ProblemsCBCModeForPANs

From OWASP
Revision as of 17:27, 14 July 2008 by Amisra


1. Abstract

    * Permanent Account Number (PAN) encryption in e-commerce merchant
      databases presents unique application issues.
    * Block encryption primitives using Cipher Block Chaining (CBC) mode
      preclude efficient lookup functionality.
    * Since CBC encryption mode is not idempotent [8][1], one-way hashes of
      PANs are needed in order to support lookup.
    * The payment community does not view a one-way hash of a PAN as a
      security violation. Ironically, its use is recommended by PCI DSS best
      practices.
    * On the other hand, security experts categorically proscribe the use of
      an idempotent block cipher implementation such as Electronic Code Book
      (ECB).
    * Storage of SHA-1 hashes for payment information follows best practice,
      PCI guidelines and buzzword compliance.
    * This paper presents a minority opinion and argues that security is
      weakened dramatically by employing one-way cryptographic primitives
      for PANs in order to support lookup.
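
The lookup problem the abstract describes, as an added example that is not part of the original page: the same PAN stored under CBC with a fresh IV never matches a re-encrypted search value, while the ECB and unsalted SHA-1 columns match on every row holding that PAN. Assumptions: the block cipher is a toy Feistel construction standing in for AES (illustration only), and the key, test card numbers, table layout and function names are constructed for the demo.

```python
import hashlib
import os

BLOCK = 16  # bytes; same block size as AES

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher (stand-in for AES, not for real use).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7 padding
    return data + bytes([n]) * n

def encrypt_ecb(key: bytes, pan: str) -> bytes:
    # Deterministic: equal PANs always produce equal ciphertext.
    data = pad(pan.encode())
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))

def encrypt_cbc(key: bytes, pan: str) -> bytes:
    # Fresh random IV per record, so equal PANs produce different ciphertext.
    data, prev = pad(pan.encode()), os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)  # IV || ciphertext

def sha1_token(pan: str) -> str:
    return hashlib.sha1(pan.encode()).hexdigest()  # unsalted lookup hash

def build_table(key: bytes, pans: list) -> list:
    return [{"cbc": encrypt_cbc(key, p), "ecb": encrypt_ecb(key, p),
             "sha1": sha1_token(p)} for p in pans]

def find(table: list, column: str, value) -> list:
    # Equality search on one column, as a database index lookup would do.
    return [i for i, row in enumerate(table) if row[column] == value]

KEY = bytes(range(16))  # constructed demo key
PANS = ["4111111111111111", "5555555555554444", "4111111111111111"]  # test numbers
TABLE = build_table(KEY, PANS)
```

The property that makes the ECB and SHA-1 columns searchable is the same one that lets anyone reading the table see that rows 0 and 2 hold the same PAN.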