Procedures:
12-4.a Examine documented procedures for combining symmetric-key components and observe processes to verify that key components are combined using a process such that no active bit of the key can be determined without knowledge of the remaining components⎯e.g., only within an SCD.
12-4.b Confirm key-component lengths through interview and examination of blank component forms and documented procedures. Examine device configuration settings and interview personnel to verify that key components used to create a key are the same length as the resultant key.

PIN Security Requirements:
12-5 Hardware security module (HSM) Master File Keys, including those generated internal to the HSM and never exported, must be at least double-length keys and use the TDEA (including parity bits) or AES using a key size of at least 128 bits.
Testing Procedures:
12-5 Examine vendor documentation describing options for how the HSM MFK is created and verify the current MFK was created using AES or double- or triple-length TDEA. Corroborate this via observation of processes, with information gathered during the interview process, and procedural documentation provided by the entity under review.

PIN Security Requirements:
12-6 Any other SCD loaded with the same key components must combine all entered key components using the identical process.
Testing Procedures:
12-6 Through examination of documented procedures, interviews, and observation, confirm that any devices that are loaded with the same key components use the same mathematical process to derive the final key.

PIN Security Requirements:
12-7 The initial terminal master key (TMK) or initial DUKPT key must be loaded to the device using either asymmetric key-loading techniques or manual techniques—e.g., the device keypad, IC cards, key-loading device, etc. Subsequent loading of the terminal master key or an initial DUKPT key may use techniques described in this document such as:

Asymmetric techniques
Manual techniques
The existing TMK to encrypt the replacement TMK for download
For AES DUKPT, using the option to derive a key-encryption key called the DUKPT Update Key so that the host can send a device a new initial key encrypted under that key. Note this also requires that a new initial key ID is also sent

Keys shall not be reloaded by any methodology in the event of a compromised device and must be withdrawn from use.
Testing Procedures:
12-7.a Examine documented procedures for the loading of TMKs and initial DUKPT keys to verify that they require asymmetric key-loading techniques or manual techniques for initial loading and allowed methods for replacement TMK or initial DUKPT key loading.
12-7.b Examine documented procedures to verify that keys are withdrawn from use if they were loaded to a device that has been compromised or gone missing.

PIN Security Requirements:
12-8 If key-establishment protocols using public-key cryptography are used to distribute secret keys, these must meet the requirements detailed in Annex A of this document. For example:
A public-key technique for the distribution of symmetric secret keys must:

Use public and private key lengths that are in accordance with Annex C for the algorithm in question (e.g., 1024-bits minimum for RSA).
Use key-generation techniques that meet the current ANSI and ISO standards for the algorithm in question.
Provide for mutual device authentication for both the host and the POI device or host-to-host if applicable, including assurance to the host that the POI device has (or can compute) the session key, and that no entity other than the POI device specifically identified can possibly compute the session key.

Testing Procedures:
12-8.a For techniques involving public-key cryptography, examine documentation to illustrate the process, including the size and sources of the parameters involved, and the mechanisms utilized for mutual device authentication for both the host and the POI.
12-8.b If key-establishment protocols using public-key cryptography are used to distribute secret keys, verify that the remote key requirements detailed in Annex A of this document are met, including:

Use of public and private key lengths that are in accordance with Annex C for the algorithm in question (e.g., 1024-bits minimum for RSA).
Use of key-generation techniques that meet the current ANSI and ISO standards for the algorithm in question.
Providing for mutual device authentication for both the host and the POI device or host-to-host if applicable.

Requirement 13: The mechanisms used to load secret and private keys—such as terminals, external PIN pads, key guns, or similar devices and methods—must be protected to prevent any type of monitoring that could result in the unauthorized disclosure of any component.

PIN Security Requirements:
13-1 Clear-text secret and private keys and key components must be transferred into an SCD only when it can be ensured that:

Any cameras present in the environment must be positioned to ensure they cannot monitor the entering of clear-text key components.
There is not any mechanism at the interface between the conveyance medium and the SCD that might disclose the transferred keys.
The sending and receiving SCDs must be inspected prior to key loading to ensure that they have not been subject to any prior tampering or unauthorized modification that could lead to the disclosure of clear-text keying material.
SCDs must be inspected to detect evidence of monitoring and to ensure dual control procedures are not circumvented during key loading.
An SCD must transfer a plaintext secret or private key only when at least two authorized individuals are uniquely identified by the device.

Testing Procedures:
13-1 Observe key-loading environments, processes, and mechanisms (for example, terminals, PIN pads, key guns, etc.) used to transfer keys and key components. Perform the following:

Ensure that any cameras present are positioned to ensure they cannot monitor the entering of clear-text key components
Examine documented procedures to determine that they require that keys and components are transferred into an SCD only after an inspection of the devices and mechanism; and verify they are followed by observing a demonstration that:
- SCDs must be inspected to detect evidence of monitoring and to ensure dual-control procedures are not circumvented during key loading.
- An SCD must transfer a plaintext secret or private key only when at least two authorized individuals are identified by the device.
- There is not any mechanism (including cabling) at the interface between the conveyance medium and the SCD device that might disclose the transferred keys.
- The SCD is inspected to ensure it has not been subject to any prior tampering or unauthorized modification, which could lead to the disclosure of clear-text keying material.

PIN Security Requirements:
13-2 Only SCDs shall be used in the loading of clear-text secret or private keys or their components outside of a secure key-loading facility, as delineated in the requirements contained in Annex B. For example, ATM controller (computer) keyboards or those attached to an HSM shall never be used for the loading of clear-text secret or private keys or their components.
Note: The addition of applications that replace or disable the PCI-evaluated firmware functionality invalidates the device approval for each such implementation unless those applications are validated for compliance to PTS POI Security Requirements and listed as such in the approval listings. If modified PEDs are not validated and approved to the KLD approval class, they must be managed in accordance with Annex B Requirement 13-9.
Testing Procedures:
13-2.a Examine documentation to verify that only SCDs are used in the loading of clear-text secret or private keys or their components outside of a secure key-loading facility, as delineated in this requirement. For example, ATM keyboards or keyboards attached to an HSM shall never be used for the loading of clear-text secret or private keys or their components.
13-2.b Observe a demonstration of key-loading to verify that only SCDs are used in the loading of clear-text secret or private keys or their components outside of a secure key-loading facility.

PIN Security Requirements:
13-3 The loading of plaintext secret or private key components or shares from an electronic medium—e.g., smart card, thumb drive, fob, or other device used for data transport—directly into a cryptographic device (and verification of the correct receipt of the component, if applicable) results in either of the following:

The electronic media are placed into secure storage and managed under dual control (only if there is a possibility they will be required for future reloading of the component into the cryptographic device); or

All traces of the component are erased or otherwise destroyed from the electronic media in accordance with Requirement 24.

Testing Procedures:

13-3.a Examine documented procedures for the loading of secret or private key components from an electronic medium to a cryptographic device. Verify that procedures define specific instructions to be followed as a result of key loading, including:

Instructions for the medium to be placed into secure storage and managed under dual control (only if there is a possibility it will be required for future reloading of the component into the cryptographic device); or
Instructions to erase or otherwise destroy all traces of the component from the electronic medium, including the method to use.

13-3.b Observe key-loading processes to verify that the loading process results in one of the following:

The medium used for key loading is placed into secure storage and managed under dual control (only if there is a possibility it will be required for future reloading of the component into the cryptographic device); or
All traces of the component are erased or otherwise destroyed from the electronic medium.

13-3.c Examine records/logs of erasures to confirm that:

The documented procedure was followed.
The method used was in accordance with Requirement 24.

