PCI 3.1 and TLS 1.2

08 May 2016

pci security tls

The newest revision of the PCI Security Standards Council policy, PCI-DSS 3.1, establishes a new baseline for strong cryptography, specifically TLS (formerly SSL), required to secure payment card related traffic – TLS 1.2.

This post covers PCI recommendations, information how to check your current SSL/TLS configuration and how to prepare your .NET applications for TLS 1.2

Recommendations

CloudFlare page that tracks PCI 3.1 and TLS 1.2 announcements and summarize recommendations:

https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-3-1-and-TLS-1-2

PCI documents library

https://www.pcisecuritystandards.org/documentlibrary?category=pcidss&document=pcidss

PCI document summarizing information regarding migration from SSL and early TLS versions to TLS 1.2

https://www.pcisecuritystandards.org/documents/MigratingfromSSLEarlyTLSInformation%20Supplementv1.pdf

NIST TLS recommendations

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

Check your configuration

You can use Qualys SSL labs to check you SSL/TLS certificate information. This tool is used by Troy Hunt in his various articles, for example: Do you really want “bank grade” security in your SSL? Here’s how Aussie banks fare, Disabling SSL 3 in Azure websites, Everything you need to know about the POODLE SSL bug and Troy’s ultimate list of security links

To check your server or your pc SSL/TLS configuration on Windows you can use Windows Registry directly or use this free IIS Crypto tool that provides GUI for all those settings.

Configure your apps

In order to configure your .NET apps to support TLS 1.2 you will have to update your .NET framework to version 4.5 and run following code when application starts

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

You can allow multiple versions of the SSL/TLS protocol at once:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

You can also change Windows Registry settings to overrite default behaviour, but I find the code version more suitable.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 
Value: SchUseStrongCrypto 

With windows registry based solution you need to change different keys for 32 and 64 .NET versions and you introduce external dependency to your app.

More information can be found in this StackOverflow article and in following posts from John Louros blog: Enabling strong cryptography for all .Net applications, Disabling cryptographic protocols for PCI compliance (focused on SSL 3.0 and TLS 1.0).

NOTE: Retargetting nuget packages
You may find following StackOverflow article handy during .NET framework version change: Retargeting solution from .Net 4.0 to 4.5 - how to retarget the NuGet packages?


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.