"Target ... said the PINs are 'strongly encrypted'"
Take this with a huge grain of salt. White hat analysis of the hacked Adobe database shows that "strong encryption" is only a very small piece of the puzzle for securely storing sensitive data.
Article suggests that only a third party payment processor holds the key, yet also claims that the encryption algorithm is Triple DES. Either whatever's doing the encryption also has the key, or there's a random symmetric key for each entry that's encrypted using the payment processor's public key in some extra scheme that isn't explained in the article. That would explain why they're talking about a "decryption" key as a separate thing. (In the latter case, the thing doing the encryption technically also has the key; that's hard to avoid with a symmetric algorithm such as 3DES; but one would hope that the system doing the encryption would forget about that key ASAP :))
From what I understand, PCI mandates that at least the terminals all have their own (re-used) encryption keys; but that wouldn't fit with their story that the "key never existed within their systems"; unless that's them being a bunch of weasels due to a technicality (perhaps they themselves do not actually own the terminals?)
Is there a source with more technical details available?
That was exactly my thought: you can't say "triple-DES encryption" and "we don't have the key." Saying that they delete it afterwords gives little comfort, especially considering that their infrastructure has been compromised.
3 comments
[ 2.9 ms ] story [ 17.5 ms ] threadTake this with a huge grain of salt. White hat analysis of the hacked Adobe database shows that "strong encryption" is only a very small piece of the puzzle for securely storing sensitive data.
From what I understand, PCI mandates that at least the terminals all have their own (re-used) encryption keys; but that wouldn't fit with their story that the "key never existed within their systems"; unless that's them being a bunch of weasels due to a technicality (perhaps they themselves do not actually own the terminals?)
Is there a source with more technical details available?