Friday, 17 January 2014

PCI DSS and strong encryption

The PCI Security Standards Council have updated (January 2014) their glossary to version 3 (https://www.pcisecuritystandards.org/documents/PCI_DSS_Glossary_Final_v3.pdf). This includes an update to their definition of strong cryptography, increasing the minimum key lengths for some algorithms. They now give as examples of industry-tested and accepted standards and algorithms for encryption: AES (128 bits and higher), TDES (minimum triple-length keys), RSA (2048 bits and higher), ECC (160 bits and higher), and ElGamal (2048 bits and higher).

Changes include:

  • Triple DES minimum key length being increased from double-length to triple-length keys
  • RSA minimum key length being increased from 1024 bits to 2048 bits
  • ElGamal minimum key length being increased from 1024 bits to 2048 bits

The change to RSA key lengths brings the acceptable minimum up to that recommended by the Certification Authority/Browser (CA/B) Forum and the National Institute of Standards and Technology (NIST), both of whom have determined that any key length below 2048 bits is no longer strong enough for SSL certificates.

This will affect merchants and service providers: they will need to examine their cryptographic systems, in particular the SSL certificates on their HTTPS services, and either increase key lengths or purchase new certificates to meet the requirements.
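One way to carry out that check on a certificate's RSA public key without third-party libraries, as an added example that is not part of the original post: a minimal DER parser reads the modulus size out of a SubjectPublicKeyInfo (the structure a certificate carries its public key in) and compares it with the v3 minima listed above. The key material in the block is constructed for the test and is not a real certificate; extracting the SubjectPublicKeyInfo from a full certificate is assumed to have been done already.

```python
# Added example (not from the original post): check an RSA key size against the
# PCI DSS v3 glossary minimum using only the Python standard library.

# PCI DSS v3 glossary minimums in bits (TDES triple-length = 168-bit key, 192 with parity)
PCI_DSS_V3_MIN_BITS = {"AES": 128, "TDES": 168, "RSA": 2048, "ECC": 160, "ElGamal": 2048}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo."""
    _, spki, _ = der_read(spki_der)            # SubjectPublicKeyInfo SEQUENCE
    _, alg_id, pos = der_read(spki)            # AlgorithmIdentifier SEQUENCE
    if der_read(alg_id)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = der_read(spki, pos)     # BIT STRING; first octet = unused bits
    _, rsa_key, _ = der_read(bit_string[1:])   # RSAPublicKey SEQUENCE
    return int.from_bytes(der_read(rsa_key)[1], "big").bit_length()  # INTEGER n

def meets_pci_dss_v3(algorithm, key_bits):
    """True when key_bits meets the v3 glossary minimum for the named algorithm."""
    return key_bits >= PCI_DSS_V3_MIN_BITS[algorithm]

# --- constructed test material: a small DER encoder for a fake SubjectPublicKeyInfo ---
def der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)  # keep INTEGER positive

def build_rsa_spki(modulus_bits, exponent=65537):
    """Fake RSA SubjectPublicKeyInfo whose modulus has exactly modulus_bits bits."""
    modulus = (1 << (modulus_bits - 1)) | 1  # not a real key; only the size matters here
    rsa_key = der(0x30, der_int(modulus) + der_int(exponent))
    alg_id = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_key))
```

For a real certificate, `openssl x509 -in cert.pem -outform DER` gives the DER form from which the SubjectPublicKeyInfo would be taken before calling `rsa_modulus_bits`.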
