AES encryption and key storage
Posted: Tue Aug 31, 2010 12:02 pm
We are working on the use of the Xbase++ AES encryption for certain fields related to credit card data. I have been reading a lot about keys and salts and the addition of random info to data to improve the quality of the encrypted data, especially when the first 8 characters of the 16-digit credit card numbers can be the same for a lot of accounts.
PCI requirements are in play.
Questions:
1. What is the best way to handle keeping the key secret, given dual-person access rules? Some people have compiled it into their programs via a header file that is access controlled. Others have split the key and loaded it from different sources in real time. Some have hidden the key within other data.
What are suggestions that others have found to be reliable and pass PCI audit requirements?
2. Has anyone used the cryptoapi library from di-mgt.com.au, and does anyone have wrappers for it? I thought I read something on the newsgroup regarding this tool and wrappers to the PKI version of the library but cannot find the information now.
3. di-mgt.com.au has a paper on "Encrypting credit card numbers in a database" that talks about using a fresh "IV" each time credit card information is saved or updated. Is this something that others generally use, and are there any suggestions on the best way to use it?
Thanks for any thoughts on this subject.
Cliff.
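The two cryptographic points in questions 1 and 3 above (split knowledge of the key, and a fresh IV for every save) are easy to demonstrate in code. The following is an added example written for this page, not code from the original post, from Xbase++ or from the di-mgt library; it uses Go's standard library instead. The key, the key shares and the card number are all constructed values for the demo. It contrasts the deterministic pattern the paper warns against (CBC with one fixed IV for every record, so equal plaintexts give equal ciphertexts) with AES-GCM using a random nonce stored in front of each record, and shows a simple XOR key split so that no single custodian holds the whole key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte key (AES-256) for this example only.
// A real data-encrypting key would come from a key manager or HSM, never from source.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// splitKey implements "split knowledge": shareA is random, shareB = key XOR shareA.
// Each custodian holds one share; neither share alone reveals anything about the key.
func splitKey(key []byte) (shareA, shareB []byte, err error) {
	shareA = make([]byte, len(key))
	if _, err = io.ReadFull(rand.Reader, shareA); err != nil {
		return nil, nil, err
	}
	shareB = make([]byte, len(key))
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// combineShares rebuilds the key in memory at runtime from the two shares.
func combineShares(shareA, shareB []byte) ([]byte, error) {
	if len(shareA) != len(shareB) {
		return nil, errors.New("share length mismatch")
	}
	key := make([]byte, len(shareA))
	for i := range shareA {
		key[i] = shareA[i] ^ shareB[i]
	}
	return key, nil
}

// encryptFixedIV is the weak pattern: CBC with the same all-zero IV for every record.
// Input must be block-aligned; a 16-digit PAN in ASCII is exactly one AES block.
// The same PAN always produces the same ciphertext, so equality of card numbers leaks.
func encryptFixedIV(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block-aligned")
	}
	iv := make([]byte, aes.BlockSize) // fixed IV reused across records
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// sealRecord is the recommended pattern: a fresh random nonce for every save,
// stored in front of the ciphertext so it can be recovered on read. AES-GCM also
// authenticates the ciphertext, so a modified record is rejected on decrypt.
func sealRecord(key, pan []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pan, nil), nil // layout: nonce || ciphertext || tag
}

// openRecord splits off the stored nonce and decrypts, failing on any tampering.
func openRecord(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	pan := []byte("4111111111111111") // constructed test card number
	a, _ := encryptFixedIV(demoKey, pan)
	b, _ := encryptFixedIV(demoKey, pan)
	fmt.Println("fixed IV, same PAN twice, identical ciphertext:", bytes.Equal(a, b))
	r1, _ := sealRecord(demoKey, pan)
	r2, _ := sealRecord(demoKey, pan)
	fmt.Println("fresh nonce, same PAN twice, identical ciphertext:", bytes.Equal(r1, r2))
	p, err := openRecord(demoKey, r1)
	fmt.Println("decrypted:", string(p), "err:", err)
	r1[len(r1)-1] ^= 1 // flip one bit of the tag
	_, err = openRecord(demoKey, r1)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The nonce does not need to be secret, only unique per encryption under a given key, which is why storing it in the clear next to the ciphertext is fine. The XOR split is the simplest form of key components; the combined key should live only in process memory and the two shares should be loaded from separately controlled locations.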