PCI PIN Security v3.1

Framework

Requirement 10

List of requirements

    • TDEA keys used for encrypting keys must be at least double-length keys (have bit strength of 80 bits) and use the TDEA in an encrypt, decrypt, encrypt mode of operation for key-encipherment. 
    • A double- or triple-length TDEA key must not be encrypted with a TDEA key of lesser strength. 
    • TDEA keys shall not be used to protect AES keys. 
    • TDEA keys shall not be used to encrypt keys greater in strength than 112 bits. 
    • RSA keys used to transmit or convey other keys must have bit strength of at least 80 bits. 
    • RSA keys encrypting keys greater in strength than 80 bits shall have bit strength at least 112 bits. 
    Note: Entities using POI version 1 and/or version 2 devices may use RSA key sizes of 1024 and/or SHA-1 if the devices do not support RSA key sizes of 2048 or SHA-2. However, in all cases, POI version 3 or higher devices must implement RSA using key sizes of 2048 or higher and SHA-2 when used for key distribution using asymmetric techniques in accordance with Annex A.
    Testing Procedures:
    10-1.a Examine documented procedures to verify there is a requirement that all keys used to transmit or convey other cryptographic keys must be at least as strong as any key transmitted or conveyed, except as noted for RSA keys.
    10-1.b Using the network schematic and the summary listing of cryptographic keys and through interview of personnel, identify keys that protect other keys for transmission. Consider keys manually transferred (e.g., cryptograms sent to an ESO) as well as those that are system-generated and transferred (e.g., KEK or TMK encrypting working keys).
    10-1.c Observe key-generation processes for the key types identified above. Verify that all keys used to transmit or convey other cryptographic keys are at least as strong as any key transmitted or conveyed except as noted for RSA keys. To verify this: 
    • Interview appropriate personnel and examine documented procedures for the creation of these keys. 
    • Using the table in Annex C, validate the minimum respective key sizes for TDEA, RSA, Elliptic Curve, DSA, and Diffie Hellman algorithms where used for key encryption. 
    • Verify that: 
      • TDEA keys used for encrypting keys must be at least double-length keys (have bit strength of 80 bits) and use the TDEA in an encrypt, decrypt, encrypt mode of operation for key-encipherment. 
      • A double- or triple-length TDEA key must not be encrypted with a TDEA key of lesser strength. 
      • TDEA keys are not used to protect AES keys. 
      • TDEA keys shall not be used to encrypt keys greater in strength than 112 bits. 
      • RSA keys used to transmit or convey other keys have bit strength of at least 80 bits. 
      • RSA keys encrypting keys greater in strength than 80 bits have bit strength at least 112 bits. 
      • Any POI device that is version 3 or higher is using RSA with a key size of at least 2048 and SHA-2, where applicable. Use as necessary the device information used in Requirement 1. 
    10-1.d Examine system documentation and configuration files to validate the above, including HSM settings. 
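
The key-strength rules above can be checked mechanically against a key inventory. The following is an added example, not part of PCI PIN Security or of this site: the key-type labels, the `STRENGTH` table and the inventory are constructed, and the strength values are assumed from commonly cited NIST SP 800-57 equivalences (the page itself only states 80 bits for double-length TDEA), so confirm them against Annex C. It does not cover the POI version note.

```python
# Effective strength in bits per key type (assumed values, see lead-in).
STRENGTH = {
    "TDEA-1": 56, "TDEA-2": 80, "TDEA-3": 112,
    "AES-128": 128, "AES-192": 192, "AES-256": 256,
    "RSA-1024": 80, "RSA-2048": 112, "RSA-3072": 128,
}

def check_wrap(kek, target):
    """Return the Requirement 10 findings for `kek` protecting `target`."""
    if kek not in STRENGTH or target not in STRENGTH:
        return ["unknown key type: look up its strength in Annex C"]
    k_alg, t_alg = kek.split("-")[0], target.split("-")[0]
    k, t = STRENGTH[kek], STRENGTH[target]
    findings = []
    if k_alg == "RSA":
        # RSA is the stated exception to "at least as strong as the key conveyed".
        if k < 80:
            findings.append("RSA transport key below 80-bit strength")
        if t > 80 and k < 112:
            findings.append("RSA key under 112 bits conveys a key stronger than 80 bits")
        return findings
    if k < t:
        findings.append("key-encrypting key is weaker than the key it conveys")
    if k_alg == "TDEA":
        if k < 80:
            findings.append("TDEA key-encrypting key is not at least double-length")
        if t_alg == "AES":
            findings.append("TDEA key protects an AES key")
        if t > 112:
            findings.append("TDEA key encrypts a key stronger than 112 bits")
    return findings

def audit(inventory):
    """Map each non-compliant (kek, target) pair to its findings."""
    results = {pair: check_wrap(*pair) for pair in inventory}
    return {pair: f for pair, f in results.items() if f}

# Constructed key hierarchy: (key-encrypting key, key being conveyed).
INVENTORY = [
    ("TDEA-2", "TDEA-2"), ("TDEA-2", "TDEA-3"), ("TDEA-3", "AES-128"),
    ("RSA-1024", "TDEA-3"), ("RSA-2048", "AES-128"), ("AES-128", "AES-256"),
]

if __name__ == "__main__":
    for pair, findings in audit(INVENTORY).items():
        print(pair, "->", "; ".join(findings))
```
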
