Foregenix Blog

Andrew McKenna

Your Encryption Checklist


12/01/18 10:14



Encryption is one of the foundations of keeping data secure: if an attacker can't read the information they've stolen, it's useless to them. Storing unencrypted cardholder data anywhere in your website is asking for trouble. Attackers know what to look for and where to find it, so you need to make sure the data is encrypted wherever it is stored or transmitted.

Based on real and potential weaknesses identified in existing security protocols, as well as industry guidance on algorithms, here are some things to bear in mind when planning your business's encryption for 2018.

✓ SSL v3 and TLS v1.0 are deprecated and should be disabled on all public interfaces; for PCI DSS, the deadline for migrating away from SSL and early TLS is 30 June 2018. I suggest using https://www.ssllabs.com to test your interfaces, and testing again after any change to the web server, load balancer or TLS-terminating appliance, since configuration drift re-enables old protocols more often than you'd expect.

✓ TLS v1.1 and v1.2 are unlikely to be impervious to future attacks, so being prepared for TLS v1.3 is a good idea. It isn't generally available in browsers yet, but you should start testing it now as part of your standard development lifecycle, and you should check that nothing in your estate (proxies, inspection devices, older client libraries) breaks when a 1.3 handshake appears.

✓ Double-length TDES, that is TDES with a 128-bit key (112 bits excluding parity bits), is not considered strong encryption: NIST rates two-key TDES at roughly 80 bits of security strength. It is only acceptable when used under the Derived Unique Key Per Transaction (DUKPT) scheme, where each transaction uses a fresh key and no single key protects much data.

✓ The caveat to the above is that NIST is deprecating TDES in general (https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA) and urges all users of TDES to migrate to AES as soon as possible; the 64-bit block size limits how much data one TDES key can safely protect, and NIST's revised SP 800-67 caps a single key at 2^20 blocks. Therefore, if you are currently developing a solution that implements encryption, default to AES; and if you are using any TDES keys for data encryption or key encryption, review your technical options and possible timelines for migration to stronger keys.

✓ Lastly, a lot of encryption is implemented to satisfy compliance requirements without appropriate consideration of security. Transparent encryption, where sensitive data is encrypted at rest but is decrypted automatically for any process or account that can reach it, probably doesn't provide the level of security you would like: an attacker who compromises the application or the database account sees plaintext, exactly as the application does. For your security and the security and privacy of your customers, it's worth reviewing the protections around sensitive data, including who and what can decrypt it.
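One way to run the first two checks yourself, as an added example that is not from the original post and not Foregenix's tooling: the script below pins a Python `ssl` client to one protocol version at a time, records what the server negotiates, and turns the result into the checklist's action items. The host name is an assumption (pass your own interface); the `@SECLEVEL=0` cipher string is only there so an OpenSSL 3 client can still offer the old versions for the probe. It complements rather than replaces the SSL Labs test.

```python
"""Probe which SSL/TLS protocol versions a public interface accepts and turn
the answer into checklist findings. Added example; not the post's own code."""
import socket
import ssl

# Protocol versions in checklist order; names match ssl.TLSVersion members
# and the ssl.HAS_* capability flags.
PROBE_ORDER = ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")
# Deprecated on public interfaces per the checklist (SSL v3, TLS 1.0) plus
# TLS 1.1, which offers nothing over 1.2 and is being retired with 1.0.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1_1"}


def probe_version(host, port, version_name, timeout=5.0):
    """Handshake with the server pinned to exactly one protocol version.

    Returns True if the server negotiates it, False if it refuses, and None
    if the local OpenSSL build cannot even offer that version (this client
    cannot tell you anything about that row; use another client for it).
    """
    if not getattr(ssl, "HAS_" + version_name, False):
        return None
    version = getattr(ssl.TLSVersion, version_name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we test protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        # OpenSSL 3 blocks TLS 1.0/1.1 at its default security level; lower
        # it for the probe only. Never do this in a production context.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, ConnectionError, socket.timeout):
        return False     # alert, reset or silence all mean "not negotiated"


def probe_host(host, port=443):
    """Map each protocol version to True / False / None for one interface."""
    return {name: probe_version(host, port, name) for name in PROBE_ORDER}


def findings(results):
    """Turn a probe_host() result into the checklist's action items."""
    items = []
    for name in PROBE_ORDER:
        if name in DEPRECATED and results.get(name):
            items.append(f"{name} enabled: disable it on public interfaces")
    if not results.get("TLSv1_2") and not results.get("TLSv1_3"):
        items.append("no modern TLS version accepted: clients will fail or downgrade")
    if results.get("TLSv1_3") is False:
        items.append("TLS 1.3 not enabled: add it to the test plan")
    unknown = [n for n in PROBE_ORDER if results.get(n) is None]
    if unknown:
        items.append("not testable from this client: " + ", ".join(unknown))
    return items


if __name__ == "__main__":
    import sys
    # Assumed target; supply your own public interface as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    report = probe_host(target)
    for name in PROBE_ORDER:
        print(f"{name:8} {report[name]}")
    for item in findings(report) or ["no findings"]:
        print("-", item)
```

Run it with the host name as the first argument. A `None` row means your own OpenSSL could not offer that version, not that the server refused it, which is exactly the case where a remote test such as SSL Labs is the more reliable check.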

Encryption is difficult even for the experts to get right; this is why we've had KRACK, POODLE, Heartbleed, BEAST and so on. While encryption, properly implemented, can provide excellent security, advances in attack sophistication mean we must stay flexible in how we implement it and be ready to change algorithms, protocol versions and key sizes when the guidance moves.





Tags: Encryption

