What would be an appropriate strength for the key-encrypting key (KEK) used to protect an AES 128-bit data-encrypting key (DEK)?

A. DES256
B. RSA512
C. AES 128
D. ROT 13

Answer: C

Explanation:

The key-encrypting key (KEK) is used to protect the data-encrypting key (DEK) from unauthorized access or disclosure. The KEK should have a strength that is equal to or greater than that of the DEK, so that it does not become the weaker link in the encryption chain. According to the PCI Card Production Logical Security Requirements, section 4.1.1, “The key-encrypting key (KEK) must be at least as strong as the data-encrypting key (DEK) it protects.” Furthermore, section 4.1.2 states, “The KEK must be generated using a secure random number generator (RNG) that meets the requirements of NIST SP 800-90A or equivalent.”

AES 128 is a symmetric encryption algorithm that uses a 128-bit key and meets the NIST standards. Therefore, it would be an appropriate strength for the KEK used to protect an AES 128-bit DEK. The other options are either weaker or asymmetric encryption algorithms, which are not suitable for the KEK.

References: PCI Card Production Logical Security Requirements, [NIST SP 800-90A]
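The weakest-link rule from the explanation, as an added example that is not part of the original page: an audit over a constructed key inventory that walks each key's wrapping chain and flags any key protected by a weaker or non-AES key. The inventory, the key names and the AES-only allowlist are assumptions made for illustration.

```python
# Assumption: only AES keys are accepted in this hierarchy; for AES the
# security strength in bits equals the key length.
ALLOWED_AES_BITS = {128, 192, 256}

# Constructed inventory: key id -> (algorithm, key bits, id of wrapping key or None).
SAMPLE_KEYS = {
    "master":     ("AES", 256, None),
    "kek-a":      ("AES", 128, "master"),
    "kek-b":      ("AES", 256, "master"),
    "kek-c":      ("RSA", 512, "master"),
    "dek-ok":     ("AES", 128, "kek-a"),   # the case from the question
    "dek-weak":   ("AES", 256, "kek-a"),   # 256-bit DEK under a 128-bit KEK
    "dek-rsa":    ("AES", 128, "kek-c"),
    "dek-orphan": ("AES", 128, "kek-z"),   # wrapping key missing from inventory
}

def strength(alg, bits):
    """Return the strength in bits, or None if the algorithm is not allowlisted."""
    if alg.upper() == "AES" and bits in ALLOWED_AES_BITS:
        return bits
    return None  # fail closed on anything unrecognized

def audit(keys):
    """Return {key_id: reason} for each key that violates the KEK >= DEK rule."""
    findings = {}
    for key_id, (alg, bits, parent) in keys.items():
        own = strength(alg, bits)
        if own is None:
            findings[key_id] = "algorithm not on the allowlist"
            continue
        seen = {key_id}
        # Every ancestor in the wrapping chain must be at least as strong.
        while parent is not None:
            if parent in seen or parent not in keys:
                findings[key_id] = "broken wrapping chain"
                break
            seen.add(parent)
            p_alg, p_bits, grandparent = keys[parent]
            p_strength = strength(p_alg, p_bits)
            if p_strength is None:
                findings[key_id] = f"wrapped by non-allowlisted key {parent}"
                break
            if p_strength < own:
                findings[key_id] = f"wrapped by weaker key {parent}"
                break
            parent = grandparent
    return findings

if __name__ == "__main__":
    for key_id, reason in audit(SAMPLE_KEYS).items():
        print(f"{key_id}: {reason}")
```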
