Data exchange between entities is the heart of any meaningful service between organizations. This data exchanged between entities may be sensitive mandating ways of securing it during and beyond transit. The method of disguising data in a way as to hide its substance is called encryption. In course of our service, we have a need to exchange large volumes of data with our providers, we exchange this data in safe, secure manner as governed by PCI DSS and ACS requirements.
PCI ACS Requirements v2.0 mandates that cardholder data at rest or in transit must always be encrypted, in certain cases using secure cryptographic devices. CA complies and forces the principle of split knowledge by enforcing dual control on all cardholder data.
All such data is always transmitted over a secure channel, either by means of sFTP (secure file transfer protocol), VPN (Virtual private network) or SSL (secure socket layer) channel. Data itself is encrypted using strong encryption.
Basics of encryption
There are two forms of encryption; symmetric encryption and asymmetric encryption.
In this scenario, the same key is used for encryption and decryption of the message. The message is encrypted with a key, usually a passphrase, that is shared out of band with the person who would use it to decrypt the message. This method of encryption has a risk of getting compromised if the file falls into wrong hands. There are a number of software solutions available that would try combinations of characters to guess and crack the key, method known as brute force attack, thereby introducing a big risk in transferring files using such method of encryption across entities.
In case such method must be used, it is recommended that the passphrase should be atleast 25 characters long and must include special characters; This file should be deleted from the source and destination as soon as possible and must be transmitted across safe channels.
Most commonly used software for such method of encryption is Winzip, 7zip, WinRAR, and PGPencrypt. PGPencrypt creates a binary file encrypted using a passphrase that can only be decrypted if the correct passphrase is provided. None of these methods prevent against brute force attacks.
Asymmetric encryption uses a pair of keys instead of a single key, it uses the public key for encryption and a private key for decryption. The main advantage of this encryption is that anyone can share data with you using your public key, but no one except you can decrypt data unless they have the private key.
It is statistically infeasible to deduce the private key from the public key, such risks can further be reduced by increasing the key size used for exchange. The cornerstone of this type of encryption is the private key, as such; this private key should not leave the physical location on where it was generated. In order to reduce risks further, it is recommended to use a hardware security module to hold this private key for organizations where this key is very critical.
How PGP works
PGP is a form of Asymmetric encryption system. In the case of PGP, when a user encrypts plaintext with PGP, PGP first compresses the plaintext. Data compression provides three main advantages
- Reduce filesize of the file being transmitted
- Reduce patterns in the text to make brute force difficult
- Strengthen cryptographic security.
PGP then creates a session key, which is a one-time-only secret key. This key is a random number generated from the random movements of your mouse and the keystrokes you type. This session key works with a very secure, fast conventional encryption algorithm to encrypt the plaintext; the result is ciphertext. Once the data is encrypted, the session key is then encrypted with the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.
Decryption works in the reverse. The recipient's copy of PGP uses his or her private key to recover the temporary session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.
Process of PGP encryption
PGP encryption has three distinct phases
- Key Exchange: In this phase, the recipient shares his/her public key with the transmitter.
- Key trust: The recipient imports the key in his/her key store. Once the import is complete, most software’s will indicate if the key is usable and/or there’s a problem with the key exchange. After import, the recipient also establishes a trust, whereby it indicates to the PGP software that this key can be trusted to send data.
- Test transfer: A small file is encrypted and signed using the public key of the recipient. This ensures that the data was encrypted with the right key and the recipient was able to decrypt the data.
Once the exchange process is complete, these keys can be used to exchange data.
PGP Key guidelines
In order to reduce the risk of decipherment by an unauthorized party, the key size used must be very high. At this time, it is recommended that we use a minimum of 2048 bit key and preferably a 3072 bit key. Some software’s have a limitation of max keysize that they can use, and usually varies based on the version of the software. Most software’s are able to use atleast 2048 bit keys.
There are a number of options available in the market that provide PGP functionality, however, there are two most commonly used. These two are
GnuPG is a complete and free implementation of the OpenPGP standard. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. GnuPG is Free Software. It can be freely used, modified and distributed under the terms of the GNU General Public License.
This software can be downloaded from their website at https://www.gnupg.org/
PGP Command Line from Symantec
This is commercially available PGP software from Symantec. Although there are five options for encryption using PGP from Symantec, the bare minimum needed is this command line option. This is full featured PGP encryption software that allows us to encrypt and decrypt files using PGP.
More information on PGP command line from Symantec is available on their website at http://www.symantec.com/products-solutions/families/?fid=encryption This particular version is at http://www.symantec.com/command-line/?fid=encryption
Other options available in the market are
- Glück & Kanja