Four pillars of payments security, one solution: Welcome to the age of AKB
The retail market relies on payments security, yet encryption hasn’t treated four distinct security fundamentals as a whole—until now.
In this ever-growing, evolving world of payments security, encryption and cryptography play important roles by protecting users from the bad guys. While attacks on poorly designed applications are more common, a more sophisticated attack is designed to exploit the weakest link in the chain, or in the algorithm that protects it. To keep pace with the threat of data breaches, newer and stronger algorithms are needed that also strengthen the chain as a whole. To that end, security methodology fundamentals rely on four key pillars:
- Identification (who)
- Authentication (integrity)
- Authorization (privilege)
- Confidentiality (encryption)
Multiple advancements have taken place within each pillar. Yet the methodologies and designs treated them as unique, separate entities, and advanced each one as a standalone item. Organizations focused on one pillar without treating the four as part of a complete solution; in reality, these key pillars are interrelated and should be treated as such.
The non-cash retail payment market relies on security. The algorithm's journey from the Data Encryption Standard (DES) to the Triple Data Encryption Algorithm (TDEA, or 3DES) in the early 2000s paralleled the National Institute of Standards and Technology's approval of the stronger algorithm and its recommendation that organizations adopt it. Growing CPU processing power and quantum computing now bring 3DES encryption into question; NIST currently recommends migration to the Advanced Encryption Standard (AES), an even stronger algorithm.
Along with the encryption algorithms, security measures were further strengthened by the introduction of the Initialization Vector (IV), which ensures that the encrypted data (cipher text) does not repeat even when the same plaintext is encrypted again. The IV greatly reduces the ability to detect a pattern and thus the possibility of deciphering the cipher text. So the race began: each advance solved the current algorithm problem while introducing newer weaknesses and a new problem to solve. Yet the race neglected how to address the four key pillars as a whole rather than part by part. Thus, the requirement arose for additional foolproof digital fencing: logical and physical controls.
The middleman cuts in, but AKB holds the key
As the industry looked to address the four key pillars, man-in-the-middle (MiTM) attacks remained a potential problem in cryptography and encryption. MiTM attacks exploit the weakest point in the chain. Without a strong, verifiable relationship between an encryption key and its intended attributes (encryption, decryption, exportability, etc.), an interceptor could alter those attributes in transit and change how the key is used.
The Payment Card Industry (PCI) Security Standards Council released a bulletin in March 2017 for PCI PIN Security Requirement 18-3. It provides a revised plan to implement managed structures (called key blocks) to address the individuality of the four pillars. This requires organizations to consider the pillars as a whole—and not individual items. A specification, published in ANSI X9 TR-31, defines the AES key-wrap process, also commonly known as ANSI Key Block (AKB).
AKB was the first market-specified published key block to resolve this: it cryptographically binds the key to its intended attributes and adds an integrity check to ensure that neither the attributes nor the cipher text has been modified.
The AKB brings two important features. First, the key is protected using the approved key-bundling standard requirements, which greatly reduces the scope for MiTM attacks. Second, key usage attributes are securely bound to the key itself, which prevents misuse of the key type or its intended use. For example, a key identified as an encryption key can't be used to decrypt data or for key export.
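The binding described above, as an added illustrative example that is not part of the original article and not TR-31 itself: a simplified key block whose 16-character header follows the field order of TR-31 (version, length, key usage, algorithm, mode of use, key version, exportability, optional-block count, reserved), with the header MAC-bound to the wrapped key before encryption. HMAC-SHA256 and an HMAC-derived keystream stand in for the CMAC and AES-CBC a real key block uses, and the key block protection key, sample key and attribute codes are all constructed for the demonstration; the point shown is that altering any header attribute (for example, flipping the mode of use) breaks the integrity check, so a verifier never acts on the tampered attribute.

```python
"""Illustrative key block (NOT TR-31): header attributes are MAC-bound to the wrapped key."""
import hmac
import hashlib

MAC_LEN = 16  # bytes of truncated HMAC-SHA256 carried at the end of the block

def derive_subkeys(kbpk: bytes):
    """Derive an encryption key and a MAC key from the key block protection key (simplified KDF)."""
    kbek = hmac.new(kbpk, b"KBEK", hashlib.sha256).digest()
    kbmk = hmac.new(kbpk, b"KBMK", hashlib.sha256).digest()
    return kbek, kbmk

def keystream_xor(kbek: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for AES-CBC: XOR with an HMAC-derived keystream seeded by the IV (illustrative only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(kbek, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def build_header(key_usage: str, mode_of_use: str, exportability: str, key: bytes) -> str:
    """16-char header modeled on TR-31 field order; length covers header + hex(ciphertext) + hex(MAC)."""
    total = 16 + 2 * (2 + len(key)) + 2 * MAC_LEN
    return f"D{total:04d}{key_usage}A{mode_of_use}00{exportability}0000"

def wrap(kbpk: bytes, key: bytes, key_usage: str, mode_of_use: str, exportability: str) -> str:
    """Bind header attributes to the key: MAC over header||key, then encrypt using the MAC as IV."""
    kbek, kbmk = derive_subkeys(kbpk)
    header = build_header(key_usage, mode_of_use, exportability, key)
    plaintext = (len(key) * 8).to_bytes(2, "big") + key  # key bit length, then the key itself
    mac = hmac.new(kbmk, header.encode() + plaintext, hashlib.sha256).digest()[:MAC_LEN]
    ciphertext = keystream_xor(kbek, mac, plaintext)
    return header + ciphertext.hex().upper() + mac.hex().upper()

def unwrap(kbpk: bytes, block: str, requested_mode: str) -> bytes:
    """Verify the binding before trusting any attribute, then enforce the header's mode of use."""
    kbek, kbmk = derive_subkeys(kbpk)
    header, body = block[:16], block[16:]
    mac = bytes.fromhex(body[-2 * MAC_LEN:])
    plaintext = keystream_xor(kbek, mac, bytes.fromhex(body[:-2 * MAC_LEN]))
    expected = hmac.new(kbmk, header.encode() + plaintext, hashlib.sha256).digest()[:MAC_LEN]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("key block integrity check failed: header or key was altered")
    mode_of_use = header[8]  # constructed codes: "E" encrypt only, "D" decrypt only, "B" both
    if mode_of_use not in ("B", requested_mode):
        raise PermissionError(f"mode of use {mode_of_use!r} does not permit {requested_mode!r}")
    key_bits = int.from_bytes(plaintext[:2], "big")
    return plaintext[2:2 + key_bits // 8]
```

Because the MAC covers the header, an interceptor who rewrites the mode-of-use or exportability field cannot produce a block that verifies without the protection key, which is the "hard binding" the article refers to.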
With payments disruption and an emerging landscape questioning the status quo—along with increasing non-bank competition such as the Internet of Things, mobile wallets, gift cards and fleet cards brought by commercialization—a greater need exists to ensure the payment market is well protected, while fostering growth and innovation. AKB’s adoption by the regulatory bodies such as PCI will unite the four key pillars into a cogent whole.