  1. Jeff Man
    May 21, 2014 @ 3:44 pm

    Key Management is the absolute, fundamental, essential element in protecting all encrypted communications for the simple fact that it’s almost always easier to steal the keys than to break the algorithm. Effective Key Management is HARD!!! World governments and military powers struggle to do it effectively, so I have never been terribly confident that the commercial sector could pull it off any better. There was a time a few short years ago when the PCI Council pointed to ISO/ANSI standards for encrypting PIN pads but pointed to NIST Special Publication standards for the PCI DSS standards (hint: they didn’t agree on what constituted a robust algorithm). This became problematic at the beginning of the P2PE standard – because many vendors were applying the same algorithms used to encrypt debit PINs to encrypting PANs – and often with a crypto-algorithm (2TDEA to be exact) that was acceptable for the former but not the latter. Of course, all of that is moot if you can steal the key in the first place…
