26 August 2010
Cryptography (of PCI data) is Hard
However, the ogre of PCI DSS compliance has driven everybody to smear a little soothing encryption on their pain. The result is some crummy, non-X9F6 approved, encryption schemes. The lid got ripped off that last week in Storefront Backtalk by Evan Schuman. Everybody in retail and payment cards subscribes to and reads Storefront Backtalk. So it really ruffled some feathers:
As an aside, we solved the PAN encryption as primary key problem by generating a random salt every time we generated a working storage encryption key. We would encrypt them both w/ the KEK. Then we'd XOR the salt with the PAN before encrypting or after decrypting it. This effectively doubled the key strength. The working storage encryption key was rotated at least annually. The only hard part is that you can't take the system offline to rotate the keys, but we handled that by retrying w/ the old key for a record not found condition, assuming that the key rotation window was of short duration.
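The salted lookup and the retry-with-the-old-key rotation described above, sketched as an added example (not the author's code). The post does not name the cipher, so an HMAC-SHA256 Feistel permutation stands in for it; `KeySet`, `seal`, `unseal`, `lookup` and `rekey` are hypothetical names, and the KEK wrapping of key and salt is omitted.

```python
import hashlib, hmac, os

BLOCK = 16  # one cipher block holds a length byte plus the PAN as an integer

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # Feistel round function
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def prp(key, block, decrypt=False):
    """Stand-in deterministic block cipher (8-round Feistel), not a vetted one."""
    l, r = block[:8], block[8:]
    for i in (reversed(range(8)) if decrypt else range(8)):
        l, r = (_xor(r, _f(key, i, l)), l) if decrypt else (r, _xor(l, _f(key, i, r)))
    return l + r

class KeySet:
    """Working storage key and the salt generated with it (KEK wrapping omitted)."""
    def __init__(self):
        self.key, self.salt = os.urandom(32), os.urandom(BLOCK)

def seal(ks, pan):
    block = bytes([len(pan)]) + int(pan).to_bytes(BLOCK - 1, "big")
    return prp(ks.key, _xor(block, ks.salt))  # XOR the salt, then encrypt

def unseal(ks, ct):
    block = _xor(prp(ks.key, ct, decrypt=True), ks.salt)  # decrypt, then XOR the salt
    return str(int.from_bytes(block[1:], "big")).zfill(block[0])

def lookup(table, current, previous, pan):
    """Primary-key lookup; on 'record not found' retry with the previous key."""
    for ks in (current, previous):
        if ks is not None and seal(ks, pan) in table:
            return table[seal(ks, pan)]
    return None

def rekey(table, old, new, ciphertexts):
    """Move the given rows from the old key to the new one while staying online."""
    for ct in ciphertexts:
        table[seal(new, unseal(old, ct))] = table.pop(ct)

PANS = ["4111111111111111", "5500000000000004"]  # constructed test numbers

def demo():
    old, new = KeySet(), KeySet()
    table = {seal(old, p): {"row": i} for i, p in enumerate(PANS)}
    rekey(table, old, new, [seal(old, PANS[0])])  # rotation is half done here
    return old, new, table
```

The lookup only works because encryption under one key set is deterministic, so equal PANs always map to equal ciphertexts.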
Meanwhile, the cryptographers have been developing format preserving encryption (FPE), led by Voltage. If you haven't seen this, here is a link to a paper about Voltage's FFX: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffx/ffx-spec.pdf

This is off the proposed modes page: http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html
The PCI have been very nervous about this use of crypto, but since every Tom, Dick and Harriet in the point-of-sale business has been jumping on it, it is hard to stop. For the last two years, Heartland Payment Systems has been beating the drum for this every time their CEO, Bob Carr, gets a chance to talk. X9F1, the cryptographer part of ASC X9F, has been glacially thinking about it, as has NIST CSRC, with no yea or nay yet.
Regardless of whether FPE is sound or not, encrypting the whole transaction without XORing it with unpredictable data is madness. We'll have to see how this plays out. After the RBS Worldpay breach a couple of years ago, where the crooks got malware on the payment system, sniffed the traffic to the hardware security module and built a dictionary attack against the PINs, it is clear that the bad guys have some decent cryptographers and cryptographic engineers in their midst.
at 7:39 AM