Posted by laredotornado@zipmail.com on 02/09/07 05:36
On Feb 8, 8:24 pm, "shimmyshack" <matt.fa...@gmail.com> wrote:
> On 9 Feb, 00:54, "laredotorn...@zipmail.com"
>
> <laredotorn...@zipmail.com> wrote:
> > Hi,
>
> > I'm trying to send emails that contain credit card numbers and so I
> > would like to encrypt those emails. Knowing little about how this
> > works, is there a PHP module out there that does this? I assume the
> > client must have something installed on his email client to interpret
> > the emails?
>
> > I'm using PHP 4.4.4 with Apache 2.2.
>
> > Thanks, - Dave
>
> To do this you can use a public/private key pair.
> Go ask your client to create one first at Thawte (they must do this to
> install the private key into their system, importing it either into
> Thunderbird, or into "IE" so that Outlook can use it).
> Thawte offer freemail certs.
>
> You can use another method, once you have these and in a form where
> they can be used by php.
>
> check out the manual for openssl_pkcs7_encrypt, it has examples and
> working code.
>
> It's basically this:
> make and save the file: body_of_email.txt
>
> $public_key = file_get_contents("/var/www/vhost/private/public_cert.pem");
>
> openssl_pkcs7_encrypt(
>     //body of email to be encrypted
>     "/var/www/vhost/private/body_of_email.txt",
>     //the output of this function will be saved to encrypted_body.txt
>     "/var/www/vhost/private/encrypted_body.txt",
>     //use the public key to encrypt, this email can be encrypted by anyone,
>     //but only read by the one with the corresponding private key
>     $public_key,
>     //array to do with headers for the email that will be sent
>     array(
>         "To" => "client <client@needs_credit_card_info.org>",
>         "From" => "webserver <php_scr...@server.com>",
>         "Subject" => 'plain text unencrypted subject '),
>     //flags (0 = none), then the cipher id (1 = OPENSSL_CIPHER_RC2_128)
>     0,
>     1);
> //get the sendmail executable path
> $sendmail_exe = '/path/to/sendmail/sendmail.exe -t';
> //send the encrypted_body.txt
> exec($sendmail_exe . ' < "/var/www/vhost/private/encrypted_body.txt"');
>
> encryption can occur from anyone (they use public key) to one with
> private key.
> This means that your client needs the private key and that the
> webserver needs the public one, you will need to export the public key
> from the keypair you will generate. (the keypair is the one you will
> have protected with a password)
> Don't end up storing both the private and public keys on the server or
> this reduces to a dictionary attack on the keypair to get hold of the
> private key. Also this means your client should choose a _strong_
> password to encrypt the pair, and definitely NOT his/her POP or SMTP
> password!!!
> The subject is always sent in plain text.
> If you decide to sign and encrypt, which isn't needed, you will need to
> make sure that the email comes from the email address associated with
> the public key, so you don't get weird errors.
>
> Of course you can do this differently, using GNU Privacy Guard.
> Encrypt the body, and send over normal mail; the email client will
> need something like Enigmail / a GPG addon. Easy on Thunderbird.
> I prefer certs as they are just cooler, and don't require special
> client functionality. If you decide to go with Thawte, pick a decent
> bit length for your cert and try not to use the same password to
> protect the key pair as you do to log onto Thawte itself, or Firefox/
> IE might save a copy of this.
>
> Personally I use an encrypted password database from SourceForge: http://keepass.sourceforge.net/
> or http://passwordsafe.sourceforge.net/
> to store passwords associated with certs.
Thanks for this thorough response. We have bought a 128-bit SSL cert
from Thawte for our HTTPS. Will this suffice? I'm so new to this, I
hope I'm asking the right questions. - Dave
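An added worked version of the openssl_pkcs7_encrypt approach in the quoted reply (my own example, not code from the thread or from the PHP manual): before encrypting it checks that the recipient certificate is unexpired and actually issued to the address being mailed, keeps the plaintext only in an owner-only temp file that is overwritten afterwards, and uses AES rather than the RC2 default. Paths, addresses and the message body are placeholders; the AES constant needs PHP 5.4 or newer, and older builds can use OPENSSL_CIPHER_3DES instead.

```php
<?php
// Added example, not from the thread. Paths, addresses and body are placeholders.
// OPENSSL_CIPHER_AES_256_CBC needs PHP 5.4+; older builds can use OPENSSL_CIPHER_3DES.
function checkRecipientCert($pem, $email) {
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new RuntimeException('not a parseable X.509 certificate');
    }
    if ($info['validTo_time_t'] < time()) {
        throw new RuntimeException('recipient certificate has expired');
    }
    $subj = isset($info['subject']['emailAddress']) ? $info['subject']['emailAddress'] : '';
    $san  = isset($info['extensions']['subjectAltName']) ? $info['extensions']['subjectAltName'] : '';
    // Only encrypt to a certificate actually issued to the recipient address
    if (strcasecmp($subj, $email) !== 0 && stripos($san, 'email:' . $email) === false) {
        throw new RuntimeException("certificate is not issued to $email");
    }
}

function sendEncrypted($to, $from, $subject, $body, $certPath) {
    $pem = file_get_contents($certPath);
    checkRecipientCert($pem, $to);
    // tempnam() creates the files with mode 0600, so only the web server user can read them
    $plain = tempnam(sys_get_temp_dir(), 'pt');
    $enc   = tempnam(sys_get_temp_dir(), 'ct');
    file_put_contents($plain, $body);
    $ok = openssl_pkcs7_encrypt($plain, $enc, $pem,
        array('To' => $to, 'From' => $from, 'Subject' => $subject),
        0, OPENSSL_CIPHER_AES_256_CBC);
    // Overwrite and remove the plaintext whether or not encryption worked,
    // so card numbers never sit on disk next to the web root
    file_put_contents($plain, str_repeat("\0", strlen($body)));
    unlink($plain);
    if (!$ok) {
        unlink($enc);
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // The output is a complete MIME message, so sendmail -t takes the
    // recipients from its headers. The Subject line stays in clear text.
    exec('/usr/sbin/sendmail -t < ' . escapeshellarg($enc), $out, $rc);
    unlink($enc);
    return $rc === 0;
}

sendEncrypted('client@example.com', 'webserver@example.com', 'Your order',
    "Order reference: ORDER-PLACEHOLDER\n", '/etc/ssl/clients/client_cert.pem');
```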