Cryptography for Payment Professionals

Although cryptography plays an essential part in most modern solutions, especially in payments, cryptographic algorithms remain a black box for most users of these tools. Just as a sane backend developer does not drill down into low-level disk access details of a server filesystem, payments professionals have enough things to worry about before they ever need to bother themselves with debugging an encrypted value or a message digest. However, at a certain point, an engineer faces the need to identify a problem with a particular algorithm or, perhaps, to create a testing tool that would simulate a counterpart in a protocol that involves encryption.

The world of cryptography has moved on with giant leaps. Available technical standards mention acronyms and link to more standards, some of which are very large while others are not available for free. After finding the standards for the algorithm, the specific mode of operation must also be identified. Most implementations use several cryptographic primitives: for example, key derivation with a block cipher, which produces a secret that is used together with a hash function and a double padding scheme to produce a digital signature of a base64-encoded value. Understanding this requires more sifting through online sources, more reading of platform and library documents, and finally, when some code can be written, there are very few test cases to validate it.

Cryptography for Payment Professionals is intended for technical people, preferably with some background in software engineering, who may need to deal with a cryptographic algorithm in the payments realm. It does not cover the payment technology in depth, nor does it provide more than a brief overview of some regulations and security standards. Instead, it focuses on the cryptographic aspects of each field it mentions. Highlights include:

    • Major cryptographic algorithms and the principles of their operation.
    • Cryptographic aspects of card-present (e.g., magnetic stripe, EMV) and online (e.g., e-Commerce and 3DS 2.0) transactions.
    • A detailed description of TDES DUKPT and AES DUKPT protocols, as well as an example implementation and test cases for both.

It is best if the reader understands programming, number and string representations in machine memory, and bit operations. Knowledge of C, Python, or Java may make the examples easier to read but this is not mandatory.

Code related to the book is available at the author’s GitHub site: https://github.com/ilya-dubinsky/cfpp

