Criptografía, métodos de cifrado y hashing: cómo las empresas PCI almacenamos datos de forma segura

Expert post

Andrés de la Cruz, Web Developer at PaynoPain

 

In a business sector such as fintech, where a huge amount of personal data is stored and manipulated, security is a decisive factor and must not only be taken into account, but must be used consistently.

The most important data that a user trusts when making an online payment are those related to their debit or credit card. Information that companies like PaynoPain store in order to offer services such as returns, monthly charges, purchases with a single click, etc. This data can’t be stored in any way: this data must be encrypted. We enter fully into cryptography.

 

What is cryptography?

It’s the science that makes use of mathematical methods and tools with the main objective of encrypting, and therefore protecting, a message or file by means of an algorithm, using two or more keys, to obtain in some cases the confidentiality, in others authenticity or both simultaneously. It consists in the conversion of data into a code encoded to be illegible.

In other words, we transform a message into something intelligible that we can only read if we have the secret key. It can also be a pdf, an email, a multimedia file, etc.

Cryptography is not something modern and doesn’t have to be computerized. Already in the Roman times of Julius Caesar, different methods were used so that the documents that were transported by messengers couldn’t be understood by anyone.

Cifrado César

In the so-called César cipher the letters were coded by moving the corresponding letter a number of times in the alphabet. In the image we can see a displacement of 3 letters.

In this way, the word PAYNOPAIN would be encrypted as: SDBPRSDLP.

As the story progresses, the mathematical calculations for encryption have become incredibly complex and varied, while the power of computers has been increasing. This means that some encryption methods are no longer safe, because a computer can find the secret key in a short time. It also means that choosing how to encrypt the data is essential and that the excess of information in these cases can make you choose a bad encryption method. But before continuing, we should differentiate when to encrypt and when not.

 

When do you have to encrypt? Encrypt or hash?

Before the boom of online payments, the most important data that all web platforms should keep were users passwords. The passwords are secret and nobody except the users should know them. This means that it’s a data that should not be recovered.

Many companies use encryption methods for passwords that by their own use, as we have seen previously with César encryption, allow to recover the original content of the message.

Passwords are a bad example of using encryption. For the occasions in which the content shouldn’t be able to be recovered are the so-called hashing methods.

Hashing a message is also to make it intelligible, but with the peculiarity that the resulting message doesn’t contain the original.

Encrypted hashing

 

However, for credit and debit cards data must necessary to be used encryption and it’s something so critical that there are standards that regulate which and how data should be encrypted. We’re talking about the PCI DSS (Payment Card Industry Data Security Standard) standard that allows companies to operate with this information. At PaynoPain we have this certification and we renew it annually.

 

Encryption methods

Choosing an encryption method is always an important decision and the different methods must be analyzed before taking it. The PCI standard maintains a list of recommended methods that will be updated as new ones are developed.

Next, we review some of the best known ciphers and their technical specifications:

DES: 52 bit stream encryption standard used in 1976. The 56 bit string is very short, so it’s able to commit in less than 24 hours.

    • Key length: 52 bits.
    • Block size: No

TDES: Also known as 3DES or TripleDES, an improvement of DES that makes it more secure.

  • Key length: 192 bits.
  • Block size: No

AES: The algorithm most used today. Based on substitutions, permutations and linear transformations, executed in several times in blocks of data.

  • Key length: 128, 192 and 256 bits.
  • Block size: 128 bits.

Rindjael: It’s a block symmetric encryption algorithm, standard for use in AES.

  • Key length: Variable multiple of 4 bytes: 128, 192 and 256 bits.
  • Block size: Multiple variable of 4 bytes: 128, 192 and 256 bits.

Blowfish: It’s a symmetric block encoder included in a large number of sets of encoders and encryption products.

  • Key length: Variable: from 32 to 448 bits.
  • Block size: 64 bits.

In a sector as growing as fintech, being up to date on security is a must with users. From PaynoPain we recommend users to only buy at websites that offer guarantees and to look for the stamps that certify security certifications such as PCI.

Comments are closed.