The Chinese government is looking to force security vendors to disclose their encryption information based on new regulations that will come into effect on Saturday. The regulations stipulate that companies selling products that fit into one (or more) of six categories must submit their encryption information to a government panel to receive a license to sell to Chinese government agencies, The Register reports.
EU and U.S. authorities are against the new measures, saying that handing over such information is “something companies cannot and will not do,” according to the president of the European Union Chamber of Commerce Jorg Wuttke.
It is still unclear if U.S. and EU companies would be required to reveal encryption techniques, which are available publicly, or cryptographic keys, which generally remain secret.
The Chinese government is looking to force security vendors to disclose their encryption information based on new regulations that will come into effect on Saturday. The regulations stipulate that companies selling products that fit into one (or more) of six categories must submit their encryption information to a government panel to receive a license to sell to Chinese government agencies, The Register reports.
EU and U.S. authorities are against the new measures, saying that handing over such information is “something companies cannot and will not do,” according to the president of the European Union Chamber of Commerce Jorg Wuttke.
It is still unclear if U.S. and EU companies would be required to reveal encryption techniques, which are available publicly, or cryptographic keys, which generally remain secret.
The PCI Security Standards Council is studying a number of emerging technologies and plans to issue a guidance document on end-to-end encryption when it releases the next version of the PCI Data Security Standards (PCI DSS), due out in October. Bob Russo, general manager of the PCI Council, said researchers are preparing documentation on what he calls the latest industry "big buzz word." Other technologies being studied include the use of tokenization and chip and PIN technologies to protect credit card data and how virtualization affects data protection technologies. In this interview, conducted at the recent 2010 RSA Security Conference, Russo explains whether the next version of PCI DSS will have any major changes and why the Council takes a cautious approach to adding changes to the standard.
In 2009 there were no changes made to the PCI Data Security Standards. How would you characterize the year for the payment industry, given the massive breach at Heartland Payment Systems Inc. and the down economy?
Bob Russo: In 2009 we were seeing a lot of uptake on the standard. Since it's a global standard, we're seeing it throughout the world. We're doing lots of training and lots of awareness-type seminars for literally every place around the world. All of our training is pretty much sold out. This year we've had to add training sessions so people can understand what the standard is and get better prepared for an assessment. So overall 2009 was a very good year for the Council, but 2010 is a very busy year for us. We're releasing three standards this year in eight different languages, so we're working hard.
Bob Russo
The PCI Security Standards Council recently undertook a study examining emerging technologies that could be used in future versions of the standard. Can you talk about some of those technologies that we may see in the future?
Russo: We're studying a couple [of technologies] right now to give additional guidance on them hopefully this year when we release the standard. Chip (chip and PIN) [is being studied] as an initial technology, because chip is a mature technology. There's a lot known about the technology. We have a lot of experience with it outside the United States, so we're looking at chip and we're actually mapping how chip would compare with the standard. We certainly don't think that there's a silver bullet in any of these technologies, whether it is chip and PIN, end-to-end encryption as the buzz word goes, tokenization or anything of that nature. The second [technology being studied] will be some form of encryption. I don't like the term end-to-end encryption. Whether it is point-to-point encryption, account data encryption or transaction-based encryption, whatever it ends up being, we will be mapping that as well. Then we'll be moving on to other technologies including tokenization and virtualization. We're creating a framework right now where we map these technologies out and lay them next to the standards, so if somebody is using one of these technologies, [the framework] will let them know if they would satisfy certain requirements.
The standard is due for a revision in 2010. Can you give merchants an idea of what may be addressed?
Russo: At this point we're going through a ton of feedback. Our feedback analysis closes at the end of April. We're finding this feedback fits into three categories: additional guidance, clarifications and then these emerging trends or emerging requirements. With a couple of thousand pieces of feedback that we're looking through, there's conflicting types of things there. We have conflicting opinions on what certain things should be. … The biggest thing that will affect the standard going forward is: how to best protect the data and then how much will this cost a merchant, the return on investment and whether there's anything that changes fundamentally the way the merchant actually will have to comply with the standard in the way they do business. If there's something that changes fundamentally the way they do business, certainly we can't put that in initially and have people go out of compliance. In some cases that would have to be a best practice for a certain period of time. In the last version of the standard, requirement 6.6 was a best practice for 18 months, so people had the opportunity to back into it because it was a big change in the way they complied. It's still too early to tell if this will be a version 2 or a version 1.3.
Russo: With end-to-end encryption one of the questions we have is: From what end to what end? That's an issue. It's a very big buzz word. There are no standards yet for this type of encryption and how the keys are handled. In many cases you can end up making things less secure based on how you do this. You mentioned Heartland's [E3 product], that's one solution. There are probably a dozen solutions out there. Do they talk to each other? Are they interoperable? What if a merchant is using more than one? These are things that will have to be considered when looking at this. What we'll be studying is an encryption solution and the minimum level of things that need to be done with an encryption solution. Once we've got that we'll put out some guidance, probably nothing specific within the standard. The standard won't change, but there will be guidance based on using these things.
