Posts about:
NIST recently published a document "Transitioning the Use of Cryptographic Algorithms and Key Lengths" which formalizes the sunset of Triple DES by the end of 2023. Afterwards it will only be recommended for legacy use which means decryption only.
Last month NIST announced they were seeking feedback on a proposed updated guidance for FPE. More formally this is SP 800-38G rev 1 "Recommendation for Block Cipher...
Now is the time to stop using 64-bit block length ciphers such as 3DES (TDEA) and Blowfish in general purpose applications of cryptography. In 2016, an attack was...
Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES they've issued a news release that one of the approved modes has been broken. Since FPE is actively deployed within the payment industry this will have implications for payment security and users of this technology. But how bad is the problem? And if you happen to be affected, what can you do?
The Internet and mainstream media has been ablaze with articles and opinion pieces about the dispute between the FBI and Apple over an iPhone used by one of the San Bernardino terrorists. The issue has polarized public opinion and drawn attention to longstanding tensions over access by law enforcement. The issue is complex and the implications are far reaching. The resulting debate is a good thing because it makes us think.
If you’ve been struggling with keeping up with various SSL vulnerabilities and planning an orderly cutover to TLS then the recent announcement by the PCI Council has extending the sunset date for the transition from SSL to TLS 1.1 and 1.2 should come as welcome relief.
Previously we looked at Format Preserving Encryption (FPE) its characteristics and suitability for application in solutions intended for PCI DSS. To recap, FPE is an...
The PCI Security Standards Council today published the expected update to PCI releasing these documents including some specific migration guidance:
The PCI council has released an announcement that they are preparing an updated version of the PCI DSS (v3.1) and PA-DSS (v3.1), where they will be detailing several clarifications and changes to requirements. One of the major changes that will be included in v3.1 is that all versions of SSL are no longer considered acceptable as “strong cryptography”. The bulletin from the council states that adherence to PCI DSS v3.1 and PA-DSS v3.1 standard will be immediate with future-dated requirements to allow organizations time to implement changes.
Format Preserving Encryption or FPE is recent technology that is beginning to show up in payment solutions with the promise of simplifying PCI DSS compliance. If you...