Wherever there is information that needs to be protected and safeguarded, there is a need for cryptographic solutions, and PoS is no exception.
When we analyze the security of point-of-sale applications (Point of Sale or PoS software, including PoS software for trading crypto), we must take into account the necessary presence of magnetic stripe and cardholder data, which are extremely sensitive information, both for the cardholder and for the financial institution that issues the card.
Wherever there is information that needs to be protected and safeguarded, there is an urgent need for cryptographic solutions, which originated in military settings and are capable of protecting the confidentiality and integrity of this data. It is not enough simply to use certain security protocols; their correct application and tuning also matter, adapting them at both the software and hardware level.
As is to be expected, cryptography is an essential part of PoS, as of any other means of digital payment in use today. Complementing the pillars of confidentiality and integrity, authentication and non-repudiation come into play: a user cannot later deny having performed an operation.
Three groups of cryptographic algorithms converge in the terminals. They are used across heterogeneous technologies, where they intermingle with each other and with the different architectures inside PoS devices. Each of these groups has advantages and disadvantages relative to the others.
The main points where large differences can be seen are resource consumption, speed, and even the ease of implementation in the different sections of a PoS device. Depending on how a key is stored, how the communication between two points is encrypted, or even the degree of security needed, one of the algorithms listed below will be implemented:
- Symmetric algorithms:
The same key is shared for encrypting and decrypting the information. These algorithms are very fast but at the same time less “safe”, and it is strictly necessary that both parties have already exchanged their key or password before starting the communication. Some examples of symmetric cryptography are the 3DES (Triple Data Encryption Standard) and AES (Advanced Encryption Standard) algorithms.
- Asymmetric algorithms:
They use two keys, a public key and a private key, so the same key is not used for both encrypting and decrypting the information. Both keys are generated at the same time: the private one is kept and is the one used to read (decrypt), while the public one is distributed and is the one used to write, that is, to encrypt the communication.
Two widely used examples of asymmetric cryptography, or PKI (Public Key Infrastructure), are emails sent with PGP / GPG (Pretty Good Privacy) and network traffic encrypted with SSL / TLS (Secure Sockets Layer and Transport Layer Security), widely used on transactional sites or those that require entering credentials.
- One-way algorithms (hash):
These functions take input of variable length and generate a fixed-length output, commonly called a hash, based on that input. Hash functions used in cryptography have the property of being easy to compute, and they are widely used to store passwords, since in many cases it is difficult to regenerate the original input if only the hash value is known.
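The hash item above says these functions are easy to compute yet hard to invert, and that this is why they are used to store passwords. As an added example that is not part of the original post, the Python below (standard library only) shows the fixed-length property on constructed inputs and the way a practitioner would actually store a password: a bare SHA-256 of a low-entropy input is cheap to recompute, so a random per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256, with an assumed iteration count) are used instead, with a constant-time comparison on verification.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample inputs (not from the original article): a short and a
# long message, to show that the digest length does not depend on input length.
SHORT_INPUT = b"4111"
LONG_INPUT = b"cardholder record " * 40

# Assumed work factor; a real deployment tunes this to its own hardware.
# 600_000 follows current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def sha256_hex(data: bytes) -> str:
    """One-way function: variable-length input, fixed 256-bit (64 hex chars) output."""
    return hashlib.sha256(data).hexdigest()


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Derive the value that gets stored instead of the password itself.

    A plain hash is only hard to invert when the input has enough entropy;
    passwords usually do not, so a random per-user salt and an iterated KDF
    are used rather than a bare SHA-256 of the password.
    Returns (salt_hex, derived_key_hex).
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return salt.hex(), dk.hex()


def verify_password(password: str, salt_hex: str, stored_hex: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    _, candidate = store_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hex)


if __name__ == "__main__":
    print(len(sha256_hex(SHORT_INPUT)), len(sha256_hex(LONG_INPUT)))  # 64 64
    salt, dk = store_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, dk))   # True
    print(verify_password("wrong password", salt, dk))                 # False
```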
If we talk about encryption algorithms, size does matter
A general rule for all encryption algorithms is “the bigger the better”. This is because the simplest way to attack a cipher is a brute-force attack: testing all possible combinations of the bits until the searched-for string is finally found. With the processing capabilities of modern computers, it is possible to brute-force relatively long multi-bit keys.
For example, DES with a 56-bit key (2^56 possible combinations) can be broken in less than a day. However, adding more bits to the key increases the time required for cracking exponentially. The most widely used hash algorithms are MD5 (128 bits) and SHA1 (160 bits), which curiously turn out to be not very robust in terms of security compared with Triple DES or AES, which are recommended by the NSA.
The diversity of PoS terminal units, in both modular and compact equipment, will continue to increase, and telecommunications technologies accompany this constant evolution, delivering higher speeds and availability. However, in many cases cryptographic algorithms are not part of the development of PoS devices from the initial design stage, leaving a window through which cybercriminals are able to compromise systems and steal different kinds of information.
In future posts, we will investigate how malicious code is able to overcome these cryptographic processes in payment terminals, or in PoS applications at certain specific layers, in order to capture sensitive information.