Enhancing Security: PAN Removal and Secure Hashing - II

III. Keyed Cryptographic Hashing Algorithms:

To augment the security of hashed PANs, organizations can employ keyed cryptographic hashing algorithms. These algorithms incorporate a randomly generated secret key into the hashing process, which significantly strengthens protection against brute-force attacks and lets the integrity and authenticity of the hashed value be verified by anyone holding the key.

HMAC (Hash-based Message Authentication Code):

HMAC is a widely used keyed cryptographic hashing algorithm that combines cryptographic hash functions with a secret key. It provides a robust mechanism to verify the integrity and authenticity of data. HMAC employs a specific hash function, such as SHA-256, along with a secret key, to generate a unique hash value for each PAN.

The process of computing an HMAC involves the following steps:

a) Message Padding: The PAN is padded to ensure a consistent length, as required by the hash function.

b) Key Padding: The secret key is also padded to match the block size of the underlying hash function.

c) Inner Hash: The padded secret key is XORed with a predefined inner padding value, and the result is concatenated with the padded PAN. The concatenated data is then hashed using the chosen hash function.

d) Outer Hash: The hashed result from the inner hash step is concatenated with the padded secret key XORed with a predefined outer padding value. The combined data is hashed again using the chosen hash function.

The final output of the HMAC process is the unique hash value that represents the PAN's integrity and authenticity. Verifying the integrity of a PAN involves re-computing the HMAC using the stored secret key and comparing the generated hash value with the stored hash value.
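The HMAC steps above, written out for SHA-256 as an added example (not code from the original article). In RFC 2104 the padded key comes first in both the inner and the outer hash, and the PAN needs no separate padding because SHA-256 pads its own input. DEMO_KEY, the test PAN, the 13 to 19 digit check and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

BLOCK_SIZE = 64                      # SHA-256 block size in bytes
DEMO_KEY = bytes(range(32))          # constructed demo key; load real keys from key management
DEMO_PAN = "4111 1111 1111 1111"     # constructed test card number

def normalize_pan(pan: str) -> bytes:
    """Drop separators so the same card always hashes to the same value."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:  # assumed length range for this example
        raise ValueError("unexpected PAN length")
    return digits.encode("ascii")

def hmac_sha256_manual(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 step by step, following RFC 2104."""
    # Key padding: hash over-long keys, then zero-pad to the block size.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    # Inner hash: H((K xor ipad) || message), ipad = 0x36 repeated.
    inner_key = bytes(b ^ 0x36 for b in key)
    inner = hashlib.sha256(inner_key + message).digest()
    # Outer hash: H((K xor opad) || inner), opad = 0x5c repeated.
    outer_key = bytes(b ^ 0x5C for b in key)
    return hashlib.sha256(outer_key + inner).digest()

def hash_pan(key: bytes, pan: str) -> str:
    """Production path: use the standard library, not the manual version."""
    return hmac.new(key, normalize_pan(pan), hashlib.sha256).hexdigest()

def verify_pan(key: bytes, pan: str, stored_hex: str) -> bool:
    """Recompute and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(hash_pan(key, pan), stored_hex)

if __name__ == "__main__":
    stored = hash_pan(DEMO_KEY, DEMO_PAN)
    print("keyed hash :", stored)
    print("verifies   :", verify_pan(DEMO_KEY, "4111111111111111", stored))
    print("wrong key  :", verify_pan(b"\x01" * 32, DEMO_PAN, stored))
```

Without the key, the stored value cannot be recomputed from a guessed PAN, which is what separates this from a plain SHA-256 of the card number.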

CMAC (Cipher-based Message Authentication Code):

CMAC is another keyed cryptographic hashing algorithm that provides enhanced security by preventing known-plaintext attacks. It is based on a block cipher, such as AES (Advanced Encryption Standard), and employs a secret key to generate a message authentication code.

The process of computing a CMAC involves the following steps:

a) Initialization: The CMAC algorithm initializes the block cipher with the secret key, setting up the initial state.

b) Message Processing: The PAN is processed block by block using the block cipher's encryption function, incorporating the secret key and the previous block's result.

c) Padding: If the PAN length is not a multiple of the block size, padding is applied to ensure a complete block.

d) Finalization: The final block is processed using the block cipher, producing the CMAC value.

Similar to HMAC, verifying the integrity of a PAN using CMAC involves re-computing the CMAC value and comparing it to the stored value.

GMAC (Galois Message Authentication Code):

GMAC is a keyed cryptographic hashing algorithm primarily used in authenticated encryption schemes, providing both confidentiality and integrity assurances. It employs a secret key, a nonce (a unique number used once), and a message to generate a MAC (Message Authentication Code) that guarantees data integrity and authenticity.

The process of computing a GMAC involves the following steps:

a) Initialization: The GMAC algorithm initializes the Galois field, incorporating the secret key.

b) Message Processing: The PAN, along with the nonce, is processed block by block using the Galois field multiplication and addition operations.

c) Finalization: The final GMAC value is generated by processing the last block and incorporating the final Galois field calculations.

GMAC enables the recipient of the PAN to validate the integrity and authenticity of the data by re-computing the GMAC value using the received PAN, the same secret key, and the nonce.
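The CMAC and GMAC sections above, as an added example (not code from the original article) using the third-party Python `cryptography` package. GMAC is computed here as AES-GCM over an empty plaintext with the PAN as associated data; DEMO_KEY, DEMO_PAN, the nonces and the function names are constructed for illustration.

```python
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import cmac
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

DEMO_KEY = bytes(range(16))          # constructed AES-128 key, demo only
DEMO_PAN = b"4111111111111111"       # constructed test card number

def cmac_pan(key: bytes, pan: bytes) -> bytes:
    """AES-CMAC: deterministic 16-byte tag for a given key and PAN."""
    mac = cmac.CMAC(algorithms.AES(key))
    mac.update(pan)
    return mac.finalize()

def cmac_verify(key: bytes, pan: bytes, tag: bytes) -> bool:
    """Recompute the CMAC; the library compares in constant time."""
    mac = cmac.CMAC(algorithms.AES(key))
    mac.update(pan)
    try:
        mac.verify(tag)
        return True
    except InvalidSignature:
        return False

def gmac_pan(key: bytes, nonce: bytes, pan: bytes) -> bytes:
    """GMAC: GCM with no plaintext, so the output is only the 16-byte tag.
    The nonce must never repeat under the same key."""
    return AESGCM(key).encrypt(nonce, b"", pan)

def gmac_verify(key: bytes, nonce: bytes, pan: bytes, tag: bytes) -> bool:
    """The verifier needs the same key AND the same nonce as the sender."""
    try:
        AESGCM(key).decrypt(nonce, tag, pan)
        return True
    except InvalidTag:
        return False

if __name__ == "__main__":
    n1, n2 = b"\x00" * 11 + b"\x01", b"\x00" * 11 + b"\x02"  # constructed nonces
    print("CMAC         :", cmac_pan(DEMO_KEY, DEMO_PAN).hex())
    print("GMAC nonce 1 :", gmac_pan(DEMO_KEY, n1, DEMO_PAN).hex())
    print("GMAC nonce 2 :", gmac_pan(DEMO_KEY, n2, DEMO_PAN).hex())
```

Because the GMAC tag changes with every nonce, it authenticates a PAN in transit but cannot act as a stable stored lookup value the way an HMAC or CMAC of the PAN can.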


In an era where data breaches and unauthorized access pose significant threats to organizations and their customers, implementing robust data security measures is crucial. Cleartext PAN removal serves as a critical defense-in-depth control, ensuring that stored PANs remain protected even in the event of an unauthorized breach. By encrypting or hashing PANs, organizations mitigate the risk of exposing sensitive data to unauthorized individuals.

Furthermore, secondary independent control systems, including cryptographic key management and governance frameworks, bolster the overall security posture. These systems ensure that access to cryptographic and decryption keys is tightly controlled, reducing the likelihood of unauthorized access and misuse.

Keyed cryptographic hashing algorithms, such as HMAC, CMAC, and GMAC, provide an additional layer of security by incorporating randomly generated secret keys. These algorithms resist brute force attacks and enhance the integrity and authenticity of hashed PANs.

By adopting these practices, organizations demonstrate a commitment to data security, safeguarding sensitive information and maintaining the trust of their customers and stakeholders. It is imperative to continually reassess and update data security measures to stay ahead of evolving threats and ensure the long-term protection of valuable data assets.
