Obfuscation vs encryption

canadiocanadio Member Posts: 13 ■□□□□□□□□□
Reading a recent case study of a "respected" IT security company they proudly mentioned how they set up
an obfuscation system for storing client credit cards? I'm like WTF? should that not be encryption they should be using?

Comments

  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    They can do both, obfuscation is actually used very much when it comes to database. In that case you dont want to encrypt the data but obfuscated so they can be read by other systems or people without actually providing the real numbers.
  • canadiocanadio Member Posts: 13 ■□□□□□□□□□
    TheFORCE wrote: »
    They can do both, obfuscation is actually used very much when it comes to database. In that case you dont want to encrypt the data but obfuscated so they can be read by other systems or people without actually providing the real numbers.

    Thanks TF. I'm sure it's probably in widespread use.

    But, I bet you that in the context of an exam like Security+ , you were given the choice between obfuscation and encryption and you stated obfuscation as an answer, it would be "wrong"!
  • canadiocanadio Member Posts: 13 ■□□□□□□□□□
    Does anyone else notice this. There seems to be a huge chasm between the world of Security + , CISSP exams and the way
    IT security is really practiced?
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    Huh? What kind of credit card data? Under PCI Requirement 3 - you cannot store the PAN unless it's done with a one-way hash of the entire PAN. The specific requirement is that the PAN must be unreadable and cannot be recovered. And if the data is SAD (sensitive authentication data) - well - you aren't suppose to store that at all.

    So they came up with a new-fangled secure way to store the expiration date and service code? icon_rolleyes.gif Sounds like marketing baloney to me.
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    @paul78 obfuscation actually take the 16 digit pans and scrambles them which can allow the data to then be used in test environments... once you obfuscate the data, it is technically (yeah right) unrestorable back to original ... live card data should always be encrypted. PINs and CVVs should never be stored... in reality, we should be encrypt at swipe and tokenize before sending to the processor
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    jcundiff wrote: »
    @paul78 obfuscation actually take the 16 digit pans and scrambles them which can allow the data to then be used in test environments...
    Excellent point! But given that a PAN must be unrestorable - using an obfuscation technique must be crypto-tested. Also from a software engineering point of view - the term obfuscation has a very specific meaning - it implies an algo that is used to make data difficult to understand. ROT13 for example is an obfuscation technique but hardly qualifies as strong crypto. icon_lol.gif
  • jcundiffjcundiff Member Posts: 486 ■■■■□□□□□□
    agree :) obfuscation has its uses but it should never be used to replace encrypting PCI data
    "Hard Work Beats Talent When Talent Doesn't Work Hard" - Tim Notke
Sign In or Register to comment.