Your Encryption Checklist
Encryption is one of the foundations of keeping data secure: if a hacker can't read the information they've stolen, it's useless. Storing unencrypted cardholder data in any part of your website is asking for trouble. Hackers know what to look for and where to find it, so you need to ensure you're encrypting data.
Based on real and potential weaknesses identified in existing security protocols as well as industry guidance on algorithms, the following are some things to bear in mind when considering your business’ plans for encryption in 2018.
✓ SSL v3 and TLS v1.0 are deprecated and should be disabled on all public interfaces. I suggest using https://www.ssllabs.com to test your interfaces.
✓ The chances are that TLS v1.1 and v1.2 are not impervious to future attacks, so being prepared for TLS v1.3 is a good idea. While this isn't generally available in browsers yet, you should certainly start testing it now as part of your standard development lifecycle.
✓ Double-length TDES, that is TDES with a 128-bit key (or 112-bit not including parity bits), is not considered strong encryption and is only acceptable when used with the Derived Unique Key Per Transaction (DUKPT) scheme.
✓ The caveat to the above is that NIST is deprecating TDES in general (https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA) and urges all users of TDES to migrate to AES as soon as possible. Therefore, if you are currently developing a solution that implements encryption, default to AES; and if you are using any TDES keys for data encryption or key encryption, it's worth reviewing your technical options and possible timelines for migration to stronger keys.
✓ Lastly, a lot of encryption is implemented in order to satisfy compliance requirements without appropriate consideration of security. Transparent encryption, where sensitive data is known to be encrypted but is never visibly encrypted (or unreadable), probably doesn't provide the level of security you would like to have. For your security and the security and privacy of your customers, it’s worth identifying and reviewing protections for sensitive data.
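The protocol and TDES items above can be checked against server configuration before it reaches a public interface. The following is an added example, not code from the original article: it audits nginx `ssl_protocols` and `ssl_ciphers` directives for SSL v3, TLS v1.0 and TDES cipher suites, and notes where TLS v1.3 is not yet enabled. The sample configuration, host names and finding labels are constructed for illustration.

```python
import re

# Constructed sample nginx configuration (not from the original article).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name shop.example.com;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # legacy defaults
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL;
}
server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:!3DES:!aNULL;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1"}   # SSL v3 and TLS v1.0 per the checklist
TDES = re.compile(r"3DES|DES-CBC3")         # OpenSSL names for TDES suites
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);")

def audit(conf_text):
    """Return (line_number, finding, detail) tuples for weak TLS settings."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(raw.split("#", 1)[0])  # ignore trailing comments
        if not match:
            continue
        name, value = match.group(1), match.group(2).strip().strip("'\"")
        if name == "ssl_protocols":
            protocols = value.split()
            for proto in protocols:
                if proto in DEPRECATED_PROTOCOLS:
                    findings.append((lineno, "deprecated-protocol", proto))
            if "TLSv1.3" not in protocols:
                findings.append((lineno, "tls13-not-enabled", ""))
        else:
            for token in re.split(r"[:,\s]+", value):
                # "!" and "-" prefixes exclude a cipher, so they are not findings
                if token and token[0] not in "!-" and TDES.search(token):
                    findings.append((lineno, "tdes-cipher", token))
    return findings

if __name__ == "__main__":
    for lineno, finding, detail in audit(SAMPLE_CONF):
        print(f"line {lineno}: {finding} {detail}".rstrip())
```

A static check like this complements an external scan of the live interface, since the configuration on disk and what the server actually negotiates can differ.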
Encryption is difficult for the experts to get right; this is why we've had KRACK, POODLE, Heartbleed, BEAST and so on. While encryption, properly implemented, can provide excellent security, advances in attack sophistication must also push us to be flexible in implementation and ready for change.