Tokenization is also making its way in some encryption products. Can that make its way in the next version of the standard?
Russo: Certainly [tokenization] guidance could make its way in. I don't see us requiring any kind of tokenization, end-to-end encryption or chip technology in this version, but certainly [we will issue] guidance on these things. If a merchant has already started down a path and spent some dollars on one technology, certainly it would not be in our best interest to say "you chose the wrong technology now you need to use this technology." So there will be guidance on each one of these things that we roll out.
The PCI Security Standards Council is studying a number of emerging technologies and plans to issue a guidance document on end-to-end encryption when it releases the next version of the PCI Data Security Standards (PCI DSS), due out in October. Bob Russo, general manager of the PCI Council, said researchers are preparing documentation on what he calls the latest industry "big buzz word." Other technologies being studied include the use of tokenization and chip and PIN technologies to protect credit card data and how virtualization affects data protection technologies. In this interview, conducted at the recent 2010 RSA Security Conference, Russo explains whether the next version of PCI DSS will have any major changes and why the Council takes a cautious approach to adding changes to the standard.
In 2009 there were no changes made to the PCI Data Security Standards. How would you characterize the year for the payment industry, given the massive breach at Heartland Payment Systems Inc. and the down economy?
Bob Russo: In 2009 we were seeing a lot of uptake on the standard. Since it's a global standard, we're seeing it throughout the world. We're doing lots of training and lots of awareness-type seminars for literally every place around the world. All of our training is pretty much sold out. This year we've had to add training sessions so people can understand what the standard is and get better prepared for an assessment. So overall 2009 was a very good year for the Council, but 2010 is a very busy year for us. We're releasing three standards this year in eight different languages, so we're working hard.
Bob Russo
The PCI Security Standards Council recently undertook a study examining emerging technologies that could be used in future versions of the standard. Can you talk about some of those technologies that we may see in the future?
Russo: We're studying a couple [of technologies] right now to give additional guidance on them hopefully this year when we release the standard. Chip (chip and PIN) [is being studied] as an initial technology, because chip is a mature technology. There's a lot known about the technology. We have a lot of experience with it outside the United States, so we're looking at chip and we're actually mapping how chip would compare with the standard. We certainly don't think that there's a silver bullet in any of these technologies, whether it is chip and PIN, end-to-end encryption as the buzz word goes, tokenization or anything of that nature. The second [technology being studied] will be some form of encryption. I don't like the term end-to-end encryption. Whether it is point-to-point encryption, account data encryption or transaction-based encryption, whatever it ends up being, we will be mapping that as well. Then we'll be moving on to other technologies including tokenization and virtualization. We're creating a framework right now where we map these technologies out and lay them next to the standards, so if somebody is using one of these technologies, [the framework] will let them know if they would satisfy certain requirements.
The standard is due for a revision in 2010. Can you give merchants an idea of what may be addressed?
Russo: At this point we're going through a ton of feedback. Our feedback analysis closes at the end of April. We're finding this feedback fits into three categories: additional guidance, clarifications and then these emerging trends or emerging requirements. With a couple of thousand pieces of feedback that we're looking through, there's conflicting types of things there. We have conflicting opinions on what certain things should be. … The biggest thing that will affect the standard going forward is: how to best protect the data and then how much will this cost a merchant, the return on investment and whether there's anything that changes fundamentally the way the merchant actually will have to comply with the standard in the way they do business. If there's something that changes fundamentally the way they do business, certainly we can't put that in initially and have people go out of compliance. In some cases that would have to be a best practice for a certain period of time. In the last version of the standard, requirement 6.6 was a best practice for 18 months, so people had the opportunity to back into it because it was a big change in the way they complied. It's still too early to tell if this will be a version 2 or a version 1.3.
Russo: With end-to-end encryption one of the questions we have is: From what end to what end? That's an issue. It's a very big buzz word. There are no standards yet for this type of encryption and how the keys are handled. In many cases you can end up making things less secure based on how you do this. You mentioned Heartland's [E3 product], that's one solution. There are probably a dozen solutions out there. Do they talk to each other? Are they interoperable? What if a merchant is using more than one? These are things that will have to be considered when looking at this. What we'll be studying is an encryption solution and the minimum level of things that need to be done with an encryption solution. Once we've got that we'll put out some guidance, probably nothing specific within the standard. The standard won't change, but there will be guidance based on using these things.
Tokenization is also making its way in some encryption products. Can that make its way in the next version of the standard?
Russo: Certainly [tokenization] guidance could make its way in. I don't see us requiring any kind of tokenization, end-to-end encryption or chip technology in this version, but certainly [we will issue] guidance on these things. If a merchant has already started down a path and spent some dollars on one technology, certainly it would not be in our best interest to say "you chose the wrong technology now you need to use this technology." So there will be guidance on each one of these things that we roll out.
SSL is flawed. Now, according to a new paper from University of Michigan computer scientists, we can add RSA Authentication to that list. Help Net Security reports that "The most common digital security technique used to protect both media copyright and Internet communications has a major weakness.