PIN Security Requirements:
13-4 For secret or private keys transferred from the cryptographic hardware that generated the key to an electronic key-loading device:
Testing Procedures:
13-4 Examine documented procedures and observe processes for the use of key-loading devices. Perform the following:

PIN Security Requirements:
13-4.1 The key-loading device must be a physically secure SCD, designed and implemented in such a way that any unauthorized disclosure of the key is prevented or detected.
Note: A PCI-approved KLD meets this requirement for a SCD.
Testing Procedures:
13-4.1 Verify the key-loading device is a physically secure SCD, designed and implemented in such a way that any unauthorized disclosure of the key is prevented or detected.

PIN Security Requirements:
13-4.2 The key-loading device must be under the supervision of a person authorized by management or stored in a secure container such that no unauthorized person can have access to it.
Testing Procedures:
13-4.2 Verify the key-loading device is under the supervision of a person authorized by management or stored in a secure container such that no unauthorized person can have access to it.

PIN Security Requirements:
13-4.3 The key-loading device must be designed or controlled so that only authorized personnel under dual control can use and enable it to output a key into another SCD. Such personnel must ensure that a key-recording device is not inserted between the SCDs.
Testing Procedures:
13-4.3.a Verify the key-loading device is designed or controlled so that only authorized personnel under dual control can use and enable it to output a key into another SCD.
13-4.3.b Verify that both authorized personnel involved in key-loading activity inspect the key-loading device prior to use to ensure that a key-recording device has not been inserted between the SCDs.

PIN Security Requirements:
13-4.4 The key-loading device must not retain any information that might disclose the key (e.g., allow replay of the key for injection into a non-SCD) that was installed in the device or a key that it has successfully transferred.
Testing Procedures:
13-4.4 Verify the key-loading device does not retain any information that might disclose the key or a key that it has successfully transferred. For example, attempt to output the same value more than one time from the device or cause the device to display check values for its contents both before and after injection and compare.

PIN Security Requirements:
13-5 Any media (electronic or otherwise) containing secret or private key components or shares used for loading cryptographic keys must be maintained in a secure storage location and accessible only to authorized custodian(s). When removed from the secure storage location, media or devices containing key components or used for the injection of clear-text cryptographic keys must be in the physical possession of only the designated component holder(s), and only for the minimum practical time necessary to complete the key-loading process.
The media upon which a component resides must be physically safeguarded at all times when removed from secure storage. Key components that can be read (for example, those printed on paper or stored on magnetic cards, PROMs, or smartcards) must be managed so they are never used in a manner that would result in the component being displayed in clear text to anyone who is not a designated custodian for that component.
Testing Procedures:
13-5.a Interview personnel and observe media locations to verify that the media is maintained in a secure storage location accessible only to custodian(s) authorized to access the key components.
13-5.b Examine documented procedures for removing media or devices containing key components—or that are otherwise used for the injection of cryptographic keys—from the secure storage location. Verify procedures include the following:

Requirement that media/devices be in the physical possession of only the designated component holder(s).
The media/devices are removed from secure storage only for the minimum practical time necessary to complete the key-loading process

13-5.c Interview designated component holder(s) and examine key-management logs to verify that media or devices removed from secure storage are in the physical possession of only the designated component holder(s).
13-5.d Interview key-injection personnel and examine logs for the removal of media/devices from secure storage to verify they are removed only for the minimum practical time necessary to complete the key-loading process.

PIN Security Requirements:
13-6 If the component is in human-readable form (e.g., printed within a PIN-mailer type document), it must be visible only to the designated component custodian and only for the duration of time required for this person to privately enter the key component into an SCD.
Testing Procedures:
13-6 Validate through interview and observation that printed key components are not opened until just prior to entry into the SCD. Plaintext secret and/or private keys and/or their components are visible only to key custodians for the duration of loading into an SCD.

PIN Security Requirements:
13-7 Written or printed key-component documents must not be opened until immediately prior to use.
Testing Procedures:
13-7.a Examine documented procedures and confirm that printed/written key-component documents are not opened until immediately prior to use.
13-7.b Observe key-loading processes and verify that printed/written key components are not opened until immediately prior to use.

