I think much of the problem is with credit card numbers themselves. There are only ~10**16 possible credit card numbers -- many fewer if you allow for the fact that only certain combinations are valid. A credit card number is easier to brute-force guess than its encryption key, format-preserving or not.
Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Tony Harminc
Sent: Tuesday, May 19, 2015 9:08 AM
To: [email protected]
Subject: Re: PCI DSS compliance for z/OS

On 17 May 2015 at 14:39, Phil Smith <[email protected]> wrote:
> Format-preserving data protection methods achieve PCI DSS compliance
> while enabling persistent, data-centric security. "Format-preserving"
> means that the encrypted/tokenized values look and feel like plaintext: same
> length, same character set.

I've heard about this format-preserving encryption for a while, but haven't had the justification for spending time to really understand what goes on. But it seems to me on the face of it that any such encryption must be substantially weaker than what we usually think of as strong encryption. Surely for (e.g.) a 16-digit credit card number there are only 10**16 and probably effectively *many* fewer (given a check digit and the likelihood that the first and last four digits are far less secure than the middle eight) encrypted possibilities, compared to almost 2**64 or about 10**19 possibilities for an arbitrary 8-byte block of data. And then there's the difficulty of using CBC mode, or indeed anything other than plain old ECB, which leaves a database full of known and indeed close to chosen plaintext data to work with.

Not meaning to hijack the thread (and I think I am staying relevant), but maybe you could explain what goes on in a few sentences. Doubtless good minds have spent a lot of time on this; if there's a short and to the point introduction somewhere I'd be happy to look at it.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
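The size of the plaintext space is what both posts above are arguing about, so here is a small worked calculation of it. This is an added example, not code from either poster or from any FPE product: it implements the public Luhn check digit used on card numbers, counts how many Luhn-valid 16-digit PANs remain once the issuer prefix and the last four digits are assumed known (the "first and last four digits" case Tony raises), and expresses each guess space in bits next to the 8-byte-block and 128-bit-key spaces mentioned in the thread. The 6-digit prefix length and the sample card number are constructed for illustration; the helper names are my own.

```python
import math


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812-1): every second digit from the right is
    doubled, digits > 9 have 9 subtracted, and the sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def count_valid_pans(length: int = 16, prefix: str = "", suffix: str = "") -> int:
    """Number of Luhn-valid PANs of `length` digits when the first
    len(prefix) and last len(suffix) digits are already known.

    Both the doubled and the undoubled digit maps are permutations of 0..9,
    so for any choice of the other free digits exactly one value of the last
    free digit satisfies the check: the count is 10**(free - 1)."""
    free = length - len(prefix) - len(suffix)
    if free < 0:
        raise ValueError("prefix and suffix longer than the PAN")
    if free == 0:
        return 1 if luhn_valid(prefix + suffix) else 0
    return 10 ** (free - 1)


def count_by_enumeration(length: int, prefix: str, suffix: str) -> int:
    """Brute-force cross-check of count_valid_pans for small free spans."""
    free = length - len(prefix) - len(suffix)
    return sum(
        1
        for k in range(10 ** free)
        if luhn_valid(prefix + str(k).zfill(free) + suffix)
    )


def guess_bits(candidates: int) -> float:
    """Work factor of exhaustively guessing one value from `candidates`, in bits."""
    return math.log2(candidates)


def guess_space_report() -> dict:
    """Guess spaces discussed in the thread, in bits.  The 6-digit issuer
    prefix (BIN) and 4-digit suffix lengths are assumptions for illustration."""
    return {
        "any 16-digit string": guess_bits(10 ** 16),
        "Luhn-valid 16-digit PAN": guess_bits(count_valid_pans(16)),
        "BIN and last 4 known": guess_bits(count_valid_pans(16, "411111", "1111")),
        "arbitrary 8-byte block": guess_bits(2 ** 64),
        "AES-128 key": guess_bits(2 ** 128),
    }


if __name__ == "__main__":
    # Constructed test PAN (the well-known Visa test number), not real data.
    print("4111111111111111 Luhn-valid:", luhn_valid("4111111111111111"))
    for label, bits in guess_space_report().items():
        print(f"{label:28s} {bits:7.2f} bits")
```

The report makes the thread's point concrete: a full PAN space is about 50 bits after the check digit, and a PAN whose BIN and last four are exposed (the usual masked-receipt layout) leaves only 10**5 candidates, roughly 17 bits. That number is the work factor for confirming a guess against a deterministic, format-preserving ciphertext once an attacker can obtain encryptions of chosen values; it is why FPE deployments rely on a tweak tied to each record and on strict control of who can call the encryption service, rather than on the size of the plaintext alphabet.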
