Financial

Financial industry software standards are published by X9, ISO, ANSI, and ASC. They include the X9 Encryption Collection package and cover symmetric ciphers, their key management and life cycle; concepts, requirements and evaluation methods; security compliance checklists for devices used in financial transactions; recommendations on cryptographic algorithms and their use; the Digital Signature Algorithm (DSA); the Secure Hash Algorithm (SHA-1); using factoring-based public key cryptography for unilateral key transport; agreement of symmetric keys using discrete logarithm cryptography; the Elliptic Curve Digital Signature Algorithm (ECDSA); key agreement and key transport using elliptic curve cryptography; Elliptic Curve Pintsov-Vanstone Signatures (ECPVS); wrapping of keys and associated data; and requirements for protection of sensitive payment card data.

X9 Encryption Collection

ANSI/X9 TR-39, ANSI X9.24-1, ANSI X9.24-2, ANSI X9.92-1 and ASC X9.80

The X9 Encryption Collection includes guidelines for secure management, numerous techniques for generating primes needed by public key cryptographic algorithms, and guidelines for the encryption of PINs used for retail financial services. It also provides methods for digital signature generation and verification and covers the manual and automated management of keying material used for financial services.

ISO 11568:2023

Financial services - Key management (retail)

This document describes the management of symmetric and asymmetric cryptographic keys that can be used to protect sensitive information in financial services related to retail payments. The document covers all aspects of retail financial services, including connections between a card-accepting device and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device. It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving, replacement and destruction of the keying material. This document covers manual and automated management of keying material, and any combination thereof, used for retail financial services. It includes guidance and requirements related to key separation, substitution prevention, identification, synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key management events. Requirements associated with hardware used to manage keys have also been included in this document.

ISO 13491-1:2024

Financial services - Secure cryptographic devices (retail) - Part 1: Concepts and requirements

This document specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in the ISO 9564 series, ISO 16609 and ISO 11568. This document states the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle. This document does not address issues arising from the denial of service of an SCD. This document does not address software services that use multi-party computation (MPC) to achieve some security objectives and, relying on these, offer cryptographic services. NOTE These are sometimes called “soft” or software hardware security modules (HSMs) in common language, which is misleading and does not correspond to the definition of HSM in this document.

ISO 13491-2:2023

Financial services - Secure cryptographic devices (retail) - Part 2: Security compliance checklists for devices used in financial transactions

This document specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564-1, ISO 9564-2, ISO 16609, and ISO 11568 in the financial services environment. Integrated circuit (IC) payment cards are subject to the requirements identified in this document up until the time of issue, after which they are to be regarded as a “personal” device and outside of the scope of this document.

ISO/TR 14742:2010

Financial services - Recommendations on cryptographic algorithms and their use

ISO/TR 14742:2010 provides a list of recommended cryptographic algorithms for use within applicable financial services standards prepared by ISO/TC 68. It also provides strategic guidance on key lengths and associated parameters and usage dates. The focus is on algorithms rather than protocols, and protocols are in general not included in ISO/TR 14742:2010. ISO/TR 14742:2010 deals primarily with recommendations regarding algorithms and key lengths. The categories of algorithms covered in ISO/TR 14742:2010 are: block ciphers; stream ciphers; hash functions; message authentication codes (MACs); asymmetric algorithms; digital signature schemes giving message recovery, digital signatures with appendix, asymmetric ciphers; authentication mechanisms; key establishment and agreement mechanisms; key transport mechanisms. ISO/TR 14742:2010 does not define any cryptographic algorithms; however, the standards to which ISO/TR 14742:2010 refers may contain necessary implementation information as well as more detailed guidance regarding choice of security parameters, security analysis, and other implementation considerations.

ANSI X9.30-1:1997

Public Key Cryptography Using Irreversible Algorithms - Part 1: The Digital Signature Algorithm (DSA)

Defines a method for digital signature generation and verification for the protection of messages and data using the Digital Signature Algorithm (DSA). This standard is used in conjunction with the hash function, as defined in American National Standard for Public Key Cryptography - Part 2: The Secure Hash Algorithm (SHA-1), BSR X9.30.2. In addition, this standard provides the criteria for the generation of public and private keys that are required by the algorithm and the procedural controls required for the secure use of the algorithm. Specific sections include definitions and common abbreviations, application, the DSA, Generation of Primes for the DSA, Random Number Generation for the DSA.

ANSI X9.30-2:1997

Public Key Cryptography Using Irreversible Algorithms - Part 2: The Secure Hash Algorithm (SHA-1)

Produces a 160-bit representation of the message, called the message digest, when a message with a bit length less than 2^64 is input. The message digest is computed and used during the generation of a signature for the message. The SHA-1 is also used to compute a message digest for the received version of the message during the process of verifying the signature. Any change to the message in transit will, with a very high probability, result in a different message digest, and the signature will fail to verify. The Secure Hash Algorithm (SHA-1) described in this standard is required for use with the Digital Signature Algorithm and may be used whenever a secure hash algorithm is required.

ASC X9 TR 34-2019

Interoperable Method for Distribution of Symmetric Keys Using Asymmetric Techniques: Part 1 - Using Factoring-Based Public Key Cryptography Unilateral Key Transport

TR-34 describes a method consistent with the requirements of ANS X9.24-2 (Retail Financial Services Symmetric Key Management - Part 2: Using Asymmetric Techniques for the Distribution of Symmetric Keys) for the secure exchange of keys using asymmetric techniques between two devices that share asymmetric keys. This method is designed to operate within the existing capabilities of devices used in the retail financial services industry. Includes Corrigendum.

