Is Triple DES a more secure encryption scheme than DUKPT?

BROWSE BY TAG Platform Security,   Enterprise Data Protection,   Enterprise Data Governance,   Disk Encryption and File Encryption,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Platform Security Should developers create libraries of common cryptographic algorithms? How to secure USB ports on Windows machines What is the best database patch management process? What is an encryption collision? What are new and commonly used public-key cryptography algorithms? Should management processes change based on a patch release schedule? Does an EULA make it truly illegal to decompile software? Should businesses delay Windows Vista adoption and just buy Windows 7? Why should we place data files on a separate partition than the OS? Should Windows Mobile updates come from Microsoft? Enterprise Data Governance Creating an enterprise data protection framework Analyst DLP study finds maturity, ranks top DLP vendors Voltage, RSA spar over tokenization, data protection Twitter gets condemned by CISOs at Forrester forum PCI DSS compliance requirements: Ensuring data integrity Trustwave acquires data loss prevention vendor Vericept Data has become too distributed to secure, Forrester says Cloud-based security services should start private Compliance in the cloud How to write technology outsourcing contracts Disk Encryption and File Encryption Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Should developers create libraries of common cryptographic algorithms? What is an encryption collision? Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection Voltage, RSA spar over tokenization, data protection Truth, lies and fiction about encryption What are new and commonly used public-key cryptography algorithms? What are the export limitations for AES data encryption?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary cut-and-paste attack  (SearchSecurity.com) data masking  (SearchSecurity.com) data splitting  (SearchSecurity.com) deperimeterization  (SearchSecurity.com) Google hacking  (SearchSecurity.com) masquerade  (SearchSecurity.com) snooping  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

DUKPT does not really compete with Triple DES. The DES stands for Data Encryption Standard, a block cipher that was selected as an official Federal Information Processing Standard (FIPS) for the United States in 1976. Triple DES, sometimes shortened further as TDES, increases the difficulty of cracking the encryption by applying three rounds of action: an encryption, a decryption and an encryption, each with independent keys. TDES has become popular for encrypting financial transactions because it is potentially far more secure than DES, which has been shown to yield its secrets somewhat quickly to relatively cheap hardware.

Both DES and TDES use a symmetric key. In other words, the same key enciphers and deciphers the protected data. To keep the key secret, a secure key-management system is required. One financial area of particular concern is the point-of-sale or POS terminal. Worldwide, these devices probably handle billions of transactions a day. If the keys to even a small portion of that traffic could be discovered, all manner of theft and fraud could be perpetrated.

One way to prevent such cybercrime is to use a different key for each transaction, which is the function of DUKPT or Derived Unique Key Per Transaction. Devices that use DUKPT are initialized with a master key -- from which the unique keys are derived, one per transaction. Even if an attacker discovers the key to a particular transaction, none of the other transactions from the same device can be decrypted with that key. A potential attack point in this scheme is the master key stored in the encrypting device. Tools that use DUKPT, however, are typically built so that tampering with the device wipes this master key out.

These derived keys are used to encrypt transaction data with a symmetric cipher such as TDES. Because the programming of TDES is well-understood and the algorithm requires minimal processing power, it is a popular choice for POS systems. But on many systems, it is not the only powerful symmetric encryption algorithm available.

AES (Advanced Encryption Standard) is a good alternative. When making choices about encryption standards, it is important to remember that the algorithms are not usually the weak point. As was made clear by Ross Anderson in his landmark paper "Why Cryptosystems Fail," published by the Association for Computing Machinery (ACM) in 1993, "most security failures are due to implementation and management errors."

More information: