The PCI Security Standards Council has updated its glossary to version 3. The changes include a revised definition of strong cryptography, which raises the minimum key lengths for several algorithms.
The glossary now gives the following as examples of industry-tested and accepted standards and algorithms for encryption: AES (128 bits and higher), TDES (minimum triple-length keys), RSA (2048 bits and higher), ECC (160 bits and higher) and ElGamal (2048 bits and higher).
Compared with the previous glossary, the minimums that have changed are:
- Triple DES: minimum key length raised from double-length (two-key) to triple-length (three-key) keys
- RSA: minimum key length raised from 1024 bits to 2048 bits
- ElGamal: minimum key length raised from 1024 bits to 2048 bits
The change to RSA key lengths brings the acceptable minimum into line with the recommendation of the Certification Authority/Browser (CA/B) Forum and the National Institute of Standards and Technology (NIST), both of which have determined that RSA keys shorter than 2048 bits are no longer strong enough for SSL certificates.
I suggest that merchants and service providers review their cryptographic systems, in particular the SSL certificates protecting their HTTPS services. A certificate's key length cannot be increased in place: any certificate issued for a key below the new minimum needs a new key pair of at least 2048 bits and a reissued or newly purchased certificate to meet the requirements.
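The certificate review suggested above, as an added example that is not part of the original post: a POSIX shell script that reads the public-key algorithm and size out of `openssl x509 -text` and compares it with the glossary v3 minimums for the two key types found in certificates, RSA (2048 bits and higher) and ECC (160 bits and higher). It assumes the openssl command-line tool is installed; the function names are my own and the TDES/AES minimums do not apply to certificates, so they are not checked here.

```shell
#!/bin/sh
# Added example (not from the IT Governance post): compare the public key in
# an X.509 certificate with the PCI SSC glossary v3 minimums quoted above
# (RSA 2048 bits and higher, ECC 160 bits and higher).
# Assumption: the openssl command-line tool is on PATH.

# Print "<algorithm> <bits>" for the PEM certificate in $1, e.g. "rsa 2048"
# or "ec 256", by parsing the human-readable dump from `openssl x509 -text`.
cert_key_info() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # The dump contains "Public-Key: (2048 bit)" (older releases print
    # "RSA Public-Key: (2048 bit)"; the pattern accepts both).
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    # Use the "Public Key Algorithm:" line rather than grepping the whole dump,
    # so an EC certificate signed by an RSA CA is not mistaken for an RSA key.
    algo_line=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    case "$algo_line" in
        rsaEncryption)  algo=rsa ;;
        id-ecPublicKey) algo=ec ;;
        *)              algo=unknown ;;
    esac
    printf '%s %s\n' "$algo" "$bits"
}

# Exit 0 if the key in certificate $1 meets the glossary v3 minimum for its
# algorithm, 1 if it falls short, 2 if the key type is neither RSA nor ECC.
cert_is_strong() {
    info=$(cert_key_info "$1") || return 2
    algo=${info%% *}
    bits=${info##* }
    case "$algo" in
        rsa) [ "$bits" -ge 2048 ] ;;
        ec)  [ "$bits" -ge 160 ] ;;
        *)   return 2 ;;
    esac
}

# Save the certificate a live HTTPS server presents into PEM file $2 so it can
# be passed to cert_is_strong. $1 is host[:port]; the port defaults to 443.
# Needs network access, so it is not exercised by the offline usage below.
fetch_server_cert() {
    host=${1%%:*}
    port=${1#*:}
    [ "$port" = "$1" ] && port=443
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Stand-alone usage (constructed for this example): ./check_cert.sh cert.pem ...
if [ $# -ge 1 ]; then
    for cert in "$@"; do
        if cert_is_strong "$cert"; then
            echo "$cert: $(cert_key_info "$cert") - meets the glossary v3 minimum"
        else
            echo "$cert: $(cert_key_info "$cert") - below the glossary v3 minimum or unsupported key type (re-key required)"
        fi
    done
fi
```

Run it against the certificates saved by `fetch_server_cert` for each HTTPS endpoint in scope; anything reported as RSA 1024 (or smaller) needs a freshly generated key pair of at least 2048 bits and a reissued certificate, since the existing certificate cannot be upgraded.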