
BLU3 Technologies has multiple certified TG-3 (CTGA) auditors on staff.  Our auditors not only have a strong understanding of the audit process, but they also have a background in network security and data encryption.  The TG-3 audit scope includes a review of:

  • General security procedures and controls

  • Tamper resistant security module management and controls

  • General key management and controls

  • Additional key management procedures

  • Asymmetric control objectives

The following is an overview of our basic TG-3 audit coverage; it should not be considered an all-inclusive list of the areas covered during our audit.

General security procedures and controls:

  • Secure environment for PINs and keys

  • PIN entry

  • ANSI approved PIN block formats

  • PIN encryption

  • PIN disclosure procedures

  • Prevention of PIN entry observation

Tamper resistant security module (TRSM) management and controls:

  • Inspection for potential TRSM tampering

  • TRSM evaluation criteria

  • Proper TRSM operation

  • Prevention of TRSM misuse

  • Preload TRSM inspection to detect TRSM modification

  • Protection of stored TRSM

  • PIN exhaustive attack detection (logging)

  • Key exhaustive attack detection (logging)

  • TRSM removal procedures

General key management and controls:

  • Key component protection

  • Key generation

  • Combining key components within a TRSM

  • Combining key components using XOR

  • Transportation of key components

  • Protection of key components

  • Key transportation using a key loading device

  • Protection of key component transfer

  • Unique keys per device

  • Unique keys per communicating pair

  • Approved symmetric key forms

  • Unique key per function (use)

  • Limited key use locations

  • Procedure for compromised keys

  • Discontinued keys

  • Key media destruction

  • Archived key reconstruction

  • Key bundle security

  • Methods of key management

Additional key management procedures:

  • Key check value length

  • Key check value calculation

  • Undue influence over key custodian

  • Segregation of production and non-production keys

  • Non-retention of emitted clear-text key(s)

Asymmetric control objectives (if applicable):

  • Public key authentication

  • Key agreement and symmetric key generation

  • Bilateral transport for symmetric key creation

  • Key transport protocol

  • Trust domains

  • Two-party public key trust

  • Three-party public key trust

  • Asymmetric key management control objectives

  • Mutual authentication management control objectives

  • Credential management control objectives













 


 

 

Copyright © 2012 BLU3 Technologies Incorporated
All Rights Reserved