Encryption

From New Media Business Blog

Revision as of 08:24, 4 December 2016 by Avchan (Talk | contribs)

Encryption is the backbone of trust on the internet (... it is how you determine that a message really came from the party that claims to have sent it).


Overview

This word is bold[1]

Principles behind encryption

Encryption is based on signing a message (... with a mathematical signature).

http://stackoverflow.com/questions/6054082/recommended-of-iterations-when-using-pbkdf2-sha256

Modern Encryption Standards

Salts

Peppers

AES

bcrypt

scrypt

Styles of encryption

Public key

Steganography

Secret sharing

https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

https://www.vaultproject.io/
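As an added illustration of the Shamir scheme linked above (example code written for this page, not taken from Wikipedia or from Vault): a secret is encoded as the constant term of a random polynomial over a prime field, each share is one point on that polynomial, and any threshold-sized subset of shares recovers the secret by Lagrange interpolation at x = 0. The field prime, the share count and the sample key are constructed choices for the demonstration.

```python
import secrets
from typing import List, Tuple

# Field prime: 2**521 - 1 (a Mersenne prime), chosen here so that secrets of up
# to 64 bytes (e.g. a 256-bit key) fit in a single field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Split `secret` into `shares` points; any `threshold` of them recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # Constant term is the secret; remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Shares are evaluated at x = 1..shares (never at x = 0, which would leak the secret).
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Modular inverse via pow(..., -1, PRIME) requires Python 3.8+.
        lagrange_at_zero = num * pow(den, -1, PRIME) % PRIME
        secret = (secret + yi * lagrange_at_zero) % PRIME
    return secret


def split_key(key: bytes, threshold: int, shares: int) -> List[Tuple[int, int]]:
    """Convenience wrapper for byte-string secrets such as symmetric keys."""
    return split_secret(int.from_bytes(key, "big"), threshold, shares)


def recover_key(shares: List[Tuple[int, int]], length: int) -> bytes:
    return recover_secret(shares).to_bytes(length, "big")


if __name__ == "__main__":
    demo_key = b"constructed 32-byte key example!"   # constructed sample secret
    parts = split_key(demo_key, threshold=3, shares=5)
    print(recover_key([parts[0], parts[2], parts[4]], len(demo_key)))
```

With a threshold of 3 out of 5, any three shares reproduce the key while any two give an unrelated field element; this is the property that lets a secret-management tool distribute an unseal key across several operators without any one of them holding it.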

Modern uses of encryption

Payments Industry

Fraud and Lead Up to EMV

According to a paper by the Smart Card Alliance Payments Council (Smart Card Alliance), a US non-profit organization that leads discussion of smart card technology, there are three technologies currently used globally to secure transactions: EMV, end-to-end encryption (E2EE), and tokenization. The Smart Card Alliance notes that all three technologies used in conjunction, or in a layered approach, are considered to be the best available solution for payments protection. This section will explain how EMV technology emerged as the global payments standard, how each payment technology works throughout a card-present and card-not-present (CNP) transaction, and how payment encryption could improve in the future.

EMV Technology

The EMV payment specification has been available to the global payments industry since 1996, is currently the global security standard for card payments, and is managed by EMVCo (Europay, MasterCard, and Visa). (http://www.smartcardalliance.org/downloads/EMV-Tokenization-Encryption-WP-FINAL.pdf) EMV secures credit and debit card transactions by embedding a microprocessor chip into a physical object, typically a plastic card; it can also be supported by NFC-enabled smartphones. For a more detailed explanation of EMV functionality please refer to the Functionality and Benefits of EMV section. The Smart Card Alliance notes that although EMV technology has been available for over 20 years and is proven to be more effective at preventing counterfeit fraud than magnetic stripe technology, financial institutions and merchants in Europe, Latin America, Asia, and Canada adopted EMV earlier than the US. This is attributed to a historically more secure and sophisticated magnetic stripe transaction environment in the US compared to the rest of the world, but the recent global moves to EMV chip-based architecture have left the US with a comparatively weaker infrastructure. You can see an example of the increasing security concern over magnetic stripe technology in the US compared to Canada’s EMV infrastructure in the figure by the Wall Street Journal. (http://www.wsj.com/articles/chip-card-rollout-has-banks-retailers-scrambling-1429568104)

With the increasingly apparent weakness of the magnetic stripe infrastructure in the US, American Express, Discover, MasterCard, and Visa announced migration plans to chip-based technology in the US in 2011 and set policies shifting liability for card-present fraud to merchants that do not have EMV enabled by 2017.

Functionality and Benefits of EMV

In a card-present environment, where customers are physically present in a merchant’s store, EMV chips on cards are powered by the merchant card reader, and if the reader is dual-interface, either physical contact or contactless (tap) communication is used. Physical contact requires the contact plate on the card to be inserted into the merchant reader, while contactless communication uses radio frequency and an embedded antenna. According to the Smart Card Alliance, EMV chip cards are designed to store sensitive data securely and “have the processing power to perform cryptographic computations dynamically, as opposed to magnetic stripe cards that use static data.” This means that for each transaction, a unique digital signature or cryptogram is generated by the card chip using an algorithm applied to card data, acceptance-device data, and transaction-specific data. Because each transaction requires this transaction-specific data to be verified for card authorization, stolen card data is heavily devalued and cannot be used to create a counterfeit magnetic stripe card. As well, the Smart Card Alliance notes that a counterfeit magnetic stripe card would not have the service code number or chip that only the original physical card has, so validation will fail. Online (in-person) card authentication and offline (CNP) transactions also use different cryptography methods (asymmetric cryptography for CNP and symmetric cryptography for online), but both still generate a unique cryptogram as part of the authorization process. In summary, an EMV chip-enabled card prevents card fraud more effectively than a magnetic stripe card because it generates encrypted dynamic data for each transaction, whereas a magnetic stripe relies on static data and a physical card code for authentication.
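The per-transaction cryptogram described above, modelled as an added example (this is illustrative code written for this page, not EMVCo's specification or any vendor's implementation; real EMV uses its own key derivation and MAC constructions, and the card data, terminal data, amounts and keys below are constructed test values). A card-resident key produces a MAC over card, terminal and transaction fields plus an application transaction counter (ATC); the issuer recomputes it and rejects replays, altered amounts, and cards that do not hold the key, which is exactly what static magnetic stripe data cannot offer.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple


def transaction_cryptogram(card_key: bytes, card_data: Dict[str, str],
                           terminal_data: Dict[str, str],
                           txn_data: Dict[str, str], atc: int) -> str:
    """Keyed MAC over card, acceptance-device and transaction data plus the ATC.

    Canonical JSON (sorted keys, no whitespace) guarantees the card and the
    issuer MAC exactly the same bytes. HMAC-SHA256 stands in for the MAC
    algorithm a real chip would use.
    """
    payload = json.dumps(
        {"card": card_data, "terminal": terminal_data, "txn": txn_data, "atc": atc},
        sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(card_key, payload, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Issuer-side authorization: holds each card's key and its last seen ATC."""

    def __init__(self, card_keys: Dict[str, bytes]) -> None:
        self._keys = dict(card_keys)
        self._last_atc: Dict[str, int] = {}

    def authorize(self, card_data: Dict[str, str], terminal_data: Dict[str, str],
                  txn_data: Dict[str, str], atc: int, cryptogram: str) -> Tuple[bool, str]:
        pan = card_data["pan"]
        key = self._keys.get(pan)
        if key is None:
            return False, "unknown card"
        # The counter must move forward: a re-sent cryptogram is a replay.
        if atc <= self._last_atc.get(pan, 0):
            return False, "stale ATC: replayed transaction"
        expected = transaction_cryptogram(key, card_data, terminal_data, txn_data, atc)
        # Constant-time comparison avoids leaking the expected value via timing.
        if not hmac.compare_digest(expected, cryptogram):
            return False, "cryptogram mismatch: data altered or card counterfeit"
        self._last_atc[pan] = atc
        return True, "approved"


def run_demo() -> Dict[str, bool]:
    """Exercise the genuine path and three failure modes; returns approve/decline per case."""
    card_key = hashlib.sha256(b"constructed demo card key").digest()   # constructed
    card = {"pan": "4000000000000002", "expiry": "1229"}                # constructed test card
    terminal = {"terminal_id": "TERM0001", "country": "124"}            # constructed terminal
    sale = {"amount": "2500", "currency": "124", "date": "20161204"}     # constructed sale
    issuer = Issuer({card["pan"]: card_key})
    results: Dict[str, bool] = {}

    # 1. Genuine card, first transaction: approved.
    c1 = transaction_cryptogram(card_key, card, terminal, sale, atc=1)
    results["genuine_first_use"] = issuer.authorize(card, terminal, sale, 1, c1)[0]
    # 2. Same cryptogram presented again: declined as a replay (stale ATC).
    results["replay_same_cryptogram"] = issuer.authorize(card, terminal, sale, 1, c1)[0]
    # 3. Captured cryptogram reused with a fresh ATC and a larger amount: MAC no longer matches.
    bigger = dict(sale, amount="250000")
    results["captured_cryptogram_new_amount"] = issuer.authorize(card, terminal, bigger, 2, c1)[0]
    # 4. A cloned card without the real key cannot produce a valid cryptogram.
    fake_key = hashlib.sha256(b"constructed counterfeit guess").digest()
    c_fake = transaction_cryptogram(fake_key, card, terminal, sale, atc=2)
    results["counterfeit_card"] = issuer.authorize(card, terminal, sale, 2, c_fake)[0]
    # 5. Genuine card, next transaction with the next ATC: approved.
    c2 = transaction_cryptogram(card_key, card, terminal, sale, atc=2)
    results["genuine_second_use"] = issuer.authorize(card, terminal, sale, 2, c2)[0]
    return results


if __name__ == "__main__":
    for case, approved in run_demo().items():
        print(f"{case:32s} {'APPROVED' if approved else 'DECLINED'}")
```

The key point is that the cryptogram binds the key, the counter and the amount together: knowing the PAN and expiry (the "static data" a stripe skimmer collects) is not enough to get an authorization, and even a genuine cryptogram is worthless outside the single transaction it was computed for.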

Transaction Data Encryption

According to the Smart Card Alliance, transaction data encryption for payments has two approaches used by merchants and payment processors: end-to-end encryption (E2EE) and point-to-point encryption (P2PE). The E2EE method encrypts the cardholder data at the point of interaction with a payment system at a POS terminal, and the data remains encrypted until it reaches a Payment Card Industry Data Security Standard (PCI DSS) compliant processor or acquirer, where it is decrypted. With P2PE, cardholder data is also encrypted at the point of interaction with the payment system, but the data can be decrypted by third parties such as a gateway provider or an independent sales organization (ISO). In both solutions, the Smart Card Alliance notes, the merchant never has access to the cryptographic keys or the raw cardholder data, and all parties involved in the payment process must be PCI compliant. Encryption can also be applied to multiple card-present (hardware-based) payment standards, such as magnetic stripe reader (MSR) POS interfaces, signature/PIN capture MSR POS interfaces, and EMV-enabled signature/PIN encrypting MSR POS interfaces. For CNP or software-based encryption, the encryption process starts in the browser.

Through an encryption process such as EMV, cardholder data becomes significantly devalued, as “criminals cannot monetize data that they cannot decrypt,” and EMV can further complicate the use of stolen data by encrypting different types of transaction data. Thus, encryption contributes to overall payment data confidentiality and integrity.

Tokenization

In addition to EMV and data encryption, tokenization...(TBD)

Future of Encryption in Payments

Web

Facebook implementation:

SSL

HTTPS Everywhere

Modern encryption software

https://matrix.org/blog/2016/11/21/matrixs-olm-end-to-end-encryption-security-assessment-released-and-implemented-cross-platform-on-riot-at-last/

Tor

Veracrypt

Password Managers

https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers

Threats

Moore's Law

Quantum Computing

Political ramifications

Notes

Further reading (name: External links?)

References

  1. whatever.com - a great website