PIN Security Requirements:
13-8 A person with access to any component or share of a secret or private key, or to the media conveying this value, must not have access to other components or shares of this key or to any other medium containing other components or shares of this key that are sufficient to form the necessary threshold to derive the key.
E.g., in an m-of-n scheme (which must use a recognized secret-sharing scheme such as Shamir), such that any three key components or shares (i.e., m = 3) can be used to derive the key, no single individual can have access to more than two components/shares.
Testing Procedures:
13-8.a Examine documented procedures for the use of key components to verify that procedures ensure that any individual custodian only has access to their assigned components and never has access to sufficient key components to reconstruct a cryptographic key.
13-8.b Examine key-component access controls and access logs to verify that any single authorized custodian can and has only had access to their assigned component(s) and cannot access sufficient key components to reconstruct a cryptographic key

Requirement 14: All hardware and access/authentication mechanisms (e.g., passwords/authentication codes) used for key loading must be managed under the principle of dual control.

PIN Security Requirements:
14-1 Any hardware and passwords/authentication codes used in the key-loading function must be controlled and maintained in a secure environment under dual control. Resources (e.g., passwords/authentication codes and associated hardware) must be managed such that no single individual has the capability to enable key loading of clear-text keys or their components. This is not to imply that individual access authentication mechanisms must be managed under dual control.
Note: Where key-loading is performed for POIs, the secure environment is defined in Annex B.
Testing Procedures:
14-1.a Examine documented procedures to verify they require the following:

Any hardware used in the key-loading function must be controlled and maintained in a secure environment under dual control.
Any resources (e.g., passwords/authentication codes and associated hardware) used in the key-loading function must be controlled and managed such that no single individual has the capability to enable key loading of clear-text keys or their components.

14-1.b Observe key-loading environments and controls to verify the following:

All hardware used in the key-loading function is controlled and maintained in a secure environment under dual control.
All resources (e.g., passwords/authentication codes and associated hardware) used for key-loading functions are controlled and managed such that no single individual has the capability to enable key loading.

PIN Security Requirements:
14-2 All cable attachments over which clear-text keying material traverses must be examined at the beginning of an entity's key-activity operations (system power on/authorization) to ensure they have not been tampered with or compromised.
Testing Procedures:
14-2.a Examine documented procedures to ensure they require that cable attachments are examined at the beginning of an entity's key-activity operations (system power on/authorization).
14-2.b Observe key-loading processes to verify that all cable attachments are properly examined at the beginning of an entity's key-activity operations (system power on/authorization).

PIN Security Requirements:
14-3 Key-loading equipment usage must be monitored, and a log of all key-loading activities maintained for audit purposes shall contain, at a minimum, date, time, personnel involved, and number of devices keys are loaded to.
Testing Procedures:
14-3.a Observe key-loading activities to verify that key-loading equipment usage is monitored.
14-3.b Verify logs of all key-loading activities are maintained and contain all required information.

PIN Security Requirements:
14-4 Any physical tokens (e.g., brass keys or chip cards) used to enable key-loading must not be in the control or possession of any one individual who could use those tokens to load secret or private cryptographic keys under single control. These tokens must be secured in a manner similar to key components, including tamper-evident, authenticable packaging and the use of access-control logs for when removed or placed into secure storage.
Testing Procedures:
14-4.a Examine documented procedures for the use of physical tokens (e.g., brass keys or chip cards) to enable key loading. Verify procedures require that physical tokens must not be in the control or possession of any one individual who could use those tokens to load secret or private cryptographic keys under single control.
14-4.b Inspect locations and controls for physical tokens to verify that tokens used to enable key loading are not in the control or possession of any one individual who could use those tokens to load secret or private cryptographic keys under single control.
14-4.c Examine storage locations for physical tokens to determine adequacy to ensure that only the authorized custodian(s) can access their specific tokens.
14-4.d Verify that access-control logs exist and are in use including notation of tamper-evident, authenticable bag numbers.
14-4.e Reconcile storage contents to access-control logs.

