I am working for a small company that is going through a PCI DSS
audit. The auditor wants to know how long the key lengths are for
the fields that we have encrypted with pgcrypto 3des. I am by no
means an expert in cryptology, so I am struggling with what to tell
him? I've done a day or so of googling and the best I can tell is
the 3des uses 3x56bit keys and encrypts the date 3 times with each of
the keys.
He did not seem to like that answer. He seems to believe that 3des
can use 2048 bit keys and that is the minimal acceptable standard of
PCI DSS? What I know is that we simply added the contrib pgcrypto
stuff into the database and started using 3des and it seemed to work.
So my questions are:
1) What are the default 3des key lengths when you load postgresql
enterprise db on a redhat ES x86_64 box?
2) If possible how can you change the keys? and replace them with
keys with lengths to 2048 bit or above?
3) If 2 is not possible then what other encryption type can we use
that will meet his 2048 bit key length requirement?
4) Is is possible to compile C or Java code that will allow me to be
the only one whom knows the pass-key but allow other users to encrypt/
decrypt data?
Thanks in advance,
--bb