
Difference between revisions of "ProblemsCBCModeForPANs"

(New page: 1. Abstract * Permanant Account Number (PAN) encryption in an ecommerce merchant databases presents unique application issues. * Block encryption primitives using Ciphe...)
 
Line 1: Line 1:
 
 
1. Abstract
 
1. Abstract
  
    * Permanant Account Number (PAN) encryption in an ecommerce merchant
+
Permanant Account Number (PAN) encryption in an ecommerce merchant
      databases presents unique application issues.
+
databases presents unique application issues.
  
    * Block encryption primitives using Cipher Block Chaining (CBC) mode
+
Block encryption primitives using Cipher Block Chaining (CBC) mode
      preclude the possibility of supporting an efficient lookup
+
preclude the possibility of supporting an efficient lookup
      functionality.
+
functionality.
  
    * Since CBC encryption mode is not idempotent [8][1] one way hashes for
+
Since CBC encryption mode is not idempotent [8][1] one way hashes for
      PANs are needed in order to support lookup.
+
PANs are needed in order to support lookup.
  
    * The payment community does not view a one way hash of a PAN as a
+
The payment community does not view a one way hash of a PAN as a
      security violation. Ironicaly, its use is recommended by PCI DSS best
+
security violation. Ironicaly, its use is recommended by PCI DSS best
      practices.
+
practices.
  
    * On the other hand, security experts categorically proscribe the use of
+
On the other hand, security experts categorically proscribe the use of
      an idempotent block cipher implementation such as Electronic Code Book
+
an idempotent block cipher implementation such as Electronic Code Book
      (ECB).
+
(ECB).
  
    * Storage of SHA1 hashes for payment information follows best practise,
+
Storage of SHA1 hashes for payment information follows best practise,
      PCI guidelines and buzzword compliance.
+
PCI guidelines and buzzword compliance.
  
    * This paper presents a minority opinion and argues that security is
+
This paper presents a minority opinion and argues that security is
      weakened dramatically by employing one way cryptographic primitives
+
weakened dramatically by employing one way cryptographic primitives
      for PANs in order to support lookup.
+
for PANs in order to support lookup.
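Review bot: the added lines carry over the misspellings from the bulleted lines they replace ("Permanant", "Ironicaly", and "best practise" where the neighbouring paragraph writes "best practices"); correct them while the text is being re-flowed. "in an ecommerce merchant databases" also pairs a singular article with a plural noun. Dropping the "*" markers leaves seven separate points as unmarked lines under "1. Abstract", so check that each still renders as its own paragraph.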

Revision as of 17:28, 14 July 2008

1. Abstract

Permanent Account Number (PAN) encryption in e-commerce merchant databases presents unique application issues.

Block encryption primitives using Cipher Block Chaining (CBC) mode preclude the possibility of supporting efficient lookup functionality.

Since CBC encryption mode is not idempotent [8][1], one-way hashes for PANs are needed in order to support lookup.

The payment community does not view a one-way hash of a PAN as a security violation. Ironically, its use is recommended by PCI DSS best practices.

On the other hand, security experts categorically proscribe the use of an idempotent block cipher implementation such as Electronic Code Book (ECB).

Storage of SHA1 hashes for payment information follows best practice, PCI guidelines and buzzword compliance.

This paper presents a minority opinion and argues that security is weakened dramatically by employing one-way cryptographic primitives for PANs in order to support lookup.
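The lookup problem described in the abstract, as an added example that is not part of the original paper: a table stores each PAN under CBC with a fresh IV plus a SHA-1 index column, and only the index column supports an equality search. The block cipher is a toy Feistel construction standing in for a real cipher (an assumption made so the code runs with the standard library only, not secure), and the key, PANs and function names are constructed for the illustration.

```python
import hashlib, hmac, os

BLOCK = 16  # bytes per cipher block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key, block):
    # 4-round Feistel keyed with HMAC-SHA256: stand-in for a real cipher, NOT secure.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key, pan):
    # Deterministic ("idempotent" in the abstract's wording): same PAN, same output.
    data = pad(pan.encode())
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def cbc_encrypt(key, pan):
    prev = os.urandom(BLOCK)  # fresh random IV for every record
    out = [prev]
    data = pad(pan.encode())
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def sha1_index(pan):
    return hashlib.sha1(pan.encode()).hexdigest()  # keyless and repeatable

def build_table(key, pans):
    # Each row: CBC ciphertext plus the SHA-1 lookup column the abstract describes.
    return [{"ct": cbc_encrypt(key, p), "idx": sha1_index(p)} for p in pans]

def find_by_ciphertext(table, key, pan):
    probe = cbc_encrypt(key, pan)  # new IV, so the probe never matches a stored row
    return [i for i, row in enumerate(table) if row["ct"] == probe]

def find_by_hash(table, pan):
    probe = sha1_index(pan)
    return [i for i, row in enumerate(table) if row["idx"] == probe]

KEY = bytes(range(16))  # constructed demo key
PANS = ["4111111111111111", "5500005555555559", "4111111111111111"]  # constructed test numbers
TABLE = build_table(KEY, PANS)
```

Rows 0 and 2 hold the same PAN: their CBC ciphertexts differ, but their index values are equal and can be recomputed without the key, which is the same equality leak for which ECB is proscribed.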