PCI DSS and Regulatory Compliance Blog

SSL and PCI Compliance

January 1st, 2007 Posted in Compliance, Encryption, PCI DSS, Web Applications

lock.jpgFor many merchants and service providers, the primary point of contact to customers is through a web page/service secured using an SSL connection. Of course, such a connection is emphatically in scope of the requirements of the PCI DSS; most obviously requirement 4 that covers the encryption of data transmitted over a public network.

Many people are unsure how to reconcile these requirements with the ‘export grade’ SSL encryption that were ubiquitous only a few years ago.

These ‘export grade’ encryption systems were the direct result of the US export restrictions on strong cryptography that classified such cryptographic systems as munitions, and therefore prohibited their export from the country. Fortunately, the restrictions around the export of cryptography has been significantly relaxed since the late 1990’s, with new legislation allowing licensed distribution to most international countries being passing in early 2000. Requirements for the licensing of cryptographic systems are still being updated.

This change in policy has resulted in the effective extinction of the ‘International’ version of the web browser - where the cryptography was deliberately dumbed down to an export compliant level.

So, what does all this mean for a web site trying to meet the PCI DSS requirements for strong encryption of cardholder data? The restrictions in this area have been relaxed for long enough that by enforcing only high level encryption on your web site, it is unlikely that you will be turning away any potential customers, regardless of the country they are from.

The next obvious question is how can I do this?

Of course, you can configure your web server to only accept ciphersuites that are compatible with the requirements (ie RC4 or better, with a secret key length of 128 bits or more - actually 112 bits for two key triple DES, if you want to be pedantic). In Apache this is done with the ‘SSLCipherSuite’ directive. I find it very useful to use the openssl ‘ciphers’ command to check which ciphersuites are enabled by any particular SSLCipherSuite directive, before going to the trouble of updating the webserver (eg, “openssl ciphers -v “ALL:!SSLv2″ will return a list of all ciphersuites, excluding all those from SSL v2).

Once you’ve got your webserver setup you can check it with an automated tool such as SSLDigger, or run through each ciphersuite by hand (eg by using a script, or by individually enabling each ciphersuite using the about:config interface in Firefox). My personal preference is to do things using my own tools/scripts, for reasons I will expand upon below.

So, how come many sites still appear to be using low grade crypto? Remember that the requirement is to secure cardholder data. There is no problem with enabling all ciphersuites - with high, low, or even no cryptography - and redirecting those customers whose browsers are not using compliant cryptography to another web page that does not put cardholder data at risk. This technique is used by many larger online sites, and is why I do not necessarily trust automated tools when testing SSL connections. A valid connection may not necessarily result in the ability to transfer cardholder data.

You can, of course, redirect the customer on a failed SSL connection request to achieve the same end. However, redirecting based on the type of connection provides the customer with the SSL connection they are expecting (lock icon, different colour address bar, etc).

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

  1. 5 Responses to “SSL and PCI Compliance”

  2. By Sawaba on Jan 3, 2007

    Verisign is making a fortune selling their “Secure Site Pro” product, because the average administrator doesn’t know how to restrict insecure ciphersuites. $600 more per certificate adds up quick for companies with a lot of webservers.

  3. By datasecurity on Jan 5, 2007

    I read over on the RC4 wiki that it is not a secure algorithm. Is this correct?

    While remarkable in its simplicity, RC4 falls short of the high standards of security set by cryptographers, and some ways of using RC4 can lead to very insecure cryptosystems (including WEP). It is not recommended for use in new systems.

  4. By pinsecurity on Jan 6, 2007

    When compared to AES, or even triple DES, then yes - RC4 is kinda sucky. However, it’s weaknesses can be compensated to some extent by the implementation, as it is in WPA by using TKIP. The major problems with RC4 are compensated for in SSL/TLS, and I personally do not know of any SSL exploits that are based on the weaknesses of RC4 (when using full entropy 128 bit keys).

    If you want to make sure your SSL site is bullet proof (at least when it comes to the strength of the ciphersuites) you could turn off all ciphersuites except those that use 256 bit AES with SHA-1. However, I do not think that the potential risk of using RC4, triple DES, or MD5 warrent such action. There are much easier ways to get card data than breaking the crypto on an SSL connection that uses these ciphers.

  1. 2 Trackback(s)

  2. Apr 5, 2007: PCI DIY - Checking for Weak SSL Encryption with OpenSSL at PCI Compliance Demystified
  3. Jun 19, 2007: Ambersail Infosec Roundup » Blog Archive » Running SSLv2 Will Cause PCI Failure

Post a Comment