One of the significant improvements that the PCI DSS standard incorporated in its version 4.0 was the use of PCI DSS functions. hash cryptographic with key (keyed cryptographic hash) as a replacement for the functions of hash traditional (non-keyed hash) which, until then, were used in the protection of the NAP. But why was this change made? what is the reason for employing functions of hash cryptographic with key and what benefits does it bring to the security of payment card data?

The PCI DSS standard allows four (4) different methods to protect the PAN during storage:

  1. Use of single-track functions (hash) based on robust cryptography of the complete PAN.
  2. Truncation.
  3. Indices of tokens (tokenization).
  4. Robust cryptography with associated key management procedures.

For point 1 (use of single-track functions – hash), as of PCI DSS version 4.0, these functions are required to use keys (keyed cryptographic hash). The differences between these two hash methods are described below.

What is a hash traditional (non-keyed hash)?

One hash function is a mathematical function that can receive as input an infinite set of data and results in a “summary” (message digest) or a finite set of characters that unambiguously identify their input, similar to a DNA sequence or fingerprint. A characteristic of this type of mathematical function is that it is impossible to derive or obtain the original input from its source. hash, which is why they are also referred to as “single-track functions” or one-way functions. Among the most well-known algorithms that implement these functions are the MD family (Message-Digest algorithm) with MD4 y MD5 and SHA (Secure Hash Algorithms) with SHA-0, SHA-1, SHA-2 y SHA-3.

These types of functions are particularly useful in identifying changes or alterations in text strings or files (integrity validation) and comparing values:

As can be seen in the image above, although the meaning of the word has not changed, its characters have, which represents a change in its encoding that can be detected using functions of hash (in this case, MD5). This same concept can be applied to files to ensure that they have not been modified. In fact, the use of such functions is very common in file integrity monitoring tools (File Integrity Monitoring – FIM):

In PCI DSS, until version 3.2.1, these types of functions were used for the secure storage of PAN data and to facilitate its subsequent comparison (using multidimensional storage structures called Tables of hash), if necessary for business reasons.

An important feature that these algorithms must meet in order to be classified as safe is the resistance to collision of hashes. A collision of hash occurs when two different inputs generate the same result of hash, which completely breaks with the concept of uniqueness between input and output that these functions should provide. A practical example of this scenario can be found in the work of Magnus Daum and Stefan Lucks, who created two different PostScript files that generate the same hash MD5, proving that this algorithm was susceptible to collision. The same example can be found with SHA-1.

Collision of hashes – Source: https://shattered.io/static/infographic.pdf

Another problem that these types of functions have is known as Rainbow Tables (rainbow tables). In this case, this type of attack against functions of hash is not related to the algorithm or its implementation itself, but in the number of hash These can be generated from different character combinations, called precomputed tables. In these cases, an attacker uses a list of strings with their linked hashes. Once you get a hash, compare the hash with the precomputed table, extracting its related value in clear. These types of attacks are common in repositories that contain passwords, existing online versions of those tables which make it possible to obtain the clear value from a hash, if that value has been pre-computed.

Example of precomputed hashe table

Likewise, traditional functions of hash do not allow to perform tasks of authentication (it is not possible to validate the origin of the hash). An example of this scenario can be found in software distribution. Imagine that a website publishes an executable and its associated hash value so that those who download it can verify that the file has not been manipulated. However, if an attacker violates that website and replaces the file with a malicious version, also changing its hash associated, the people who download it will not be able to validate (authenticate) if the file is correct or not, they will simply be able to verify that the downloaded version is the same as the one on the website, without noticing the change.

Integrity verification using traditional hash functions (no origin validation)

Because of these problems, algorithms MD4 and MD5 are not considered robust algorithms and SHA-1 should be used under restricted circumstances (seeWhat is the Council’s guidance on the use of SHA-1?‘).

What is a hash cryptographic with key (keyed cryptographic hash)?

To manage the innate problems of using algorithms of hash traditional functions are made use of hash cryptographic with key (keyed cryptographic hash). Unlike summary functions (digest) traditional, these types of functions allow validating the authenticity and integrity of messages. For this reason, they are also called "Message Authentication Codes» (Message Authentication Code – MAC) or ‘message integrity codes’ (Message Integrity Code – MIC).

In these functions, the parties involved previously share a secret key (pre-shared key) which ensures that only those in possession of such a key can verify that the message has not been tampered with and that it comes from a trusted counterparty. Using the example above in which a user downloads a file and verifies its integrity using the hash provided on the same website, if a cryptographic hash function with a key is used, a potential attacker who changes the file and the hash but do not have access to the pre-shared key could be easily identified.

