PCI DSS Uyumluluğu için SSL Kontrolleri

PCI DSS nedir?

PCI DSS (Ödeme Kartları Endüstrisi Veri Güvenliği Standardı), kartlı ödeme sistemlerinde veri güvenliğini sağlama amacıyla American Express, JCB, DFS, MasterCard Worldwide ve Visa International katılımıyla oluşturulmuş komite tarafından geliştirilmiş bir standarttır. Diğer standartlardan farklı olarak PCI DSS standart maddelerinde detaylı bilgilendirme yapmaktadır.

PCI DSS, kartlı sistemler üzerindeki işlem sayısına göre firmalar farklı kategorilerde sınıflandırılmış  ve her kategori için sorumluluklar belirlenmiştir. Bu sorumluluklardan biri de yılda 4 kere uzaktan güvenlik testi gerçekleştirmektir.

PCI güvenlik testlerinde firmalar genellikle yapılandırılması unutulmuş SSL sunucular yüzünden başarısız çıkmaktadır. PCI açıkca güçlü şifreleme ve algoritma kullanımı istemektedir.[1]

1)PCI tarama sonuçlarının FAIL çıkmasına sebep olan SSL hatalarından ilki sunucu sistemlerin düşük seviyeli SSL protokol desteğidir.

PCI taramalarında SUCCESS almak için sunucu sistemlerin SSLv2 desteğini kaldırmak gerekir.

SSL v2 desteği olup olmadığı aşağıdaki komutla anlaşılabilir.

openssl s_client -ssl2 -connect mail.lifeoverip.net:443

Eğer destekliyorsa aşağıdaki gibi bir çıktı alırsınız

# openssl s_client -ssl2 -connect mail.lifeoverip.net:443
CONNECTED(00000003)
depth=0 /C=TR/ST=IStanbul/O=Lifeoverip Consultant Services/OU=Security/CN=*.lifeoverip.net/emailAddress=bilgi@lifeoverip.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=TR/ST=IStanbul/O=Lifeoverip Consultant Services/OU=Security/CN=*.lifeoverip.net/emailAddress=bilgi@lifeoverip.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=TR/ST=IStanbul/O=Lifeoverip Consultant Services/OU=Security/CN=*.lifeoverip.net/emailAddress=bilgi@lifeoverip.net
verify error:num=21:unable to verify the first certificate
verify return:1

Server certificate
—–BEGIN CERTIFICATE—–
MIIC2jCCAkOgAwIBAgICEAEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVFIx
ETAPBgNVBAgTCElTdGFuYnVsMScwJQYDVQQKEx5MaWZlb3ZlcmlwIENvbnN1bHRh
bnQgU2VydmljZXMwHhcNMDkwODE0MDgzNjEyWhcNMTAwODE0MDgzNjEyWjCBnjEL
MAkGA1UEBhMCVFIxETAPBgNVBAgTCElTdGFuYnVsMScwJQYDVQQKEx5MaWZlb3Zl
cmlwIENvbnN1bHRhbnQgU2VydmljZXMxETAPBgNVBAsTCFNlY3VyaXR5MRkwFwYD
VQQDFBAqLmxpZmVvdmVyaXAubmV0MSUwIwYJKoZIhvcNAQkBFhZodXpleWZlQGxp
ZmVvdmVyaXAubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8433eaY2z
oldD/atJnE/YAxNVw4l/lnql4xRRlMSj6sN5K4pcATnNTCkmfz+RPexPrD5jTnGH
eg5pF+CQunncz4H7GoDKTUyK3PXDpGonpNojiHdOwdI+Pxos1yXlLkhPPPl39xR7
1eUbY8wKh0RI//YI/MgIkIz7SQg7Rtl1RwIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQUM7jCWgiS52RdJeVt9QiomzcKv74wHwYDVR0jBBgwFoAUE/blhkjr5WqK
zLxyKHUNOIkgKEUwDQYJKoZIhvcNAQEFBQADgYEAlrClCM4OwHIVuY+Z1lucHOo7
KO8CV4AZsPipH0rzjKYHAuPJEM4hOeBhjXIpO1wLPEHMbmRtLZOTqjaSCzgWA4/E
kML844DDK2WA6FvK+HMLfMbJrcUJlSD7BWbNTnd2IvStEFNP3xo2GSb5/kPdGSkq
N7zr4BWHycxZuZrLEQI=
—–END CERTIFICATE—–
subject=/C=TR/ST=IStanbul/O=Lifeoverip Consultant Services/OU=Security/CN=*.lifeoverip.net/emailAddress=bilgi@lifeoverip.net
issuer=/C=TR/ST=IStanbul/O=Lifeoverip Consultant Services

