III. Keyed Cryptographic Hashing Algorithms :
To augment the security of hashed PANs, organizations can employ keyed cryptographic hashing algorithms. These algorithms incorporate a randomly generated secret key into the hashing process, significantly enhancing data protection against brute force attacks and ensuring secret authentication integrity.
HMAC (Hash-based Message Authentication Code):
HMAC is a widely used keyed cryptographic hashing algorithm
that combines cryptographic hash functions with a secret key. It provides a
robust mechanism to verify the integrity and authenticity of data. HMAC employs
a specific hash function, such as SHA-256, along with a secret key, to generate
a unique hash value for each PAN.
The process of computing an HMAC involves the following
a) Message Padding: The PAN is padded to ensure a consistent
length, as required by the hash function.
b) Key Padding: The secret key is also padded to match the
block size of the underlying hash function.
c) Inner Hash: The padded secret key is XORed with a
predefined inner padding value, and the result is concatenated with the padded
PAN. The concatenated data is then hashed using the chosen hash function.
d) Outer Hash: The hashed result from the inner hash step is
concatenated with the padded secret key XORed with a predefined outer padding
value. The combined data is hashed again using the chosen hash function.
The final output of the HMAC process is the unique hash
value that represents the PAN's integrity and authenticity. Verifying the
integrity of a PAN involves re-computing the HMAC using the stored secret key
and comparing the generated hash value with the stored hash value.
CMAC (Cipher-based Message Authentication Code):
CMAC is another keyed cryptographic hashing algorithm that provides enhanced security by preventing known-plaintext attacks. It is based on a block cipher, such as AES (Advanced Encryption Standard), and employs a secret key to generate a message authentication code.
The process of computing a CMAC involves the following
a) Initialization: The CMAC algorithm initializes the block
cipher with the secret key, setting up the initial state.
b) Message Processing: The PAN is processed block by block
using the block cipher's encryption function, incorporating the secret key and
the previous block's result.
c) Padding: If the PAN length is not a multiple of the block
size, padding is applied to ensure a complete block.
d) Finalization: The final block is processed using the
block cipher, producing the CMAC value.
Similar to HMAC, verifying the integrity of a PAN using CMAC involves re-computing the CMAC value and comparing it to the stored value.
GMAC (Galois Message Authentication Code):
GMAC is a keyed cryptographic hashing algorithm primarily used in authenticated encryption schemes, providing both confidentiality and integrity assurances. It employs a secret key, a nonce (a unique number used once), and a message to generate a MAC (Message Authentication Code) that guarantees data integrity and authenticity.
The process of computing a GMAC involves the following
a) Initialization: The GMAC algorithm initializes the Galois
field, incorporating the secret key.
b) Message Processing: The PAN, along with the nonce, is
processed block by block using the Galois field multiplication and addition
c) Finalization: The final GMAC value is generated by
processing the last block and incorporating the final Galois field
GMAC enables the recipient of the PAN to validate the
integrity and authenticity of the data by re-computing the GMAC value using the
received PAN, the same secret key, and the nonce.
In an era where data breaches and unauthorized access pose
significant threats to organizations and their customers, implementing robust
data security measures is crucial. Cleartext PAN removal serves as a critical
defense-in-depth control, ensuring that stored PANs remain protected even in
the event of an unauthorized breach. By encrypting or hashing PANs,
organizations mitigate the risk of exposing sensitive data to unauthorized
Furthermore, secondary independent control systems,
including cryptographic key management and governance frameworks, bolster the
overall security posture. These systems ensure that access to cryptographic and
decryption keys is tightly controlled, reducing the likelihood of unauthorized
access and misuse.
Keyed cryptographic hashing algorithms, such as HMAC, CMAC,
and GMAC, provide an additional layer of security by incorporating randomly
generated secret keys. These algorithms resist brute force attacks and enhance
the integrity and authenticity of hashed PANs.
By adopting these practices, organizations demonstrate a commitment
to data security, safeguarding sensitive information and maintaining the trust
of their customers and stakeholders. It is imperative to continually reassess
and update data security measures to stay ahead of evolving threats and ensure
the long-term protection of valuable data assets.