6.4.2.2 Encryption for Data in Transit
The following is the implementation for encryption for data in transit:
User logins and re-logins will always occur over an encrypted connection.
Transport layer security shall be implemented for the e-commerce application, where all activities of a user who is logged in will take place over an encrypted link. Communication with the e-commerce application will take place over an HTTPS link.
The transport layer security implementation for Panthera's e-commerce application will be a 2048-bit RSA with SHA-1 Certificate.
Credit card information will be sent to Panthera's payment gateway over an HTTPS link, established by the server of the payment gateway.
6.4.2.3 Encryption Key Management
The following functionality will be implemented for Panthera's e-commerce application for encryption key management:
Panthera will establish two keys. One key is the data encrypting key (DEK), which will be used for encrypting the credit card numbers in the database, and one is the key encrypting key (KEK), which will be used to encrypt the data encrypting key.
The DEK will be a symmetric encryption key, which is an AES 256-bit key for encrypting the card number.
The KEK will be a 2048-bit RSA keypair, where the public key will be used to encrypt the DEK.
The DEK and KEK shall be stored in separate locations.
Panthera plans to change the DEK and KEK on an annual basis.
Panthera will utilize initialization vectors (IVs) to add randomness to the data encryption process. These IVs shall be stored in the same database table as the card numbers for the encryption process.
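As an added illustration of the DEK/KEK scheme above (example code written here, not code from the book or from Panthera's application), the following Java sketch wraps an AES-256 DEK under an RSA-2048 KEK public key, encrypts a card number under the DEK with a fresh random IV, and keeps that IV beside the ciphertext as one card-table row. The choice of AES-GCM and RSA-OAEP, the class and method names, and the test card number are assumptions made here, not given in the text; the record type needs Java 16 or later.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;

public class EnvelopeEncryptionExample {
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    record CardRow(byte[] iv, byte[] ciphertext) {} // one card-table row: IV stored beside its ciphertext
    // Wrap the DEK under the KEK public key; only this wrapped blob is persisted, apart from the KEK.
    static byte[] wrapDek(SecretKey dek, KeyPair kek) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.WRAP_MODE, kek.getPublic());
        return rsa.wrap(dek);
    }
    // Unwrap with the KEK private key whenever the application needs the DEK in memory.
    static SecretKey unwrapDek(byte[] wrapped, KeyPair kek) throws Exception {
        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.UNWRAP_MODE, kek.getPrivate());
        return (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    // Encrypt one card number under the DEK with a fresh 96-bit IV (never reused with the same key).
    static CardRow encryptCard(String pan, SecretKey dek) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(128, iv));
        return new CardRow(iv, aes.doFinal(pan.getBytes(StandardCharsets.UTF_8)));
    }
    // Decrypt using the IV read back from the same row; GCM also rejects tampered ciphertext.
    static String decryptCard(CardRow row, SecretKey dek) throws Exception {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(128, row.iv()));
        return new String(aes.doFinal(row.ciphertext()), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");   // KEK: 2048-bit RSA keypair
        kpg.initialize(2048);
        KeyPair kek = kpg.generateKeyPair();
        KeyGenerator kg = KeyGenerator.getInstance("AES");            // DEK: 256-bit AES key
        kg.init(256);
        SecretKey dek = kg.generateKey();
        byte[] wrappedDek = wrapDek(dek, kek);
        CardRow row = encryptCard("4111111111111111", dek);          // constructed test card number
        String recovered = decryptCard(row, unwrapDek(wrappedDek, kek));
        System.out.println(recovered.equals("4111111111111111") ? "round trip OK" : "MISMATCH");
    }
}
```

In a deployment following the text, the KEK private key and the wrapped DEK would live in separate locations, and the annual key change amounts to generating a new DEK, re-encrypting the card rows, and re-wrapping under the new KEK.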
6.4.3 Logging
Logging is a mechanism that captures events from systems where it has been configured. System logs capture details of the system event including the type of event, the system affected, user or device accessing the system, time, and success/failure status of the event. System logs are considered as one of the most critical detective controls for a system. Only with the aid of logs can an incident or a breach be traced. The administrators can open the logs and gain knowledge of any anomalous incidents or events that occurred in the past and may be able to take corrective action, based on the incident or event. Logging is considered critical by most security best practices, and there are several tools today, known as log management tools, that monitor system logs and raise alerts based on the nature of the log event. Logging for Web applications is also a matter of paramount importance. Web applications, especially public-facing Web applications, are subject to a great deal of traffic, and while it is important to monitor the performance-related aspects of the applications, it is also important to ensure that any event relating to the security of the application is monitored and tracked in the application logs. Logging for most Web applications is performed by default by the Web/application server, but this has to