An Encryption Horror Story
August 23, 2010 Dan Burger
The auditors are knocking at the door. You knew this day would come. Preparations were in place. When the PCI audit team looked for cross-platform data security measures, your bases were covered. The point of sale (POS) software was taking care of everything for you. But then, just a few days ago, it was discovered that credit card information encrypted on Microsoft SQL Server could not be decrypted on IBM i running on Power Systems hardware.
“This year we’ve had five or six incidents where this has happened,” says Patrick Townsend, chairman of the board and chief technology officer of the security software company that bears his name, Patrick Townsend Security Solutions (PTSS). “It pretty much follows a common path.”
Walking this path can make the hair on the back of your neck stand on end. It can make your blood run cold. Those auditors can make it seem like you’re in a bad horror flick called Night of the Living Dead: the Auditors’ Revenge.
On the path that Townsend describes, there’s a company with an IBM i platform along with Windows servers that are part of the credit card authorization network. Data is flowing through the credit card authorization network. Transaction logs are captured by point-of-sale terminals and converted to flat files that are moved to the credit card authorization system. Eventually this data reaches the business computer, Power Systems hardware running the i operating system.
Cardholder data that sits unencrypted at any point along that path is exposed. The PCI DSS requires it to be protected, and companies are expected to comply by encrypting it.
In this horror story, the POS vendor acquired application source code to add standard AES encryption to its Windows-based POS software. Encryption and decryption round-tripped cleanly in the Windows environment.
However, the challenge comes when moving data cross-platform, Townsend warns. It could be a Windows-to-i move or to any other non-Windows platform. It could be from the DB2 for i database to Oracle databases or any other mix of platforms and systems software.
When encrypted information can’t be decrypted, you’ve got a problem.
So Townsend gets the call from a company struggling to get this encrypted data onto the IBM i platform and decrypt it.
PTSS examined the code by running it through the test environment it uses to validate its own code for NIST certification. NIST is the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce.
“We found it wouldn’t run properly. Every test we ran showed errors,” Townsend told IT Jungle in a telephone interview last week. That led to a closer examination of the source code, where PTSS found the problem.
“A couple of things jumped out,” Townsend says. “This code was written with non-standard block sizes for the encryption. The person who wrote it and the people who implemented it didn’t understand there could be variations in the standard. As long as they stayed within their sandbox on the Windows platform, they could encrypt and decrypt using the non-standard algorithm.”
In other words, it looked and performed like good code. The catch is that AES as standardized in FIPS-197 has a fixed 128-bit block size; the wider block sizes that the original Rijndael proposal allowed are not AES, and an implementation that uses one will round-trip with itself and with nothing else. A round-trip test inside one environment cannot detect that, which is why the vendor never saw a failure until the data left Windows.
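The check that would have caught this is the one PTSS ran: feed the implementation the published known-answer vectors and see whether it reproduces them, rather than trusting that encrypt followed by decrypt gives the plaintext back. The following is an added example, written for this page and not code from the article, from the POS vendor, or from Patrick Townsend Security Solutions. It is a minimal AES-128 block encryptor with a FIPS-197 known-answer test. The deviation it demonstrates is a changed round count (the `rounds` parameter is an assumption of this example, not an AES option); the page’s case was a non-standard block size, which a 16-byte test vector could not even be fed into, but the lesson is the same: a self-consistent variant passes its own round-trip test and fails the standard’s vectors.

```python
# Added example: minimal AES-128 block cipher plus FIPS-197 known-answer test.
# Not the article's code. The `rounds` knob exists only to simulate a private
# variant that round-trips with itself but is not AES.

# (key, plaintext, expected ciphertext) from FIPS-197 Appendix B and Appendix C.1
FIPS197_VECTORS = [
    ("2b7e151628aed2a6abf7158809cf4f3c", "3243f6a8885a308d313198a2e0370734",
     "3925841d02dc09fbdc118597196a0b32"),
    ("000102030405060708090a0b0c0d0e0f", "00112233445566778899aabbccddeeff",
     "69c4e0d86a7b0430d8cdb78070b4c55a"),
]

def xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def gmul(a, b):
    """General GF(2^8) multiplication, used by MixColumns and the S-box."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r

def _ginv(x):
    """Multiplicative inverse as x^254 in GF(2^8); 0 maps to 0."""
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gmul(r, base)
        base, e = gmul(base, base), e >> 1
    return r

def _build_sbox():
    """Derive the S-box from its definition (field inverse + affine map)."""
    box = []
    for x in range(256):
        v = _ginv(x)
        s = v
        for i in range(1, 5):          # s = v ^ rotl(v,1) ^ ... ^ rotl(v,4)
            s ^= ((v << i) | (v >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

SBOX = _build_sbox()

def expand_key(key, rounds=10):
    """AES-128 key schedule. rounds=10 is the standard; other values are a variant."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 4 * (rounds + 1)):
        t = w[i - 1][:]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    # Round key r is words 4r..4r+3, flattened in column-major order like the state.
    return [sum(w[4 * r:4 * r + 4], []) for r in range(rounds + 1)]

def _shift_rows(s):
    # State index is 4*col + row; row r rotates left by r positions.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out.append(gmul(a[r], 2) ^ gmul(a[(r + 1) % 4], 3)
                       ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return out

def aes128_encrypt_block(key, block, rounds=10):
    """Encrypt one 16-byte block. AES has a fixed 128-bit block; no per-platform choice."""
    if len(block) != 16:
        raise ValueError("AES block size is fixed at 16 bytes")
    rk = expand_key(key, rounds)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, rounds + 1):
        s = _shift_rows([SBOX[b] for b in s])
        if rnd != rounds:                 # final round has no MixColumns
            s = _mix_columns(s)
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def known_answer_test(encrypt_block):
    """True only if encrypt_block(key, pt) reproduces every FIPS-197 vector."""
    for key, pt, ct in FIPS197_VECTORS:
        if encrypt_block(bytes.fromhex(key), bytes.fromhex(pt)) != bytes.fromhex(ct):
            return False
    return True

if __name__ == "__main__":
    print("standard AES-128 passes KAT:", known_answer_test(aes128_encrypt_block))
    # A 12-round variant round-trips fine with its own decryptor, yet it is not AES
    # and will not interoperate with any other platform's implementation.
    variant = lambda k, b: aes128_encrypt_block(k, b, rounds=12)
    print("12-round variant passes KAT:", known_answer_test(variant))
```

Wire `known_answer_test` into the build of every component that touches the cipher, on every platform involved. A component that fails the vectors is not AES no matter how well it round-trips, and that is exactly the condition the auditors were about to find.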
“This points out that when some component in the encryption strategy is not built to standards, you may not have what you think you have,” Townsend says. “In this case they thought they had cross-platform capability, but they didn’t. This becomes the sand in the gears that grind projects to a halt. And, it costs a lot of money because it takes extra time to solve problems. Compliance deadlines add pressure, because there is the threat of becoming out of compliance. It becomes a snarly mess sorting out the issues.”
Out-of-the-box software that is incompatible with existing standards is not unusual, at least where encryption is concerned, Townsend says. Moving unencrypted data on an internal network is not unusual either. But things are changing in that regard.
“Auditors are now asking more specific questions,” Townsend says. “They are fairly well educated on this [protecting unencrypted data on internal networks] and would not miss looking for it during an audit. As recently as three years ago, auditors missed this kind of issue.”
Beware of the encryption curse. It will make the “fleas of a thousand camels” curse seem mild by comparison.