PIN Security Requirements:
14-5 Default passwords/authentication codes used to enforce dual control must be changed, and documented procedures must exist to require that these password/PINs be changed when assigned personnel change.
Testing Procedures:
14-5.a Verify that documented procedures require default passwords/authentication codes used to enforce dual control are changed.
14-5.b Verify that documented procedures exist to require that these passwords/authentication codes be changed when assigned personnel change.

Requirement 15: The loading of keys or key components must incorporate a validation mechanism such that the authenticity of the keys is ensured, and it can be ascertained that they have not been tampered with, substituted, or compromised.

PIN Security Requirements:
15-1 A cryptographic-based validation mechanism must be in place to ensure the authenticity and integrity of keys and/or their components (for example, testing key check values, hashes, or other similar unique values that are based upon the keys or key components being loaded). See ISO 11568. Where check values are used, recorded, or displayed, key-component check values and key check values shall be generated by a cryptographic process such that all portions of the key or key component are involved in generating the check value. The check value shall be in accordance with the following note.
Note: Check values may be computed by two methods. TDEA may use either method. AES must only use the CMAC method. In the first method, check values are computed by encrypting an all binary zeros block using the key or component as the encryption key, using the leftmost n-bits of the result; where n is at most 24 bits (6 hexadecimal digits/3 bytes). In the second method the KCV is calculated by MACing an all binary zeros block using the CMAC algorithm as specified in ISO 9797-1 (see also NIST SP 800-38B). The check value will be the leftmost n-bits of the result, where n is at most 40 bits (10 hexadecimal digits). The block cipher used in the CMAC function is the same as the block cipher of the key itself. A TDEA key or a component of a TDEA key will be MACed using the TDEA block cipher, while a 128-bit AES key or component will be MACed using the AES-128 block cipher.
Testing Procedures:
15-1.a Examine documented procedures to verify a cryptographic-based validation mechanism is in place to ensure the authenticity and integrity of keys and/or components.
15-1.b Observe the key-loading processes to verify that the defined cryptographic-based validation mechanism used to ensure the authenticity and integrity of keys and components is being used and are verified by the applicable key custodians.
15-1.c Verify that the methods used for key validation are consistent with ISO 11568—for example, if check values are used, they are in accordance with this requirement.

PIN Security Requirements:
15-2 The public key must have its authenticity and integrity ensured. In order to ensure authenticity and integrity, a public key must be encrypted in accordance with Annex C, or if in plaintext form, must:

Be within a certificate as defined in Annex A; or
Be within a PKCS#10 (authentication and integrity occurs via other mechanisms); or
Be within an SCD; or
Have a MAC (message authentication code) created using the algorithm defined in ISO 16609.

Testing Procedures:

15-2.a Interview personnel and review documented procedures to verify that all public keys exist only in an approved form.
15-2.b Observe public-key stores and mechanisms to verify that public keys exist only in an approved form.

Requirement 16: Documented procedures must exist and be demonstrably in use (including audit trails) for all key-loading activities.

PIN Security Requirements:
16-1 Documented key-loading procedures must exist for all devices (e.g., HSMs and POIs), and all parties involved in cryptographic key loading must be aware of those procedures.
Testing Procedures:
16-1.a Verify documented procedures exist for all key-loading operations.
16-1.b Interview responsible personnel to verify that the documented procedures are known and understood by all affected parties for all key-loading operations.
16-1.c Observe key-loading process for keys loaded as components and verify that the documented procedures are demonstrably in use. This may be done as necessary on test equipment—e.g., for HSMs.

PIN Security Requirements:
16-2 All key-loading events must be documented. Audit trails must be in place for all key-loading events.
Testing Procedures:
16-2 Examine log files and observe logging processes to verify that audit trails are in place for all key-loading events.

PCI PIN Security v3.1

Framework

Control Objective 4

Список требований