ANSI X9.42-2003 (R2013)

Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography

This standard, partially adapted from ISO 11770-3 (see [13]), specifies schemes for the agreement of symmetric keys using Diffie-Hellman and MQV algorithms. It covers methods of domain parameter generation, domain parameter validation, key pair generation, public key validation, shared secret value calculation, key derivation, and test message authentication code computation for discrete logarithm problem based key agreement schemes. These methods may be used by different parties to establish a piece of common shared secret information such as cryptographic keys. The shared secret information may be used with symmetrically-keyed algorithms to provide confidentiality, authentication, and data integrity services for financial information, or used as a key-encrypting key with other ASC X9 key management protocols. The key agreement schemes given herein do not provide certain desired assurances of security, such as key confirmation and entity authentication. However, these schemes may be used in conjunction with key confirmation and entity authentication mechanisms in key establishment protocols that are specified in other ASC X9 standards. These key agreement schemes may be used as subroutines to build key establishment protocols (see [8]). The key establishment methods specified in ANS X9.63 provide examples of mechanisms for obtaining these additional security properties. Further references for key agreement can be found in [33].

ANSI X9.62:2005

Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA)

This Standard defines methods for digital signature (signature) generation and verification for the protection of messages and data using the Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA is the elliptic curve analogue of the Digital Signature Algorithm (ANS X9.30). The ECDSA shall be used in conjunction with an Approved hash function, as specified in X9 Registry Item 00003, Secure Hash Standard (SHS). The hash functions Approved at the time of publication of this document are SHA-1 (see NOTE), SHA-224, SHA-256, SHA-384 and SHA-512. This ECDSA Standard provides methods and criteria for the generation of public and private keys that are required by the ECDSA and the procedural controls required for the secure use of the algorithm with these keys. This ECDSA Standard also provides methods and criteria for the generation of elliptic curve domain parameters that are required by the ECDSA and the procedural controls required for the secure use of the algorithm with these domain parameters.

ANSI X9.63-2011 (R2017)

Public Key Cryptography for the Financial Services Industry - Key Agreement and Key Transport Using Elliptic Curve Cryptography

Defines key establishment schemes that employ asymmetric cryptographic techniques. The arithmetic operations involved in the operation of the schemes take place in the algebraic structure of an elliptic curve over a finite field. Both key agreement and key transport schemes are specified. The schemes may be used by two parties to compute shared keying data that may then be used by symmetric schemes to provide cryptographic services, e.g., data confidentiality and data integrity. Supporting mathematical definitions and examples are also provided.

ANSI X9.73-2023

Cryptographic Message Syntax (CMS)

This standard specifies a cryptographic syntax scheme that can be used to protect financial transactions, files and other messages from unauthorized disclosure and modification. The cryptographic syntax scheme is based on an abstract Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using either a compact, efficient, binary encoding, or as a flexible, human-readable, XML markup format.

ANSI X9.92-1-2009 (R2017)

Public Key Cryptography for the Financial Services Industry - Digital Signature Algorithms Giving Partial Message Recovery - Part 1: Elliptic Curve Pintsov-Vanstone Signatures (ECPVS)

This Standard defines methods for digital signature generation and verification for the protection of messages and data giving partial message recovery. This document is Part 1 of this Standard, and it defines the Elliptic Curve Pintsov-Vanstone Signature (ECPVS) digital signature algorithm. Part 2 of this Standard defines the Finite Field Pintsov-Vanstone Signature (FFPVS) digital signature algorithm. ECPVS is a signature scheme with low message expansion (overhead) and variable length recoverable and visible message parts. ECPVS is ideally suited for short messages, yet is flexible enough to handle messages of any length. The ECPVS shall be used in conjunction with an Approved hash function and an Approved symmetric encryption scheme. In addition, this ECPVS Standard provides the criteria for checking the message redundancy.

ANSI X9.97-1-2024

Financial services - Secure cryptographic devices (retail) - Part 1: Concepts, requirements and evaluation methods (identical national adoption of ISO 13491-1-2016)

This part of ANSI X9.97 specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in ISO 9564, ISO 16609, and ISO 11568. This part of ANSI X9.97 has two primary purposes: to state the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle, and to provide guidance for methodologies to verify compliance with those requirements. This guidance is contained in Annex A. ANSI X9.97-2 specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564-1, ISO 9564-2, ISO 16609, ISO 11568-1, ISO 11568-2, ISO 11568-3, ISO 11568-4, ISO 11568-5, and ISO 11568-6 in the financial services environment. Annex A provides an informative illustration of the concepts of security levels described in this part of ANSI X9.97 as being applicable to SCDs. This part of ANSI X9.97 does not address issues arising from the denial of service of an SCD. Specific requirements for the security characteristics and management of specific types of SCD functionality used in the retail financial services environment are contained in ANSI X9.97-2.

ANSI X9.102-2020

Symmetric Key Cryptography for the Financial Services Industry - Wrapping of Keys and Associated Data

This standard specifies four key wrap mechanisms based on ASC X9 approved symmetric key block ciphers whose block size is either 64 bits or 128 bits. The key wrap mechanisms can provide assurance of the confidentiality and the integrity of data, especially cryptographic keys or other specialized data.

ANSI X9.119-1-2025

Retail Financial Services - Requirements for Protection of Sensitive Payment Card Data - Part 1: Using Encryption Methods

This part of X9.119 defines minimum security requirements when employing encryption methods to protect sensitive payment card data. For the purpose of this standard “protection” refers to maintaining the secrecy of the data from unauthorized disclosure. It applies to protection of the data from the point of encryption to the point of decryption, wherever those points may be in a given system.