inveni0 - 4:56 pm on Apr 30, 2013 (gmt 0)
I'm enhancing the security of a website we're developing, and I want to add an extra layer of obfuscation to the already-PCI-compliant encryption we're using to store credit card numbers. The idea is to add an extra layer of protection, so that the numbers are more secure if the database is hacked by some means (which is happening more and more commonly around the web every day).
Currently, the numbers are encrypted and stored, but I want to use a dynamic key (different for every number) so that a batch of numbers cannot be easily decrypted. (For instance, a hacker could, with relative ease, feed an array of encrypted numbers into a script that would compare all of them and reverse engineer the key accordingly, exposing all card numbers.)
By adding an extra layer of obfuscation and using a dynamic key that is dependent on a certain step within this layer of obfuscation, we hope to exponentially increase the amount of time it would take to crack the credit card number encryption.
My question is this: Where can we go to have skilled mathematicians and programmers attempt to reverse engineer the numbers?
I'd like to see how easily the obfuscated numbers can be reverse engineered (before being encrypted). This will help determine if the extra layer is helpful or harmful.
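One conventional way to get the "different key for every number" property the post asks about, shown as an added example that is not part of the original post: derive each record's key from a single master key with HKDF (RFC 5869) and a random per-record salt. The function names, the `card-record:` label and the record ids are hypothetical, and the master key is assumed to be held outside the database.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, input key material)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: chain HMAC blocks until `length` bytes exist."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key is too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_record_salt() -> bytes:
    """Random salt generated once per row and stored beside the ciphertext."""
    return os.urandom(16)


def record_key(master_key: bytes, salt: bytes, record_id: str) -> bytes:
    """Derive the 32-byte key for one row (hypothetical helper).

    The salt and record id are not secret; only master_key is.
    """
    prk = hkdf_extract(salt, master_key)
    return hkdf_expand(prk, b"card-record:" + record_id.encode(), 32)


if __name__ == "__main__":
    master = os.urandom(32)  # constructed sample; assumed to live outside the DB
    for rid in ("1001", "1002"):  # constructed record ids
        salt = new_record_salt()
        key = record_key(master, salt, rid)
        print(rid, salt.hex(), key.hex()[:16] + "...")
```

The derived key would then be passed to an authenticated cipher for that one row; the cipher is left out here and is an assumption of this sketch.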