Comments on Steve's Stories: Cryptography (of PCI data) is Hard
Feed updated: 2015-09-25T04:37:25.031-05:00

Anonymous, 2010-08-27T15:13:35.827-05:00

Oh, dear, I did not mean to say that FPE is crummy. What I mean is that not all the ways end-to-end encryption is being done are good. My apologies. I actually have read the FPE spec, find it interesting, and have lots of respect for the authors. I look forward to either ASC X9F1 or NIST CRC approving it.

Thanks for pointing out the mistake in my entropy calculation. I did that a while ago and just pulled the number from memory. Shame on me - I should have done the math. :O)

Terence Spies, 2010-08-27T13:42:06.751-05:00

Sid,

It's definitely true that cryptography is hard, but I think you've mischaracterized the strength of FPE here. As you said, the previous Storefront BackTalk post did ruffle feathers, but it did so because (as the author acknowledged) it contained some incorrect assertions about how encryption works. Walt had some good points, but equating cipher strength to the entropy available in the plaintext is just not correct. Ciphers are designed to handle these cases without losing strength or revealing key bits.

What you describe as XORing a random value with the PAN before encrypting is essentially creating a mode with an IV value that randomizes the encryption process. The XOR process is essentially the same process used by Cipher Block Chaining (CBC) mode, and has the randomizing effect. (Note that it does NOT double the key strength of the cipher, or at least I'm not aware of any proof that shows that these XORed bits contribute in the same way as cipher key bits.)

(As a side note, your computation of the entropy in a PAN is off. 16 decimal digits = 10^16, which is approximately 2^57, so there are about 57 bits of entropy in a PAN. The presence of a Luhn digit cuts this down by somewhat less than 3 bits.)

Regardless, in situations where there is minimal plaintext entropy, it can be important to randomize the encryption process, so that identical ciphertexts do not reveal that the plaintexts are identical. The FPE mode under consideration (FFX) contains a tweak parameter that has exactly that effect. The algorithm can be supplied with random bits that will randomize the encryption algorithm in exactly the same way as an IV.

Calling FPE "crummy" ignores the work that has gone into this mode. The FFX design leverages research into provably secure cipher design that dates back to the mid-80s, and uses an internal structure that has been scrutinized by the crypto community since the 1970s. The BPS mode proposed by an independent set of French cryptographers comes to the same conclusions, and uses the same internal structure.

While the standardization process has not proceeded as fast as one might like, this mode is under active consideration at a number of bodies, including X9F1, the cryptographic tools subcommittee of X9F.