PCI Speak: SHA Versus AES

In one of the more awkward consulting situations, I was sitting in a room where the technical lead of my client, along with his impressionable junior staff, started talking about Requirement 3 of PCI, which we all know is the mother of all inconveniences – secure storage.

Obviously we reached a point where I was talking about strong encryption and recommended AES-256. The technical lead sagely said that he prefers SHA256 instead of AES. There was a slightly muted pause when he said that, and while his juniors all nodded equally sagely, I was caught between responding and possibly correcting him in front of his juniors, or just muttering an agreement.

You see, AES and SHA are fundamentally used for different things. One is used for hiding and encrypting, the other is used for verifying. SHA is a hash function like the old MD5, while a proper comparison for AES would be 3DES. SHA has no key. Once you’ve SHA’ed it, it’s SHA’ed for life. Data encrypted with AES can still be decrypted with the key, and obviously there can be key management in place for it.
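The difference described above, as an added example in Go's standard library (not code from the original post): AES-256-GCM returns the stored value to whoever holds the key, while a SHA-256 digest takes no key and can only confirm a candidate. The function names, the all-zero demo key and the test card number are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewAEAD builds AES-GCM from a key; a 32-byte key selects AES-256.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts pan and returns nonce||ciphertext||tag, using a fresh random nonce.
func Seal(aead cipher.AEAD, pan []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pan, nil), nil
}

// Open reverses Seal; it fails if the key is wrong or the record was altered.
func Open(aead cipher.AEAD, record []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(record) < n {
		return nil, fmt.Errorf("record shorter than nonce")
	}
	return aead.Open(nil, record[:n], record[n:], nil)
}

// Digest takes no key and has no inverse; Matches is all a stored digest supports.
func Digest(v []byte) [32]byte                  { return sha256.Sum256(v) }
func Matches(d [32]byte, candidate []byte) bool { return Digest(candidate) == d }

func main() {
	pan := []byte("4111111111111111")    // constructed test card number
	aead, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key; real keys come from key management
	rec, _ := Seal(aead, pan)
	back, err := Open(aead, rec)
	fmt.Printf("AES-256-GCM with the key: %s (err=%v)\n", back, err)
	fmt.Println("SHA-256 confirms a guess only:", Matches(Digest(pan), pan))
}
```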

I decided to correct him, by saying that these are two different things altogether. However, he still insisted SHA could be used as encryption. I am pondering the day that he decides to SHA his entire database (if that can be done), and I guess we’ll have a very large number of hashes to verify with. We are still in discussion over this.