No client certificate CA names sent

Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5

SSL handshake has read 867 bytes and written 236 bytes

New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : DES-CBC3-MD5
Session-ID: 5651A7532DB332322B3548828C9AF587
Session-ID-ctx:
Master-Key: CAA483ED155699A74A1CB589D93E5BC46AE96AB55B1C5134
Key-Arg : F5C117634219AE91
Start Time: 1268818051
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

SSLv2 desteklemiyorsa aşağıdaki gibi çıktı alırsınız.

# openssl s_client -ssl2 -connect www.citibank.com:443
CONNECTED(00000003)
9853:error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher:s2_pkt.c:675:
9853:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

Apache’de SSLv2 desteğini çıkarma

httpd.conf ya da ssl ayarları hangi dosyada tutuluyorsa(genelde ssl.conf) ilgili dosyaya aşağıdaki satırları ekleyip Apache’yi restart etmek yeterli olacaktır.

SSLProtocol -ALL +SSLv3 +TLSv1

Bu komutla sunucunun sadece SSLv3 ve TLSv1 desteklemesini söylüyoruz.
2)PCI Taramalarında FAIL çıkaran SSL’le ilgili diğer konu da zayıf şifreleme algoritmalarının kullanımıdır
Zayıf şifreleme algoritmalarının kullanımı aşağıdaki komutla öğrenilebilir
openssl s_client -connect www.visa.com:443 -cipher LOW:EXP

Eğer sistem zayıf şifreleme algoritmalarını destekliyorsa sonuç aşağıdaki gibi çıkacaktır.

~# openssl s_client -connect www.visa.com:443 -cipher LOW:EXP
CONNECTED(00000003)
depth=0 /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

Server certificate
—–BEGIN CERTIFICATE—–
MIIDWjCCAsOgAwIBAgIEBydSYTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MB4XDTA5MTEyNDIwMTQ0N1oXDTEwMTEyNDIwMTMyN1owTTELMAkG
A1UEBhMCVVMxIjAgBgNVBAoTGUFrYW1haSBUZWNobm9sb2dpZXMsIEluYy4xGjAY
BgNVBAMTEWEyNDguZS5ha2FtYWkubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDtWQuRdxfiWh+tkAt3jM7GO3fjGUczR+z+lJzOXR/N8vO4z/8EdsMAEQxX
rPjucJJVg3mzqjC9e95XJUv8O56N1k61FspmhgFSuCjuYRB9BpH2boFYJexeDidV
fjuUzslfba9WDhZibr/frOLUScTLQbR2ob8fzLaAcylKintkkQIDAQABo4IBHTCC
ARkwCQYDVR0TBAIwADAsBgNVHREEJTAjghFhMjQ4LmUuYWthbWFpLm5ldIIOKi5h
a2FtYWloZC5uZXQwCwYDVR0PBAQDAgUgMIGJBgNVHSMEgYEwf6F5pHcwdTELMAkG
A1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUGA1UECxMeR1RF
IEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYDVQQDExpHVEUgQ3liZXJU
cnVzdCBHbG9iYWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL3d3
dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIwMTgvY2RwLmNybDANBgkq
hkiG9w0BAQUFAAOBgQAKdzAWm4SCZGw3z9gox1Enz6FZCOlHf73HhLNEnkpI4jIJ
dhz1OGm0DJzZJXrmFMZ5StNZqPpXDnbSV5geLHK6pYquRNCmTK/jmrH1Jk6mY1EM
d/osKHfVqwLmQ3xND3K2W/bq5s571hP9IotRODQQftwUzU5W5Qi89Jzt60QLGA==
—–END CERTIFICATE—–
subject=/C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
issuer=/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