Integrity and source verification using keyed hash functions

There are multiple mechanisms for the implementation of message authentication codes (MAC), whose main difference lies in the type of algorithm used:

Hash-based Message Authentication Code (HMAC)

The algorithm Hash-based Message Authentication Code (HMAC) is defined in the document NIST SP 800-224, Keyed-Hash Message Authentication Code (HMAC): Specification of HMAC and Recommendations for Message Authentication and its guidelines for use are described in NIST SP 107 Revision 1, Recommendation for Applications Using Approved Hash Algorithms.

Flow diagram HMAC. Source: NIST SP 800-224

The data processing used by this algorithm is as follows:

  • This algorithm uses a pre-shared key K.
  • This key is combined by xor with two blocks of predefined strings (ipad (0x36) and opad (0x5C)).
  • The block of data resulting from the xor with ipad is concatenated to the message M and its result is passed through a function of hash traditional H.
  • This resulting block is concatenated with opad and its result is again passed through a function of hash H, obtaining the result of HMAC.

The algorithm used in H It can be MD5 or any algorithm in the SHA-1, SHA-2 or SHA-3 family, although the NIST recommendation is to use SHA.

Cipher Block Chaining Message Authentication Code (CBC-MAC)

The CBC-MAC algorithm (or simply CMAC) is specified in the document NIST SP 800-38B, Recommendation for Block Cipher Modes of Operation: the CMAC Mode for Authentication.  Unlike HMAC which uses functions of hash Traditionally combined with a pre-shared key, CBC-MAC (CMAC) uses symmetric cryptographic algorithms (DES or AES) in mode Cipher Block Chaining (CBC) in conjunction with a pre-shared key to generate its output. The use of CBC guarantees an interdependence between the different blocks of the message, so that if there is a change in any bit of the text in clear, this change will have an effect on the final result allowing the identification of the manipulation.

Flow diagram CBC-MAC. Source: NIST SP 800-38B

The data processing used by this algorithm is as follows:

  • The message M is divided into different blocks (M1, M2 … Mn) depending on the block size used by the symmetric algorithm to be used. If the size does not match, the missing bytes are added using a predefined fill (padding).
  • The first data block of the message (M1) is encrypted with the K key using a symmetric algorithm and an initialization vector (IV) of zero.
  • This result is combined via xor with the second block of the message and its result is re-encrypted. This action is repeated until the final block.
  • The result T consists of the string of X bits located further to the left of the final block, depending on the size of the block used by the algorithm used.
  • In addition, two subkeys derived from the main key (K1 and K2) can be used to be combined via xor with the final block before being encrypted. This method is called Encrypt-last-block CBC-MAC (ECBC-MAC)
Other MAC algorithms

In addition to HMAC and CMAC there are other algorithms for the generation of MAC:

Importance of keys in MAC algorithms

By using pre-shared keys, MAC algorithms can authenticate the origin of the additional message to integrity validation. As can be seen, the security of this process lies in the pre-shared key, which is why it is essential that there is a correct management of the life cycle of such keys (generation, loading, export, transmission, storage, destruction) in all the parties involved in the same way as it is done when symmetric cryptography is used, although these functions do not offer protection of confidentiality.

Likewise, the specifications of the MAC algorithms assume that the keys to be used have been pre-shared between the parties involved in a secure manner, without describing any associated process, so that additional key transmission procedures may be necessary using clear components, shares or cryptograms prior to the use of MAC functions if the key to be used has not yet been shared.

Use of functions of hash cryptographic with key (keyed cryptographic hash) in PCI DSS

As of April 1, 2025, it is mandatory to implement the functions of hash cryptographic with key (keyed cryptographic hash) if an entity uses hash routines for PAN data protection (requirement 3.5.1.1 of PCI DSS v4.0.1). In this case:

  • The use of functions of hash traditional (non-keyed hash) is not allowed for protection of the entire PAN during storage, even if they use salts.
  • The function of hash cryptographic with key (keyed cryptographic hash) must protect the entire NAP.
  • Due to the criticality of the pre-shared keys in this process, the entity must implement all cryptographic key management controls defined in requirements 3.6 and 3.7, unless they are systems that only have access to a hash at the same time and do not store any other card data.
  • The keys used with these functions must be aligned with the concept of strong cryptography. In this case, robust algorithms with a key length that provides a minimum of 112 bits of effective key strength should be used (effective key strength) or 128 bits of strength for new deployments.
  • It is recommended that keys used with MAC algorithms be managed using a validated security cryptographic device, such as a hardware security module (Hardware Security Module – HSM).

Posted by David Acosta

Qualified Security Assessor (QSA) for PCI DSS, PCI PIN, PCI 3DS, P2PE and PCI TSP. CISSP, CISA, CISM, CRISC, C|EH, C|HFI.

One Comment

  1. Very clear explanation, thank you!

    Reply

Leave to Reply