AMP 6700 Security
Policy V 1.0.0
Advanced Mobile Payments Inc
www.amobilepayment.com
Revision History
Date Revision Level Description Modified by
2017-12-19 1.0.0 Original Issue Louis
Table of Contents
1 Purpose
2 References
3 Device Identification And Inspection
3.1 Device Functions
3.2 Appearance
3.3 Version Information
3.4 Identification
3.5 H/W specification
4 Security Guidance
4.1 Environmental Requirements
4.2 Self-Test
4.3 Periodic Security Inspection
4.4 Pin Shield checking guide
4.5 ICC shim checking guide
4.5 Second MSR checking guide
4.6 Change Default Values
4.7 Installation Guidance
4.8 Configuration Setting
4.9 Sensitive Roles
4.10 Update/Download
4.11 Software develop Guidance
4.11.1 The development process
4.11.2 SRED applications development
4.11.3 SSL applications development
4.12 Application Authentication
4.13 Manufacture Guidance
5 Key Management
5.1 Key Management systems
5.2 Key Loading
5.3 Key Replacement
5.4 Key Table
5.6 Key removal
6 Device Maintenance
7 Vulnerability Detection and Follow-up Action
8 Tamper Detection and Response
8.1 Tamper Trigger Events
8.2 Tamper Response
1 Purpose
This document describes the security policy for the proper use of the AMP 6700 in a secure fashion, including information on key-management responsibilities, administrative responsibilities, device functionality, identification and environmental requirements.
Any unapproved use of the AMP 6700 results in non-compliance with the PCI PTS POI security requirements.
2 References
[1] PCI PTS POI Modular Derived Test Requirements, Version 4.1, June 2015
[2] ANS X9.24-1:2009, Retail Financial Services Symmetric Key Management, Part 1: Using Symmetric Techniques
[3] X9 TR-31:2010, Interoperable Secure Key Exchange Key Block Specification for Symmetric Algorithms
[4] ISO 9564-1, Financial services - Personal Identification Number (PIN) management and security, Part 1: Basic principles and requirements for PINs in card-based systems
[5] ISO 9564-2, Banking - Personal Identification Number management and security, Part 2: Approved algorithms for PIN encipherment
[6] AMP 6700 Software Development Kit
[7] AMP 6700 PRODUCT MANUAL.pdf
3 Device Identification And Inspection
3.1 Device Functions
The AMP 6700 is an attended, desk-mounted POS terminal. It provides a physical keypad, a contactless card reader, an IC card reader (ICCR), a secure magnetic stripe reader (MSR), an LCD and a TP. A privacy shield covers the keypad area to prevent onlookers from observing PIN entry. The device is powered from a 9.5 V DC supply, and external communication is over USB, LAN, Wi-Fi, or a WCDMA/LTE wireless connection.
3.2 Appearance
Check that the appearance of the AMP 6700 matches the picture below:
3.3 Version Information
Hardware version
The hardware version is printed on the label on the back of the device. Note that the label must not be torn off, covered or altered.
Hardware Version Number (an "X" marks a position whose value varies):
Position:  1 2 3 4 5 6 7 8 9 10 11 12 13
Character: A M P 6 7 0 0 - X X - X
Variable "X" position: description of the variable "X" in that position
Position 10: wireless communication
O - no wireless module, wired communication only
A - WCDMA only
B - Wi-Fi only
C - LTE only
D - WCDMA + Wi-Fi
F - LTE + Wi-Fi
Position 11: colour of the device
O - Black
A - Blue
B - Yellow
C - Red
D - Golden
E - Grey
F - Silver
Position 13: power adapter plug
O - UK plug
A - USA plug
B - EU plug
Firmware Version
Firmware version number:
Position:  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
Character: 1 . 3 - X X X X X X - S e c u r e
There are six variable "X" characters in the firmware version, detailed as follows.
Variable "X" position: description of the variable "X" in that position
Positions 5~6: range 00 to 99; security-related update, for example fixing a vulnerability in an open protocol. Such a change does not add, remove or modify the functionality of the device.
Positions 7~8: range 00 to 99; new features added to support new SDK APIs, not security related.
Positions 9~10: range 00 to 99; bug fixes, not security related.
The firmware version can be viewed as follows:
1. Power up the AMP 6700 and go to the home screen. Open the system Settings.
2. Select the "About" item.
3. The Android version, kernel version and Security Firmware version are displayed.
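As an added example (not code from the policy or from Advanced Mobile Payments), the two version formats above parsed into their variable fields, so an operator's inventory check can flag labels that do not match the tables or firmware that lags an approved security counter. It assumes the space between "AMP" and "6700" is position 4 of the hardware label, which is what places the variables at positions 10, 11 and 13.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// HardwareVersion holds the three option fields of the 13-character hardware
// label "AMP 6700-XX-X" (position 10: wireless, 11: colour, 13: plug).
type HardwareVersion struct {
	Wireless, Colour, Plug string
}

var wirelessCodes = map[byte]string{
	'O': "no wireless module, wired communication", 'A': "WCDMA only",
	'B': "Wi-Fi only", 'C': "LTE only", 'D': "WCDMA + Wi-Fi", 'F': "LTE + Wi-Fi",
}
var colourCodes = map[byte]string{
	'O': "black", 'A': "blue", 'B': "yellow", 'C': "red",
	'D': "golden", 'E': "grey", 'F': "silver",
}
var plugCodes = map[byte]string{'O': "UK plug", 'A': "USA plug", 'B': "EU plug"}

// ParseHardwareVersion rejects any label that is not exactly AMP 6700-XX-X with
// option codes from the policy tables (assumption: the space is position 4).
func ParseHardwareVersion(label string) (HardwareVersion, error) {
	if len(label) != 13 || !strings.HasPrefix(label, "AMP 6700-") || label[11] != '-' {
		return HardwareVersion{}, fmt.Errorf("hardware version %q is not of the form AMP 6700-XX-X", label)
	}
	w, okW := wirelessCodes[label[9]] // position 10
	c, okC := colourCodes[label[10]]  // position 11
	p, okP := plugCodes[label[12]]    // position 13
	if !okW || !okC || !okP {
		return HardwareVersion{}, fmt.Errorf("hardware version %q uses an option code that is not in the policy", label)
	}
	return HardwareVersion{Wireless: w, Colour: c, Plug: p}, nil
}

// FirmwareVersion holds the three two-digit counters of "1.3-XXXXXX-Secure":
// positions 5-6 security update, 7-8 new features, 9-10 bug fix.
type FirmwareVersion struct {
	Security, Feature, BugFix int
}

func ParseFirmwareVersion(s string) (FirmwareVersion, error) {
	if len(s) != 17 || !strings.HasPrefix(s, "1.3-") || !strings.HasSuffix(s, "-Secure") {
		return FirmwareVersion{}, fmt.Errorf("firmware version %q is not of the form 1.3-XXXXXX-Secure", s)
	}
	digits := s[4:10]
	for i := 0; i < len(digits); i++ {
		if digits[i] < '0' || digits[i] > '9' {
			return FirmwareVersion{}, fmt.Errorf("firmware version %q: position %d is not a digit", s, i+5)
		}
	}
	sec, _ := strconv.Atoi(digits[0:2]) // cannot fail after the digit check above
	fea, _ := strconv.Atoi(digits[2:4])
	bug, _ := strconv.Atoi(digits[4:6])
	return FirmwareVersion{Security: sec, Feature: fea, BugFix: bug}, nil
}

// MissingSecurityUpdate reports whether the installed firmware is behind the
// approved one on the security counter, the only field the policy ties to
// vulnerability fixes; the feature and bug-fix counters are deliberately ignored.
func MissingSecurityUpdate(installed, approved FirmwareVersion) bool {
	return installed.Security < approved.Security
}

func main() {
	hw, err := ParseHardwareVersion("AMP 6700-DA-B") // constructed sample label
	fmt.Println(hw, err)
	fw, err := ParseFirmwareVersion("1.3-020301-Secure") // constructed sample version
	fmt.Println(fw, err)
	fmt.Println(MissingSecurityUpdate(fw, FirmwareVersion{Security: 3}))
}
```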
3.4 Identification
For security, a device received by shipment must be inspected and authenticated before use; only a device that passes may be used. Inspect it as follows:
1. Check that the source supplying the AMP 6700 is authorized; if it is not, reject the device.
2. Check that the device name and the firmware, hardware and application versions match the approved identification numbers listed for the device on the PCI PTS POI approval website (www.pcisecuritystandards.org).
3. Check whether the appearance of the AMP 6700 has been altered; if any trace of alteration is found, reject the device.
4. Check that nothing has been placed over the keypad area, to prevent an overlay attack.
5. Check that the ICC card slot has no protruding wires or anything else suspicious; if it does, reject the device.
6. Check that the magnetic card reader slot has no additional reader or bugging device; if one is found, reject the device.
7. Check that there is nothing suspicious and no bugging device around the PIN shield area; if found, reject the device.
8. Check that the PIN shield matches the picture below; if not, reject the device.
3.5 H/W specification
Processor: BCM58303, 32-bit secure CPU, A9, 1.25 GHz
Memory: 8 GB NAND flash, 1 GB DDR3L
Display: 7 inch, 600*1024 TFT LCD
Keypad: 10 alphanumeric keys, 3 function keys, 1 Reset key, with backlight
Magnetic Card Reader: compliant with ISO 7811, ISO 7812; track 1/2/3, bi-directional swipe; supports smart error correcting
IC Card Reader: 1 user card (EMV 4.3), supports SLE4442 / SLE4428 memory cards
PSAM Slot: 2 PSAM slots, compliant with ISO 7816; supports PPS protocol, up to 300 kbps
Contactless Card Reader (optional): supports Mifare Classic, Mifare Ultralight, Mifare DESFire, ISO 14443 A & B, SONY FeliCa, with 4 indicator lights
Internal PED: supports MK/SK, Fixed, DUKPT
Internal LAN: LAN1 supports PoE
Wireless (optional): Wi-Fi / 4G
Peripheral Ports:
LAN: one, supports PoE (default)
Serial port: RS232 (RJ45, 12 V power support)
USB: USB-Host (Type A), PUSB (Type B)
Power: Φ2.5 DC jack
Power Supply: input 100 ~ 240 VAC, 50 Hz/60 Hz; output 9.5 VDC, 2.5 A
Cable: USB or UART data cable
Signature pen: on the left side of the product
System: Android 4.X
Audio: 2 built-in speakers
Working Environment: temperature 0℃ ~ 50℃ (32℉ ~ 122℉); humidity 10% ~ 90% (non-condensing)
Storage Environment: temperature -20℃ ~ 60℃ (-4℉ ~ 140℉); humidity 5% ~ 95% (non-condensing)
Size: 210*196*70 mm
Weight: 775 g
Bracket: optional
Security: PCI PTS, SRED
Certification: CE, RoHS, FCC, PCI PTS, EMV 4.3 Level 1 & 2, PBOC 3.1, QPBOC 3.X
4 Security Guidance
This section describes the security requirements for using the device and for the development process. Before using the device, inspect it carefully as described below.
4.1 Environmental Requirements
The AMP 6700 provides a privacy shield; when entering a PIN, also shield the keypad with your body so that nobody behind you can observe the entry.
1. Temperature & Humidity Environment
Operating temperature & humidity: 0℃ ~ 50℃ / 10% ~ 90% (non-condensing)
Storage temperature & humidity: -20℃ ~ 60℃ / 5% ~ 95% (non-condensing)
If the environment is outside these ranges, the terminal is not guaranteed to work.
2. Tamper Conditions
Tamper temperature: a tamper event occurs when the CPU temperature is lower than -45℃ or higher than 125℃.
Tamper voltage: a tamper event occurs when the BBL (Battery Backed Logic) voltage is lower than 1.9 V or higher than 3.7 V.
Tamper frequency: a tamper event occurs when the BBL (Battery Backed Logic) frequency is outside 32.768 kHz ± 20%.
When a tamper event occurs, the keys used for transactions are lost and the device must be sent to the vendor for repair.
3. Power Environment
A tamper event also occurs when the supply voltage is outside the approximate range 2.0 V < V < 3.63 V.
Keep the terminal away from all sources of heat, vibration, dust, moisture and electromagnetic radiation (such as a computer screen, a motor, security equipment, etc.).
4.2 Self-Test
The AMP 6700 uses self-tests to check firmware integrity. The self-test is performed:
1. Every time the unit is powered up.
2. Every time the unit is rebooted.
3. At least once every 24 hours.
The self-test covers the firmware, the applications, the stored keys, authenticity and any other sensitive properties, in order to determine whether the device is in a compromised state. If the self-test fails, the device displays a lock icon and further tamper information on the LCD, and its functionality fails in a secure manner. When the device enters "Compromised" mode, all stored keys are removed as well. The merchant must return the device to Advanced Mobile Payments Inc for repair.
Self-tests are not initiated by an operator.
4.3 Periodic Security Inspection
For secure use of the AMP 6700, the device must be inspected after each period of use; only a device that passes may remain in service.
1. Look at the LCD display for tamper information to check whether the device has been tampered with; if it has, contact an authorized service provider or Advanced Mobile Payments Inc.
2. Check whether the appearance of the AMP 6700 has been altered; if any trace of alteration is found, reject the device.
3. Check that nothing has been placed over the keypad, to prevent an overlay attack.
4. Check that the magnetic reader slot has no additional reader or bugging device; if one is found, reject the device.
4.4 Pin Shield checking guide
For secure use of the AMP 6700, the operator must inspect the PIN shield every day before using the device, as follows:
1. Tilt the device to the angle shown in the pictures below to view the area between the keypad and the PIN shield. If any obstruction is present, the device must not be used.
2. Check that the PIN shield matches the pictures below; if not, the device must not be used.
3. Check the area around the PIN shield; if there is any obstacle, or the PIN shield appears to have been changed, the device must not be used.
4.5 ICC shim checking guide
For secure use of the AMP 6700, the operator must inspect the ICC slot every day before using the device.
1. Tilt the device slightly to view the inside of the slot. If any obstruction is present, the device must not be used.
2. Insert an IC card and check that it inserts smoothly, without any obstruction.
4.5 Second MSR checking guide
For secure use of the AMP 6700, the operator must inspect the magnetic reader slot every day before using the device.
1. Check that the shape and appearance of the card guide match the picture below; if not, reject the device.
2. Tilt the device to view the gap of the magnetic reader slot. If more than one MSR is present, reject the device.
3. Tilt the device to view the appearance and the guide of the magnetic card slot; if there is any evidence of cutting or polishing, reject the device.
4. Check that a card swipes normally in use, without any obstruction.
4.6 Change Default Values
The AMP 6700 leaves the factory set to default passwords. For security, the administrator must replace the default passwords with valid new ones when shipping the device to the customer.
When the firmware is updated, the passwords must be changed; otherwise no application or other service can run.
The default passwords are as follows:
1. ADMIN1 password: 1234567
2. ADMIN2 password: 7654321
A new password must not be the same as the old password.
4.7 Installation Guidance
Users should refer to the user manual before installing this device.
The package consists of the following items:
1 device
1 power adaptor
User manual
All software is installed before delivery to the end user, so the user can use PIN entry immediately.
This device is an attended desk-mounted POS terminal and is provided with a privacy shield. The customer should be advised to shield the keypad with their body so that nobody behind them can observe the PIN entry.
The AMP 6700 is designed to be an attended desk-mounted POS terminal. Before use, check that the source supplying the AMP 6700 is authorized, check whether the appearance of the AMP 6700 has been altered, check that the ICC card slot has no protruding wires or anything else suspicious, check that the magnetic card reader slot has no additional reader or bugging device, and check that there is nothing suspicious and no bugging device around the PIN shield area. If any of these problems is found, reject the device and refuse to use it.
4.8 Configuration Setting
The AMP 6700’s firmware does not need any configuration setting.
4.9 Sensitive Roles
The customers of Advanced Mobile Payments Inc are acquirers. Advanced Mobile Payments sells devices to acquirers and provides maintenance and technical support. The acquirer sells devices and services to end users. Advanced Mobile Payments Inc, the acquirer and the end users play different roles in operating the device, as shown in the table below:
Party: Role: Operations
Acquirers: Administrator: 1. Organize third parties to develop applications. 2. Download applications and inject the customer public key. 3. Access the device's sensitive services.
End users: Operator: Perform transactions.
Advanced Mobile Payments Inc: Maintainer: 1. Sign customer public keys. 2. Repair devices and unlock devices that have been tampered.
Table: Different roles and operations
4.10 Update/Download
Customers can download the latest firmware over the air (OTA). The system starts a background service 5 minutes after booting. Under good network conditions, the service then contacts the remote server to check whether a new firmware version is available. If there is a new version, the system pops up a system update notification to prompt the user.
The update data is transmitted using the TLS v1.2 protocol. During the TLS handshake, the POS terminal first authenticates the server, since the POS terminal holds the server's certificate. Once authentication succeeds, a secure channel is established to protect the data during the download. When the download is complete, the integrity of the downloaded firmware is checked with SHA-256.
After the firmware has been downloaded, the firmware already on the terminal immediately verifies whether the new firmware's signature is valid. Any unsigned firmware is treated as unauthorized and is not installed. Terminal type information is embedded in the firmware, and the firmware also determines whether it can run on the existing terminal; if the terminal type is not compatible, the firmware is not installed. When the firmware update is complete, restart the POS terminal; the new firmware version is then displayed.
4.11 Software develop Guidance
When developing applications, the developer must respect the
guidance described in the document [6].
4.11.1 The development process
During software development, the following steps must be carried out:
1. Software development/programming according to the requirements;
2. After development, the developer must perform a functional test (self-test);
3. Code review, audit, and digital signature;
4. Full testing (detailed test);
5. If bugs are found, the tester reports them to the relevant developer for fixing;
6. Only after testing has passed can the software be released to production.
4.11.2 SRED applications development
1. Account data read from an IC card or magnetic stripe card must be encrypted immediately.
2. Plain-text account data must not be output from the device.
3. After a transaction, a timeout or any other abort, the plain-text account data must be deleted immediately.
4.11.3 SSL applications development
For SSL application development in compliance with PCI PTS, the following points require attention.
1. The client must authenticate the CA certificate and the client certificate.
2. The cipher suite of the server the terminal connects to must be at least as secure as TLS_RSA_WITH_AES_128_CBC_SHA.
3. The server the terminal connects to must be configured to require client authentication.
4. Use TLS v1.2 or higher.
5. Application developers must use SHA-256 on top of the security protocol when it is used for security functionality.
6. Application developers can obtain the security guidance from the Advanced Mobile Payments Inc website.
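An added example (not code from the policy or from Advanced Mobile Payments) of the session described in points 1 to 4: a host that requires a client certificate and TLS 1.2 or higher, and a terminal that verifies the host against a pinned CA and presents its own certificate, exercised over an in-memory pipe. The host name "pos-gateway.example" is assumed, and one self-signed certificate stands in for the CA, host and terminal certificates that an acquirer would issue separately.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned makes one self-signed certificate that stands in for the CA, the host
// certificate and the terminal certificate (constructed for this example only).
func selfSigned(name string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// hostConfig is the acquirer host side: client certificate required (point 3), TLS 1.2
// or higher (point 4), and an ECDHE/AES-GCM suite above the CBC-SHA floor of point 2.
func hostConfig(cert tls.Certificate, pool *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pool,
		MinVersion:             tls.VersionTLS12,
		CipherSuites:           []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
		SessionTicketsDisabled: true, // no resumption: every session re-authenticates both ends
	}
}

// Handshake runs a mutual-TLS handshake between a terminal with the given version
// bounds and the host, and returns the negotiated version. A compliant terminal
// (clientMin = TLS 1.2, clientMax = 0 for no upper bound) passes; a TLS 1.0-only one is refused.
func Handshake(clientMin, clientMax uint16) (uint16, error) {
	const host = "pos-gateway.example" // assumed host name
	cert, pool, err := selfSigned(host)
	if err != nil {
		return 0, err
	}
	c, s := net.Pipe()
	srv := tls.Server(s, hostConfig(cert, pool))
	cli := tls.Client(c, &tls.Config{ // POS side: host checked against the pinned CA (point 1)
		Certificates: []tls.Certificate{cert}, RootCAs: pool, ServerName: host,
		MinVersion: clientMin, MaxVersion: clientMax,
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		srv.Close()
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return cli.ConnectionState().Version, nil
}
```

Calling Handshake(tls.VersionTLS12, 0) returns the negotiated version with a nil error, while Handshake(tls.VersionTLS10, tls.VersionTLS10) returns the host's protocol-version alert as an error.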
4.12 Application Authentication
Applications can be updated and downloaded into the device in a cryptographically authenticated way. Software is digitally signed with a signature IC card and a PC tool, both provided by the vendor. A third-party developer applies to the vendor for a signature IC card. Using the PC tool, the developer generates an RSA private key, exports the public key and sends it to the vendor for signing; once the vendor has signed it, the developer imports the signed public key into the signature IC card and can then use the card to sign applications. The third-party developer's private key and public key certificate are stored in the signature IC card; to protect the private key, it cannot be read out of the signature card. When a program is signed, the signature card uses the private key to encrypt the data to be signed and produces 256 bytes of signature data.
When an application is downloaded, the device verifies the application's signature; only if verification succeeds can the application be installed.
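The terminal-side checks of sections 4.10 and 4.12 as an added example (not the vendor's code): a vendor signs the SHA-256 digest of a package with an RSA-2048 key, giving the 256-byte signature the text describes, and the terminal checks download integrity, then the signature, then terminal-type compatibility, refusing on the first failure. The package layout and the terminal type code are constructed for the example; the policy does not describe the real OTA format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package is a constructed OTA bundle: Body is a 4-byte big-endian terminal type
// followed by the firmware image; Digest and Sig travel beside it.
type Package struct {
	Body   []byte
	Digest []byte // SHA-256 of Body, used for the post-download integrity check
	Sig    []byte // RSA-2048 PKCS#1 v1.5 signature by the vendor over that digest
}

const TerminalTypeAMP6700 uint32 = 0x6700 // constructed type code

var (
	ErrIntegrity = errors.New("download corrupted: SHA-256 mismatch")
	ErrUnsigned  = errors.New("unauthorized firmware: signature does not verify")
	ErrWrongType = errors.New("firmware built for a different terminal type")
)

// BuildPackage is the vendor side: sign the digest with the vendor private key.
// The same scheme yields the 256-byte application signature of section 4.12.
func BuildPackage(terminalType uint32, image []byte, vendorKey *rsa.PrivateKey) (Package, error) {
	body := binary.BigEndian.AppendUint32(nil, terminalType)
	body = append(body, image...)
	d := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, vendorKey, crypto.SHA256, d[:])
	if err != nil {
		return Package{}, err
	}
	return Package{Body: body, Digest: d[:], Sig: sig}, nil
}

// VerifyPackage is the terminal side, in the order the policy gives: integrity of
// the download, then the vendor signature, then terminal-type compatibility. An
// altered body that arrives with a recomputed digest passes the first check but
// fails the second, because only the vendor key can sign the new digest.
func VerifyPackage(p Package, vendorPub *rsa.PublicKey, terminalType uint32) error {
	d := sha256.Sum256(p.Body)
	if subtle.ConstantTimeCompare(d[:], p.Digest) != 1 {
		return ErrIntegrity
	}
	if len(p.Sig) != 256 { // RSA-2048 always yields 256 signature bytes
		return ErrUnsigned
	}
	if err := rsa.VerifyPKCS1v15(vendorPub, crypto.SHA256, d[:], p.Sig); err != nil {
		return ErrUnsigned
	}
	if len(p.Body) < 4 || binary.BigEndian.Uint32(p.Body[:4]) != terminalType {
		return ErrWrongType
	}
	return nil
}

func main() {
	vendor, err := rsa.GenerateKey(rand.Reader, 2048) // vendor signing key, generated for the demo
	if err != nil {
		panic(err)
	}
	pkg, err := BuildPackage(TerminalTypeAMP6700, []byte("constructed firmware image"), vendor)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine package:", VerifyPackage(pkg, &vendor.PublicKey, TerminalTypeAMP6700))
	pkg.Body[len(pkg.Body)-1] ^= 1 // one flipped bit in the image
	fmt.Println("corrupted download:", VerifyPackage(pkg, &vendor.PublicKey, TerminalTypeAMP6700))
}
```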
4.13 Manufacture Guidance
Manufacturers must use the PCI PTS approved hardware and firmware for AMP 6700 production. To ensure this, manufacturers validate the hardware and firmware versions against the PCI PTS approved versions. Hardware and firmware version details are given in sections 3.2, 3.3 and 3.4.
5 Key Management
5.1 Key Management systems
1. The AMP 6700 supports the following key systems:
Fixed key
MK/SK key
DUKPT
MK/SK is a master key / session key hierarchy: the session keys are encrypted and decrypted under the master keys.
DUKPT is a technique based on a unique key per transaction.
2. The AMP 6700 supports the following cryptographic algorithms:
TDES (112-bit and 168-bit keys)
SHA-256 (digest for signatures, 256 bits)
RSA-2048 (signature verification, mutual authentication, 2048 bits)
3. The AMP 6700 supports the following symmetric key types:
TMK: Terminal master key. Generated by the acquirer and used to decrypt the MAC key and the PIN key.
TPK: Terminal PIN encryption key. Generated by the acquirer and used to generate the PIN block.
TAK: Terminal MAC key. Generated by the acquirer and used to calculate the MAC value.
TDK: Terminal account data encryption key. Generated by the acquirer and used to encrypt account data (SRED).
5.2 Key Loading
When the product is manufactured, the initial keys, including the TMK, the fixed key and the initial DUKPT key, are injected into the AMP 6700 under dual control and split knowledge in a secure environment.
The working keys (TPK, TAK and TDK), encrypted under the TMK, are downloaded into the AMP 6700 in the logon transaction.
The key loading method for applications follows ANSI X9 TR-31:2010.
5.3 Key Replacement
Keys must be removed from the device whenever compromise of the original key is known or suspected, and whenever the time deemed feasible to determine the key by exhaustive attack has elapsed. Keys can be removed with the sensitive service "Clear Key" in the AMP 6700's menu. After key removal, the device must be returned to the key injection facility for secure key loading. Keys must be reviewed every 2 years to decide whether they should be replaced with new keys to avoid exhaustive attack.
5.4 Key Table
Storage (all keys): the key is encrypted under the SIEK and the ciphertext is saved in the file system.
Key Name | Purpose | Algorithm | Size
Master Key | Decryption of session keys (PEK, MAC) | TDES | 128/192 bits
PIN Key | Online PIN encryption key | TDES | 128/192 bits
MAC Key | Message authentication | TDES | 128/192 bits
EAK | Encrypt account data | TDES | 128/192 bits
Fixed MAC key | Message authentication | TDES | 128/192 bits
Fixed PIN key | Online PIN encryption key | TDES | 128/192 bits
Fixed EAK | Encrypt account data | TDES | 128/192 bits
DUKPT Key | Online PIN encryption key and message authentication | TDES | 128/192 bits
5.6 Key removal
If a tamper event is detected, all keys in the device are erased automatically.
Once loaded into the device, keys remain available until the administrator erases all keys for decommissioning or a tamper event is detected.
6 Device Maintenance
1. Decommissioning/Removal
Permanent removal
When the device is no longer used, it can be decommissioned and removed from service. All key material used to decrypt any sensitive data must then be removed.
Decommissioning
To decommission a device, the merchant returns it to the acquirer or the vendor, who resets all payment keys using the key loader. Disassembling the device puts it into the tamper state, which also erases all payment keys and decommissions the device.
Temporary removal
For a temporary removal, the keys do not need to be removed.
2. Tamper Response
When the device has been tampered with, tamper information is shown on the LCD display; contact your authorized service provider or Advanced Mobile Payments Inc for maintenance.
7 Vulnerability Detection and Follow-up Action
When new vulnerabilities, threats or bugs are reported through public resources or by customers, Advanced Mobile Payments Inc analyses whether they may impact the security of the AMP 6700. Advanced Mobile Payments Inc contacts the PCI lab to consult on whether a delta evaluation is necessary.
Advanced Mobile Payments Inc will move to a higher Android version if Google stops producing security updates for the version the AMP 6700 uses. Advanced Mobile Payments Inc then contacts the PCI lab to consult on whether a delta evaluation is necessary.
If the vulnerabilities, threats or bugs impact the security of the AMP 6700, Advanced Mobile Payments Inc immediately informs customers of the analysis result by e-mail and sends them the patch. If a hardware change is needed to fix the issue, customers must return their AMP 6700 devices to the AMP 6700 manufacturing facility for repair.
When a new vulnerability arises, the Advanced Mobile Payments Inc security team sends a vulnerability notification e-mail to customers (in particular their security managers).
Bug reports can be sent to Advanced Mobile Payments Inc by e-mail:
support@Advanced Mobile Payments Inc.com
8 Tamper Detection and Response
8.1 Tamper Trigger Events
Front case removal
Back case removal
Physical penetration on any side of the device
MSR connector removal
Temperature > 125˚C or < -45˚C
Supply voltage outside the approximate range 2.0 V < V < 3.63 V
Stored sensitive data authentication failed during the self-test
8.2 Tamper Response
Remove the stored key file.
Make the device unavailable and display the attack source information on the screen.