Message-Id: <13330BE5-1716-4A67-A1B6-39E6C4C5B92A@digitalmunition.com>
Date: Wed, 18 May 2011 14:46:15 -0400
From: Kevin Finisterre <kf@...italmunition.com>
To: john-users@...ts.openwall.com
Subject: Re: Help with 14 - 16 digit CC's stored in MD5 hash

Duly noted. Unfortunately the practice of using MD5 to hash a CC seems to fall within the PCI wording:

"PCI DSS Requirement 3.4 –

Render [credit card numbers], at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:

- Strong one-way hash functions (hashed indexes)
- Truncation
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key management processes and procedures"

In the bigger picture I suppose the request in this particular case is for the greater good... I do see the potential for the previously mentioned danger. The real danger perhaps lies in the fact that vendors have taken comfort in the practice all the while claiming to be following PCI compliance guidelines. I am making an effort to highlight how silly this practice is for someone that is making use of one such product. 

Thanks in advance. 
-KF

On May 18, 2011, at 2:14 PM, RB wrote:

> An interesting problem, but one fraught with danger for both requester
> and helper.
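
An added illustration (editor's example, not code from this thread or from the PCI text) of why an unkeyed MD5 "hashed index" over a PAN is weak and what the other Requirement 3.4 options look like. The sample PAN is the well-known Visa test number, the HMAC key is a placeholder, and the function names are my own:

```python
import hashlib
import hmac
import math

# Constructed sample: the well-known Visa test number, which passes Luhn.
# It is not a real account number.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def effective_keyspace_bits(length: int) -> float:
    """Bits of guessing work behind an unsalted, unkeyed hash of a PAN.

    The Luhn check digit is fixed by the others, so only 10**(length-1)
    candidates exist; a known issuer prefix shrinks the space further.
    """
    return math.log2(10 ** (length - 1))


def plain_md5_index(pan: str) -> str:
    """The weak 'hashed index': deterministic, unkeyed, over a tiny space."""
    return hashlib.md5(pan.encode()).hexdigest()


def truncated_pan(pan: str) -> str:
    """PCI-style truncation: keep at most the first six and last four digits."""
    if len(pan) <= 10:
        raise ValueError("PAN too short to truncate safely")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_index(pan: str, key: bytes) -> str:
    """A keyed index (HMAC-SHA256): candidates cannot be checked without the
    key, so the key itself needs the key management 3.4 calls for."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    assert luhn_valid(SAMPLE_PAN)
    print(f"guess space for a 16-digit PAN: ~2^{effective_keyspace_bits(16):.1f}")
    print("md5 index  :", plain_md5_index(SAMPLE_PAN))
    print("truncated  :", truncated_pan(SAMPLE_PAN))
    print("keyed index:", keyed_index(SAMPLE_PAN, b"placeholder-key-not-for-production"))
```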
