Strong cryptography in PCI PA-DSS


In the PCI PA-DSS document, the phrase "strong cryptography" is repeated many times, but I have not found a clear definition of it. Is there a PCI document or standard for this?

asked anonymously 22.11.2015 - 06:02

1 answer


As the document told you:

Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for definitions of “strong cryptography” and other PCI DSS terms.

Reading that document, we see that it is (v3.1):

Cryptography based on industry-tested and accepted algorithms, along with strong key lengths (minimum 112-bits of effective key strength) and proper key-management practices. Cryptography is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible, or “one way”). See Hashing

At the time of publication, examples of industry-tested and accepted standards and algorithms include AES (128 bits and higher), TDES/TDEA (triple-length keys), RSA (2048 bits and higher), ECC (224 bits and higher), and DSA/D-H (2048/224 bits and higher). See NIST Special Publication 800-57 Part 1 for more guidance on cryptographic key strengths and algorithms.

Note: The above examples are appropriate for persistent storage of cardholder data. The minimum cryptography requirements for transaction-based operations, as defined in PCI PIN and PTS, are more flexible as there are additional controls in place to reduce the level of exposure. For example, double length TDES keys used in unique key per transaction implementations as defined in ISO 11568 for key derivation or transformation (e.g., DUKPT) are considered to provide an equivalent level of strong cryptography because a single unique key is generated for each transaction.

It is recommended that all new implementations use a minimum of 128-bits of effective key strength.

answered 22.11.2015 - 07:48
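The glossary thresholds quoted in the answer, turned into a small policy check (an added example, not code from the question, the answer or PCI SSC; the per-algorithm strength ratings are taken from NIST SP 800-57 Part 1 Table 2, which the glossary references, and the `dukpt_transaction` flag is an assumed parameter for the glossary's transaction-context exception):

```python
"""Check a cipher/key configuration against the PCI DSS "strong cryptography" definition
quoted above (112-bit minimum effective strength, 128-bit recommended). Strength ratings
follow NIST SP 800-57 Part 1 Table 2. Added example, not PCI SSC or NIST code."""
from typing import NamedTuple

PCI_MINIMUM_BITS = 112      # "minimum 112-bits of effective key strength"
PCI_RECOMMENDED_BITS = 128  # "new implementations use a minimum of 128-bits"
# SP 800-57 Table 2: (minimum key size, comparable security strength). RSA/DSA/D-H are
# rated by modulus size here; the DSA/D-H subgroup size (the "224") is not modelled.
_RSA_LEVELS = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
_ECC_LEVELS = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]
_TDES = ("TDES", "TDEA", "3DES")

def _floor_level(levels, size):
    """Highest rated strength whose minimum key size `size` reaches (0 if none)."""
    return max((bits for min_size, bits in levels if size >= min_size), default=0)

def effective_strength(alg, key_bits):
    """Comparable security strength in bits per SP 800-57 Part 1; 0 = unrated/unknown."""
    alg = alg.upper()
    if alg == "AES":
        return key_bits if key_bits in (128, 192, 256) else 0
    if alg in _TDES:
        # key_bits is the total key length: 112 = double-length (2TDEA, rated 80 bits),
        # 168 = triple-length (3TDEA, rated 112 bits; the glossary's "triple-length keys")
        return {112: 80, 168: 112}.get(key_bits, 0)
    if alg in ("RSA", "DSA", "DH"):
        return _floor_level(_RSA_LEVELS, key_bits)
    if alg in ("ECC", "ECDSA", "ECDH"):
        return _floor_level(_ECC_LEVELS, key_bits)
    return 0

class Verdict(NamedTuple):
    strong: bool
    effective_bits: int
    reason: str

def check_pci_strong(alg, key_bits, dukpt_transaction=False):
    """Apply the glossary: >= 112-bit effective strength for persistent storage; double-length
    TDES is accepted only in unique-key-per-transaction (DUKPT, ISO 11568) use."""
    bits = effective_strength(alg, key_bits)
    if alg.upper() in _TDES and key_bits == 112:
        if dukpt_transaction:
            return Verdict(True, bits, "double-length TDES accepted under DUKPT per glossary note")
        return Verdict(False, bits, "double-length TDES needs triple-length keys for storage")
    if bits < PCI_MINIMUM_BITS:
        return Verdict(False, bits, f"{bits}-bit effective strength is below the 112-bit minimum")
    if bits < PCI_RECOMMENDED_BITS:
        return Verdict(True, bits, "meets the 112-bit minimum; 128 bits recommended for new work")
    return Verdict(True, bits, "meets the recommended 128-bit level")
```

Run it over an inventory of key configurations (algorithm, total key bits, whether the key is a per-transaction DUKPT key) to flag everything that the glossary would not accept for persistent storage of cardholder data.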