No client certificate CA names sent

SSL handshake has read 1016 bytes and written 275 bytes

New, TLSv1/SSLv3, Cipher is DES-CBC-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC-SHA
Session-ID: D9F96C901688BEFAD153B09E11F8592B71957EE67F7DFF192EDAB2121CDD2205
Session-ID-ctx:
Master-Key: E2020445BE3D6F2D72953B88077A6E1CA495FA40E62D2DFA214E367D01D828BBB8F93FA20B874EB37834A80ED41D3C1E
Key-Arg : None
Start Time: 1268818538
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

Zayıf şifreleme algoritmalarını desteklemeyen bir sunucu aşağıdaki gibi çıktı verecektir.

~# openssl s_client -connect abc.sirket.com.tr:443 -cipher LOW:EXP
CONNECTED(00000003)
9857:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Apache’de zayıf şifreleme algoritmalarını kapatmak için

httpd.conf ya da ilgili ssl dosyasına aşağıdaki satırlar eklenerek Apache restart edilmelidir.

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Bilgisayarınızda openssl yüklü değilse burada anlatılan işlemleri clez.net sayfası üzerinden kolaylıkla deneyebilirsiniz. Ya da Linux sistemlere sslscan yazılımı kurarak hedef sunucuda hangi zayıf şifreleme algoritmaları kullanılmış belirleyebilirsiniz.

~# sslscan www.citibank.com:443
_
___ ___| |___ ___ __ _ _ __
/ __/ __| / __|/ __/ _` | ‘_
__ __ __ (_| (_| | | | |
|___/___/_|___/_____,_|_| |_|

Version 1.6
http://www.titania.co.uk
Copyright (C) 2007-2008 Ian Ventura-Whiting

Testing SSL server www.citibank.com on port 443

Supported Server Cipher(s):
Rejected SSLv2 168 bits DES-CBC3-MD5
Rejected SSLv2 56 bits DES-CBC-MD5
Rejected SSLv2 40 bits EXP-RC2-CBC-MD5
Rejected SSLv2 128 bits RC2-CBC-MD5
Rejected SSLv2 40 bits EXP-RC4-MD5
Rejected SSLv2 128 bits RC4-MD5
Failed SSLv3 256 bits ADH-AES256-SHA
Failed SSLv3 256 bits DHE-RSA-AES256-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-SHA
Failed SSLv3 256 bits AES256-SHA
Failed SSLv3 128 bits ADH-AES128-SHA
Failed SSLv3 128 bits DHE-RSA-AES128-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-SHA
Failed SSLv3 128 bits AES128-SHA
Failed SSLv3 168 bits ADH-DES-CBC3-SHA
Failed SSLv3 56 bits ADH-DES-CBC-SHA
Failed SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Failed SSLv3 128 bits ADH-RC4-MD5
Failed SSLv3 40 bits EXP-ADH-RC4-MD5
Failed SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 56 bits DES-CBC-SHA
Failed SSLv3 40 bits EXP-DES-CBC-SHA
Failed SSLv3 40 bits EXP-RC2-CBC-MD5
Failed SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Failed SSLv3 40 bits EXP-RC4-MD5
Failed SSLv3 0 bits NULL-SHA
Failed SSLv3 0 bits NULL-MD5
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 128 bits ADH-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Rejected TLSv1 128 bits AES128-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Rejected TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5