    Author(s): Ilya Dubinsky
    Publisher: CRC Press/Auerbach
    Year: 2023

    Language: English
    Pages: 203
    City: Boca Raton

    Cover
    Half Title
    Title Page
    Copyright Page
    Dedication
    Contents
    Preface
    Author Biography
    List of Figures
    1. Building Blocks
    1.1. How to Read This Book
    1.2. Notations and Formats
    1.3. Cryptography
    1.3.1. Complexity and feasibility
    1.3.2. Quantum computing
    1.3.3. Basics terms and definitions
    1.3.4. Symmetric and asymmetric algorithms
    1.4. Symmetric Algorithms
    1.4.1. DES (DEA)
    1.4.2. AES
    1.5. Public Key Cryptography
    1.5.1. RSA
    1.5.2. Diffie-Hellman key exchange (DHE)
    1.5.3. Shamir's Secret Sharing (SSS)
    1.6. Elliptic-Curve Cryptography (ECC)
    1.6.1. Background
    1.6.2. Elliptic curve Diffie-Hellman (ECDH)
    1.6.3. Elliptic curve integrated encryption scheme (ECIES)
    1.7. Hash Functions
    1.8. Combining Algorithms
    1.8.1. Padding and cipher block chaining
    1.8.1.1. Padding
    1.8.1.2. Optimal asymmetric encryption padding (OAEP)
    1.8.1.3. Electronic code book (ECB) and cipher block chaining (CBC)
    1.8.2. Combined ciphers
    1.9. Message Authentication Codes
    1.9.1. CMAC
    1.9.2. HMAC
    1.9.3. DSS (DSA)
    1.9.4. ECDSA
    1.9.5. Authenticated encryption
    1.9.6. Galois/Counter mode
    1.10. Randomness and Key Derivation
    1.10.1. NIST 800-108 key derivation functions
    1.10.2. ConcatKDF key derivation function
    1.11. Key Trust and Key Certificates
    2. Understanding Payments
    2.1. Introduction
    2.2. Payment Methods
    2.2.1. Card payments
    2.2.2. Bank transfers
    2.2.3. Digital wallets
    2.2.4. Cryptocurrencies
    2.2.4.1. Blockchain
    2.2.4.2. Payment over blockchain
    2.3. Security of Card Payments
    2.3.1. Card authentication
    2.3.2. Cardholder verification
    2.3.3. Data security
    3. Securing the Plastic: Magnetic Stripe and EMV
    3.1. Overview
    3.2. Definitions and Legacy Mechanisms
    3.2.1. CVV/CVC calculation and CVKs
    3.2.2. PVV, PVKs, and PVKI
    3.3. EMV Transaction Flow
    3.4. Card Authentication
    3.4.1. Static data authentication
    3.4.1.1. Key data format
    3.4.1.2. Key recovery
    3.4.1.3. Authenticating the static data
    3.4.2. Dynamic data authentication
    3.4.2.1. ICC key recovery
    3.4.2.2. Dynamic signature generation
    3.4.2.3. Combined data authentication
    3.4.3. Cardholder verification
    3.4.3.1. PIN block format 2 and offline plaintext validation
    3.4.3.2. Encrypted offline PIN
    3.4.3.3. Online PIN
    3.4.3.4. PIN block formats 0, 1, 3, and 4
    3.4.3.5. Key management methods
    3.4.4. Application cryptograms and issuer authentication
    3.4.4.1. Master key derivation
    3.4.4.2. Session key derivation
    3.4.4.3. Generation of the cryptogram
    3.4.4.4. Issuer authentication
    4. Securing the Network
    4.1. Transport Layer Security (TLS)
    4.1.1. Extensions
    4.1.2. Key exchange
    4.1.3. Server parameters
    4.1.4. Authentication
    4.1.5. Implementation considerations
    4.2. JSON Object Signing and Encryption (JOSE)
    4.2.1. JSON web algorithms (JWA)
    4.2.2. JSON web key (JWK)
    4.2.3. JSON web signature (JWS)
    4.2.4. JSON web encryption (JWE)
    4.3. 3D Secure and EMV 3-D Secure
    4.3.1. Introduction
    4.3.2. Overview
    4.3.3. Key entities and protocol security
    4.3.4. TLS requirements
    4.3.5. Application-level security
    5. Protecting the PIN
    5.1. Introduction
    5.2. Zoning
    5.2.1. PIN translation
    5.2.2. Key exchange and management
    5.3. Key Encryption and Representation
    5.3.1. X9.17 and variant formats
    5.3.2. Key block
    5.3.2.1. Key block header
    5.3.2.2. Encryption and authentication (Binding)
    5.3.2.3. Key block encryption key and key block MAC key generation
    5.4. Derived Unique Key Per Transaction (DUKPT)
    5.4.1. Design considerations
    5.4.2. Key serial number (KSN)
    5.4.3. Initial key derivation
    5.4.4. Intermediate key derivation
    5.4.4.1. TDES DUKPT intermediate key derivation
    5.4.4.2. AES DUKPT intermediate key derivation
    5.4.4.3. Acquiring host intermediate key derivation
    5.4.4.4. Terminal intermediate key derivation
    5.4.5. Working key derivation
    6. Regulation and Compliance
    6.1. Payment Services Directive 2 (PSD2)
    6.2. PCI SSC
    6.2.1. PCI PIN standard
    6.2.2. PCI PIN Transaction Security Standard (PTS), SPoC, and CPoC
    6.3. PCI Point-to-Point Encryption (P2PE)
    6.4. PCI DSS, PCI PA DSS, and PCI 3DS
    6.4.1. PCI Data Security Standard (PCI DSS)
    6.4.2. PCI Payment Application Data Security Standard (PCI PA DSS)
    6.4.3. PCI 3DS
    A. Bits and Digits
    A.1. On XOR and One-Time Pad
    A.2. Parity Bits
    A.3. Rightmost Bit (LSB)
    A.4. Leftmost Bit (MSB)
    A.5. Bit Cardinality
    A.6. Luhn's Algorithm
    A.7. Decimalization
    A.8. Base64 Encoding
    B. Cryptographic Examples
    B.1. Some Cryptographic Libraries
    B.1.1. OpenSSL library
    B.1.1.1. Input/Output
    B.1.1.2. Memory management and error handling
    B.1.1.3. OpenSSL 3.0 and EVP
    B.1.2. Shamir's secret sharing scheme
    B.2. RSA
    B.3. Diffie-Hellman Key Exchange
    B.4. Shamir's Secret Sharing
    B.5. DES and Triple DES
    B.6. AES
    B.7. OAEP
    B.8. DSS (DSA)
    B.9. HMAC and CMAC
    B.10. TLS Client
    B.11. TLS Certificate Examples
    C. EMV Examples
    C.1. Issuer Certificate Generation and Public Key Recovery
    C.2. Static Data Authentication and AFL
    C.3. ICC Certificate Generation and Public Key Recovery
    C.4. Dynamic Signature Generation
    C.5. ICC Master Key Derivation
    C.5.1. Option A
    C.5.2. Option B
    C.5.3. Option C
    C.6. ICC Session Key Derivation
    C.7. ARQC Generation
    C.8. ARPC Generation
    D. PIN Examples
    D.1. PIN Block Formats
    D.2. Variant Key Encryption
    D.3. Key Block Key Derivation
    D.4. TDES DUKPT
    D.4.1. Initial key derivation
    D.4.2. Intermediate key derivation
    D.4.3. Working key derivation
    D.5. AES DUKPT
    D.5.1. Initial key derivation
    D.5.2. Intermediate key derivation
    D.5.3. Working key derivation
    E. JOSE Examples
    E.1. JWE Example
    F. Standard Bodies
    F.1. National Institution of Standards and Technology (NIST)
    F.2. American National Standards Institute (ANSI)
    F.3. International Organization for Standardization (ISO)
    F.4. Internet Engineering Task Force (IETF)
    F.5. International Telecommunication Union (ITU)
    F.6. EMVCo
    F.7. Payment Card Industry Security Standards Council (PCI SSC)
    References
    Index