
Difference between revisions of "ProblemsCBCModeForPANs"

From OWASP
Latest revision as of 18:00, 14 July 2008

Link To Document - [https://www.owasp.org/index.php/Image:PanEncryption.pdf Problems With Using CBC Mode For PAN Encryption]

Author Ashok Misra

Abstract

Permanent Account Number (PAN) encryption in e-commerce merchant databases presents unique application issues.

Block encryption primitives using Cipher Block Chaining (CBC) mode preclude efficient lookup functionality.

Since CBC encryption mode is not idempotent, one-way hashes of PANs are needed in order to support lookup.

The payment community does not view a one-way hash of a PAN as a security violation. Ironically, its use is recommended by PCI DSS best practices.

On the other hand, security experts categorically proscribe the use of an idempotent block cipher implementation such as Electronic Code Book (ECB).

Storage of SHA1 hashes for payment information follows best practice, PCI guidelines and buzzword compliance.

This paper presents a minority opinion and argues that security is weakened dramatically by employing one way cryptographic primitives for PANs in order to support lookup.
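The lookup problem the abstract describes, as an added Go example that is not part of the paper or of this OWASP page: CBC with a random IV yields a different ciphertext on every store, so the database cannot match a PAN on equality; a plain SHA-1 digest is matchable, but so is the digest of any guessed PAN, and once the issuer prefix (BIN) is known and the Luhn check digit is fixed only about 10^9 candidates remain; a keyed HMAC token keeps the deterministic lookup without that exposure. The key, the sample PAN, the 6-digit BIN figure and the HMAC alternative are this example's own assumptions, not figures or recommendations from the paper.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
)

// encryptCBC returns IV||ciphertext of a 16-digit PAN under AES-128-CBC with a fresh random IV.
func encryptCBC(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := []byte(pan) // 16 ASCII digits fill exactly one AES block, so no padding is needed
	out := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], pt)
	return out, nil
}
// sha1Token is the deterministic lookup value the abstract describes; anyone can compute it for a guessed PAN.
func sha1Token(pan string) string {
	sum := sha1.Sum([]byte(pan))
	return hex.EncodeToString(sum[:])
}
// hmacToken is a keyed alternative: deterministic per PAN, but not computable without the secret key.
func hmacToken(key []byte, pan string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}
// candidatePANs estimates the PANs to try when the BIN is known and the last digit is fixed by the Luhn check.
func candidatePANs(panLen, binLen int) float64 { return math.Pow10(panLen - binLen - 1) }
func main() {
	key := []byte("0123456789abcdef") // constructed demo key (AES-128), not a real one
	pan := "4000000000000002"         // constructed Luhn-valid sample, not a real card
	c1, _ := encryptCBC(key, pan)
	c2, _ := encryptCBC(key, pan)
	fmt.Println("CBC ciphertexts equal:", hex.EncodeToString(c1) == hex.EncodeToString(c2)) // false: equality lookup fails
	fmt.Println("SHA-1 tokens equal:", sha1Token(pan) == sha1Token(pan), "guesses with 6-digit BIN:", candidatePANs(16, 6))
	fmt.Println("keyed lookup token:", hmacToken(key, pan))
}
```

A production design would also keep the HMAC key out of the database tier and constrain who may call the token function, since whoever holds the key regains the ability to test guessed PANs.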