On Jul 23, 2009, at 10:11 AM, bulk wrote:
I am working for a small company that is going through a PCI DSS
audit.
securitymetrics.com? (They seem to be the low bidder, with everything
that implies. They asked me to open up my firewall to them, pointing
at a fake server, just so they'd have something to audit, after
failing our audit "because we only allowed access to the application
from inside our firewall.".)
The auditor wants to know how long the key lengths are for the
fields that we have encrypted with pgcrypto 3des. I am by no means
an expert in cryptology, so I am struggling with what to tell
him? I've done a day or so of googling and the best I can tell is
the 3des uses 3x56bit keys and encrypts the date 3 times with each
of the keys.
If he really said that 3des can use 2048 bit keys, tell him he's an
idiot.
He did not seem to like that answer. He seems to believe that 3des
can use 2048 bit keys and that is the minimal acceptable standard of
PCI DSS? What I know is that we simply added the contrib pgcrypto
stuff into the database and started using 3des and it seemed to work.
So my questions are:
1) What are the default 3des key lengths when you load postgresql
enterprise db on a redhat ES x86_64 box?
Dunno. 3des is usually a 112 bit key, though, IIRC. 168 at most. It's
rather an old cipher by this point, but still secure enough for most
things.
2) If possible how can you change the keys? and replace them with
keys with lengths to 2048 bit or above?
3) If 2 is not possible then what other encryption type can we use
that will meet his 2048 bit key length requirement?
Long key lengths, thousands of bits, are something you tend to talk
about when you're looking at an asymmetric cipher. RSA, DSA stuff like
that.
Symmetric ciphers (aka secret-key), like 3des, tend to use much
shorter key lengths.
A symmetric cipher uses the same key to encrypt and decrypt a message.
An asymmetric cipher (aka public-key) uses one key to encrypt the
message and needs a different key to decrypt it.
4) Is is possible to compile C or Java code that will allow me to be
the only one whom knows the pass-key but allow other users to
encrypt/decrypt data?
Yes, that's asymmetric cryptography, using something like DSA.
For a web application capturing credit cards, say, doing that you
might use something like pgp to handle all the encryption and
decryption. You'd use PGP in your webapp using a public key to encode
the credit card numbers you were given before storing them in the
database. Any time you need to access that you'd pull it out of the
database, and use PGP with the associated private key to recover the
credit card number, probably on a separate secure system. That's
reengineering your entire system architecture and business process,
though, rather than just dropping in a new encryption algorithm.
As I understand the PCI DSS requirements (which is only a little) you
don't need to use asymmetric crypto to comply with them, and that as
long as you have decent key management and access control, 3des would
be fine. https://www.pcisecuritystandards.org/ has a bunch of the docs
if you're interested.
Cheers,
Steve
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general