 |
When we analyze the security of point of sale (PoS) applications, we must keep in mind the necessary presence of magnetic bands and the data of the owners of cards, which are extremely sensitive information, both for the owner as well as for the financial institution that provides them.
In any space in which there’s information that needs to be protected and safeguarded, there lies the imperious necessity of using cryptographic solutions, the ones that originated in battlefields and which today are capable of protecting the confidentiality and integrity of said data. It's not enough to use certain safe protocols, it is also necessary and imperative to make a correct and proper implementation at a software and hardware level.
As obvious as it may seem, cryptography is an essential part of a point of sale, as well as in any other digital forms of payment used today. Complementing the pillars of confidentiality and integrity, authentication and non-repudiation come into play, which means that an operation cannot let itself be unknown to the user.
In terminals, mainly three groups of cryptographic algorithms converge which are used in heterogeneous technologies, where they mix with one another and with many architectures within the point-of-sale devices. Each one of these groups has advantages and disadvantages in relation to one another.
The main point where we will be able to distinguish great differences are linked to resource consumption, speed and even the ease of implementation in the different sections that point-of-sale devices have. The way of storing a password, the way of encrypting the communication between two points or even the degree of safety needed will be the way in which either one of the following algorithms will be implemented.
The same password is shared for the encryption and decryption of information. This algorithm is very fast, but at the same time it is less secure and it definitely needs both parts to have already exchanged their key or password to begin the communication. A couple of examples of symmetric-key cryptography are the 3DES and AES algorithms.
As obvious as it may seem, cryptography is an essential part of a point of sale, as well as in any other digital forms of payment used today. Complementing the pillars of confidentiality and integrity, authentication and non-repudiation come into play, which means that an operation cannot let itself be unknown to the user.
In terminals, mainly three groups of cryptographic algorithms converge which are used in heterogeneous technologies, where they mix with one another and with many architectures within the point-of-sale devices. Each one of these groups has advantages and disadvantages in relation to one another.
The main point where we will be able to distinguish great differences are linked to resource consumption, speed and even the ease of implementation in the different sections that point-of-sale devices have. The way of storing a password, the way of encrypting the communication between two points or even the degree of safety needed will be the way in which either one of the following algorithms will be implemented.
Symmetric-key algorithms
The same password is shared for the encryption and decryption of information. This algorithm is very fast, but at the same time it is less secure and it definitely needs both parts to have already exchanged their key or password to begin the communication. A couple of examples of symmetric-key cryptography are the 3DES and AES algorithms.
Asymmetric-key algorithms
 |
They contain two keys: a public and a private one. This way, the same one cannot be used to encrypt and decrypt the information. Both keys are generated at the same time and the private one is safeguarded, which is the one that will be used to read; and the public one is distributed, which is the one that will write, encrypting the communication. Two extensively used examples of asymmetric-key cryptography or public key infrastructure (PKI) are email messages sent through PGP (Pretty Good Privacy), or the network traffic encrypted with SSL or TLS. These are widely used in transactional websites or those that require the user to enter a set of credentials.
These functions capture a variable-length information and generate an output commonly called fixed-length hash, based on the input. These functions used in cryptography have the property of being easily calculated, which is why they're widely used to store passwords, since it is difficult -in many cases- to recreate the input if only the value of the hash is known.
One-way algorithm or hash
These functions capture a variable-length information and generate an output commonly called fixed-length hash, based on the input. These functions used in cryptography have the property of being easily calculated, which is why they're widely used to store passwords, since it is difficult -in many cases- to recreate the input if only the value of the hash is known.
When it comes to encryption algorithms, size does matter
A general rule for all encryption algorithms is: the bigger, the better. This is due to the fact that the most simple way of attacking encryption is a brute force attack, testing all the possible combinations of bits, until finally the desired string is found. With the data combination processing capacity of modern computers, it is possible to apply brute force techniques to obtain relatively long passwords made out of several bits or characters.
For instance, DES with a 56 bit combination password can be cracked in less than a day. However, the addition of more bits to the string will exponentially increase the time required for the cracking process to finish. The most widely used hash algorithms are MD5 (128 bits) and SHA1 (160 bits) which curiously are not very robust when it comes to security in comparison with Triple DES or AES, both of which are recommended by the NSA.
To sum up, the diversity in the different types of point of sale devices, both in modular and compact machines, will keep rising and the telecommunication technologies will also accompany this constant evolution, generating greater indices of speed and availability. However, cryptographic algorithms in many cases don't go hand-in-hand with the development of point of sale devices from the initial stage of the design, which leaves an open window through which cyber criminals are able to break into systems and extract different types of information.
Malicious codes are able to sort these cryptographic processes in payment terminals or point of sale devices, applied in certain specific layers with the intention of capturing sensitive information.
Recent contents
Read Don Burns' "What Is Encryption And How Can It Work For Me?"
For instance, DES with a 56 bit combination password can be cracked in less than a day. However, the addition of more bits to the string will exponentially increase the time required for the cracking process to finish. The most widely used hash algorithms are MD5 (128 bits) and SHA1 (160 bits) which curiously are not very robust when it comes to security in comparison with Triple DES or AES, both of which are recommended by the NSA.
To sum up, the diversity in the different types of point of sale devices, both in modular and compact machines, will keep rising and the telecommunication technologies will also accompany this constant evolution, generating greater indices of speed and availability. However, cryptographic algorithms in many cases don't go hand-in-hand with the development of point of sale devices from the initial stage of the design, which leaves an open window through which cyber criminals are able to break into systems and extract different types of information.
Malicious codes are able to sort these cryptographic processes in payment terminals or point of sale devices, applied in certain specific layers with the intention of capturing sensitive information.
Recent contents
Read Don Burns' "What Is Encryption And How Can It Work For Me?"
No comments:
Post a Comment