News
How can I securely encrypt short data blocks like credit card numbers?
November 2008 by Ulf Mattsson, CTO, Protegrity Corporation
You can securely encrypt short data blocks with the CBC (Cipher Block Chaining) mode of a block encryption algorithm (AES, 3DES …) if using a rotating or random generated initialization vector (IV). The IV must be used if the input data is not longer than the block size for the cipher (8 bytes for DES and 3DES, 16 bytes for AES).
The IV must be stored for future use when the data is decrypted. The IV works like a second key, but does in most cases not need to be kept secret and can be stored in clear in the database. If the application requires having an IV per column, which can be necessary to allow for searching within that column, the value can be stored in a separate table. For a more secure deployment, but with limited searching capabilities if support for accelerated index-search on encrypted data is not used, an IV can be generated per row and stored with the data. In the case where multiple columns are encrypted, but the table has space limitations, the same IV can be reused for each encrypted value in the row, even if the encryption keys for each column are different, provided the encryption algorithm and key size are the same.
