[WEB SECURITY] Hashing and entropy

Lavery, Oliver oliver at securitycompass.com
Fri Jun 20 19:12:56 EDT 2008

Yes, most definitely the best solution is to avoid the problem altogether. Storing PANs is clearly not an easy problem, but we know lots of people out there are cobbling together solutions, and likely pass their PCI audits.

I first came across this issue several years ago doing a design review for a service that wanted to do regular monthly billing against a payment processor. Changes to the service were to require the credit card be re-entered and verified against the card on file for security purposes. Of course they wanted to store unsalted MD5 hashes of the credit card number for the verification step ... which we luckily pulled from the design. 

PCI is a good initiative, but I shudder to think how it gets enforced as it's so vague. None of the solutions suggested in the bit I quoted are much better than storing the PAN in the clear, except truncation, perhaps.

(I'm not sure how "index tokens and pads" is meant to be interpreted, but if it means one-time pads, it actually might be a pretty good option.)

-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal at corsaire.com]
Sent: Fri 20/06/2008 17:33
To: Lavery, Oliver; Glenn.Everhart at chase.com; aksecurity at gmail.com; nhoyle at hoyletech.com
Cc: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] Hashing and entropy

I've provided some crypto guidance for a couple of UK high street
retailers PCI projects, and the general rule is that the right solution
is based mostly on context, and what you actually want to do with the
PAN (or a derivative of it).  No one size fits all.  

As a first port of call though, only keep the data you absolutely must
keep, and only for as long as you need to.  Many people use the PAN as a
key for marketing or purchase history, which it just isn't suitable for.
If you can ruthlessly remove PCI data, then you reduce the problem
(often by several orders of magnitude).

For example, many merchant services will wrap the whole CC handling
process for you.  Which means that you should never have to store any
PCI related data at all; you hold it transiently whilst the transaction
is authorised, and then you store the transaction reference, and destroy
the PAN/CVV etc.
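An added example, not from either poster, that puts numbers on the "hashing and entropy" point behind the unsalted-MD5 design mentioned above. It assumes a 16-digit PAN whose 6-digit BIN is known to an attacker and whose last digit is a Luhn check digit, and it contrasts the unsalted hash with a keyed verifier (HMAC under a server-held secret) for the "re-enter and verify" step; the key value is a constructed placeholder.

```python
import hashlib
import hmac
import math


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_entropy_bits(pan_len: int = 16, known_prefix_digits: int = 6) -> float:
    """Effective entropy of a PAN once the BIN is known and the check
    digit is fixed by the other digits: only the middle digits are free.
    For a 16-digit PAN with a 6-digit BIN that is 9 digits, about 30 bits,
    which is why an unsalted hash of it is cheaply enumerable offline."""
    free_digits = pan_len - known_prefix_digits - 1
    return free_digits * math.log2(10)


def unsalted_md5(pan: str) -> str:
    """The design that was pulled: equal PANs give equal, unkeyed digests."""
    return hashlib.md5(pan.encode()).hexdigest()


def keyed_verifier(pan: str, key: bytes) -> str:
    """Verification token that cannot be enumerated without the secret key.
    The key must live outside the database (HSM or separate secret store)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def verify_pan(pan: str, key: bytes, stored: str) -> bool:
    """Check a re-entered PAN against the stored keyed verifier."""
    if not luhn_valid(pan):
        return False
    return hmac.compare_digest(keyed_verifier(pan, key), stored)
```

Even the keyed verifier is only for an equality check; it does not let you recover the PAN, so a transaction reference from the processor is still the better thing to keep.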