RSA authentication is a popular encryption method used in media players, laptop computers, smartphones, servers and other devices.
Retailers and banks also depend on it to ensure the safety of their customers' information online.
The paper is called "Fault-based Attack of RSA Authentication", and you can get it here.
Thanks for Visiting - Bookmark us or Add to your Favorites and Find Out What's Going on Tomorrow in the Payments Industry
Encryption based on the fragility of quantum states could be used to protect consumers from card fraud
* Christine Evans-Pughe * The Guardian, Thursday October 9 2008
If a fraudster copies the numbers from your bank debit or credit cards, there's little to stop them going on a shopping spree online. This kind of fraud - known as card-not-present (CNP)- exceeded £290m in the UK last year and is a growing problem. It could also be one of the first consumer applications to benefit from quantum key distribution.
Quantum key distribution - or QKD for short - exploits the quantum mechanical properties of light particles (photons) to generate secret keys (strings of random numbers) that can be shared between two parties (for example, you and your bank) and used to encrypt data to safeguard it from snoopers. Typically, QKD systems transmit a stream of differently oriented photons to represent 1s and 0s through an optical fibre or a free space link. The snooper-proofing is intrinsic due to the fragility of quantum states: if you try to measure them they collapse, which is a marker for tampering, alerting the legitimate users to the presence of an eavesdropper.
Can you keep a secret?
Using quantum keys to encrypt data is at present only of interest to banks, governments and defense organizations which might need to move lots of confidential information securely between sites. But a demonstration in Vienna this week takes the technology to a different level, by integrating quantum key distribution into a standard communications network.
The event will show VoIP, videoconferencing and web services encrypted with constantly refreshed quantum keys. It will also include a prototype solution to card-not-present fraud, developed by Professor John Rarity from the University of Bristol and Hewlett Packard Research Labs.
The idea is that we would fill up our mobile phones or similar handheld devices with secrets (random strings of digits) at a quantum ATM. During online transactions, we would gradually consume this personal stash of secrets to encrypt information, such as our PIN, or to authenticate ourselves.
"The quantum part gives you the promise that when you've topped up your secrets, only you and your service provider own this particular random digit string," says Tim Spiller of HP. "If you're doing an internet transaction, you send the merchant however many secret bits is deemed to be secure. The merchant sends them on to Visa, say, who checks they're OK and if so authenticates the transaction."
The Vienna event is the culmination of a four-year EU project called SECOQC (Secure Communication based on Quantum Cryptography) to bring QKD technology to the mainstream. The SECOQC partners - who are now defining a European technical standard - include Siemens, Toshiba, Hewlett Packard, ID Quantique, Thales and Qinetiq as well as leading quantum scientists.
For the demo, Siemens has installed seven quantum key links into a standard metropolitan fiber-optic communications network that runs around Vienna and connects several of its sites. The network has been successfully running in test mode for several weeks now, according to Wolfgang Richter of Siemens.
Quantum keys won't be able to encrypt data traffic in real-world networks until standards have been finalized. However, SECOQC project leader Christian Monyk is optimistic. " We could produce it in six months."
When (or if) consumers enter the picture is difficult to predict. Rarity and HP's technology is "on the banks' radars", according to Spiller. But the point about their system is that it's potentially very cheap. HP's vision is that mobile phones could easily include half a short-range QKD system (which they say can be built from some standard LEDS and a low-cost integrated optical circuit). "Getting that into the market would depend on demand but five years is reasonable," says Spiller.
No hiccups
Meanwhile, quantum cryptography is gaining interest. Last year, ID Quantique's simple point-to-point quantum key distribution technology was used to guarantee the security of votes cast in Geneva during the Swiss general election. This summer, the defence and security company Qinetiq has been doing trials in London with network operator AboveNet, which provides fibre-optic connections for businesses. "We've done some experiments sending polarised photons through part of their network," says Dr Brian Lowans of Qinetiq. "We didn't have any hiccups."
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_tmRe1iLr0ZPLjFOwXYGujEw0grGlHE_NfrBYrnpVtvkPLTHF2bRgHKemJpVXIdCW1HrVylc96fVX28FxwP-BByfJfK_spuc0YW8hN-Shveomu9VtAq_31s5CKPXFeEQeEjIbs0JVNPEPpWfGxDaFRu=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_sl3Aj1u0e6F6ufKPG3DVJfaJ0QVmZ_nOvkFirMEyG_Rs65Hbf33oiB6kkUN0ZHXFTgPvUEmPhCr68ivOlDr36Fpnwh23gg7O08RzVkicvuscEXZy1p12DO0jtcxnXuVi1uoGGtkJFA-77rZXOs0uxD=s0-d)
![Reblog this post [with Zemanta]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_srvPKlN2fQY2snbwUcHocetgBJp7SoQkHQpBl_uytEWsrmFEHUJYAPvJK97A3PfufPy8Ppuqtpg-n5eO1NCh_ETgVFBuCUTSZ8z6Fn6QCfjsk_3FXwdH1Jj3LvL8-8S_tr4VYuxpfwXJ08wnWqH21O=s0-d)