Prefered Server Cipher(s):
SSLv3 128 bits RC4-MD5
TLSv1 128 bits RC4-MD5

SSL Certificate:
Version: 2
Serial Number: -4294967295
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
Not valid before: Jun 17 00:00:00 2009 GMT
Not valid after: Jun 17 23:59:59 2011 GMT
Subject: /1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=2154254/C=US/postalCode=10043/ST=New York/L=New York/streetAddress=399 Park Avenue/O=Citigroup Inc./OU=swcbweb5-www/CN=www.citibank.com
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c8:4a:cf:15:2e:60:3b:07:ca:02:7b:6a:dc:4d:
de:1c:6d:10:8b:23:99:3e:e5:91:06:17:16:1e:2b:
1d:7e:28:ab:30:3c:be:67:50:2f:4e:78:c8:6c:f3:
bf:36:5b:a9:41:43:5e:cc:e1:4a:c4:40:2f:6e:4e:
a8:d9:8d:1f:10:bd:f0:28:ef:49:b2:b8:db:8c:90:
f5:08:49:b6:f8:9c:53:5b:69:cf:78:bf:de:e3:e1:
8f:2d:2b:9a:0c:e6:8b:d2:61:8f:55:ab:15:04:c5:
fa:35:66:22:3b:cd:bf:f6:f0:51:2c:6f:b4:6f:ab:
03:6c:10:ca:18:53:da:e8:b8:ec:b0:49:85:73:79:
48:a9:a6:f3:44:db:28:62:aa:b7:f0:cd:67:2a:eb:
d3:53:f3:83:55:b3:85:5d:52:71:5d:a2:96:b2:7e:
88:f5:c1:ef:40:07:4e:4d:91:2b:8c:14:3e:dd:76:
91:fe:a9:97:fa:52:01:5a:43:10:c2:27:c5:75:fe:
6a:03:53:d8:42:f5:67:f1:82:99:3e:48:a2:e1:da:
45:c4:1b:7e:f4:71:b6:5c:4e:d7:b0:5c:86:60:2e:
e4:07:83:a4:99:8f:68:f5:e6:8c:6d:d2:37:ba:fb:
db:a5:ea:28:07:d9:eb:ce:43:10:1b:35:34:01:0d:
b8:9f
Exponent: 65537 (0×10001)
X509v3 Extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
D3:DD:0C:1D:B5:42:E5:83:2A:2C:67:60:EE:C9:21:C8:19:D5:64:6D
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.6
CPS: https://www.verisign.com/rpa

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
X509v3 Authority Key Identifier:
keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF

Authority Information Access:
OCSP – URI:http://EVIntl-ocsp.verisign.com
CA Issuers – URI:http://EVIntl-aia.verisign.com/EVIntl2006.cer

1.3.6.1.5.5.7.1.12:
0`.^.Z0X0V..image/gif0!0.0…+……Kk.(…..R8.).K..!..0&.$http://logo.verisign.com/vslogo1.gif
Verify Certificate:
self signed certificate in certificate chain

 

[PCI-DSS] 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

Examples of open, public networks that are in scope of the PCI DSS are:

* The Internet,
* Wireless technologies,
* Global System for Mobile communications (GSM), and
* General Packet Radio Service (GPRS).

4.1.a Verify the use of encryption (for example, SSL/TLS or IPSEC) wherever cardholder data is transmitted or received over open, public networks

* Verify that strong encryption is used during data transmission
* For SSL implementations:
o Verify that the server supports the latest patched versions.
o Verify that HTTPS appears as a part of the browser Universal Record Locator (URL).
o Verify that no cardholder data is required when HTTPS does not appear in the URL.
* Select a sample of transactions as they are received and observe transactions as they occur to verify that cardholder data is encrypted during transit.
* Verify that only trusted SSL/TLS keys/certificates are
* Verify that the proper encryption strength is implemented for the encryption methodology in use. (Check vendor recommendations/best practices.)