Re: 3des key lengths and key management - Mailing list pgsql-general
From | Steve Atkins |
---|---|
Subject | Re: 3des key lengths and key management |
Date | |
Msg-id | B62EDCE7-698D-4886-A8F0-42A17179CF40@blighty.com Whole thread Raw |
In response to | 3des key lengths and key management (bulk <bulk@bohlman.org>) |
Responses |
Re: 3des key lengths and key management
Re: 3des key lengths and key management |
List | pgsql-general |
On Jul 23, 2009, at 10:11 AM, bulk wrote: > I am working for a small company that is going through a PCI DSS > audit. securitymetrics.com? (They seem to be the low bidder, with everything that implies. They asked me to open up my firewall to them, pointing at a fake server, just so they'd have something to audit, after failing our audit "because we only allowed access to the application from inside our firewall.".) > The auditor wants to know how long the key lengths are for the > fields that we have encrypted with pgcrypto 3des. I am by no means > an expert in cryptology, so I am struggling with what to tell > him? I've done a day or so of googling and the best I can tell is > the 3des uses 3x56bit keys and encrypts the date 3 times with each > of the keys. If he really said that 3des can use 2048 bit keys, tell him he's an idiot. > > He did not seem to like that answer. He seems to believe that 3des > can use 2048 bit keys and that is the minimal acceptable standard of > PCI DSS? What I know is that we simply added the contrib pgcrypto > stuff into the database and started using 3des and it seemed to work. > > So my questions are: > > 1) What are the default 3des key lengths when you load postgresql > enterprise db on a redhat ES x86_64 box? Dunno. 3des is usually a 112 bit key, though, IIRC. 168 at most. It's rather an old cipher by this point, but still secure enough for most things. > 2) If possible how can you change the keys? and replace them with > keys with lengths to 2048 bit or above? > 3) If 2 is not possible then what other encryption type can we use > that will meet his 2048 bit key length requirement? Long key lengths, thousands of bits, are something you tend to talk about when you're looking at an asymmetric cipher. RSA, DSA stuff like that. Symmetric ciphers (aka secret-key), like 3des, tend to use much shorter key lengths. A symmetric cipher uses the same key to encrypt and decrypt a message. An asymmetric cipher (aka public-key) uses one key to encrypt the message and needs a different key to decrypt it. > 4) Is is possible to compile C or Java code that will allow me to be > the only one whom knows the pass-key but allow other users to > encrypt/decrypt data? > Yes, that's asymmetric cryptography, using something like DSA. For a web application capturing credit cards, say, doing that you might use something like pgp to handle all the encryption and decryption. You'd use PGP in your webapp using a public key to encode the credit card numbers you were given before storing them in the database. Any time you need to access that you'd pull it out of the database, and use PGP with the associated private key to recover the credit card number, probably on a separate secure system. That's reengineering your entire system architecture and business process, though, rather than just dropping in a new encryption algorithm. As I understand the PCI DSS requirements (which is only a little) you don't need to use asymmetric crypto to comply with them, and that as long as you have decent key management and access control, 3des would be fine. https://www.pcisecuritystandards.org/ has a bunch of the docs if you're interested. Cheers, Steve
pgsql-general by date: