Posted by shimmyshack on 02/09/07 10:18
On 9 Feb, 05:36, "laredotorn...@zipmail.com"
<laredotorn...@zipmail.com> wrote:
> On Feb 8, 8:24 pm, "shimmyshack" <matt.fa...@gmail.com> wrote:
>
>
>
> > On 9 Feb, 00:54, "laredotorn...@zipmail.com"
>
> > <laredotorn...@zipmail.com> wrote:
> > > Hi,
>
> > > I'm trying to send emails that contain credit card numbers and so I
> > > would like to encrypt those emails. Knowing little about how this
> > > works, is there a PHP module out there that does this? I assume the
> > > client must have something installed on his email client to interpret
> > > the emails?
>
> > > I'm using PHP 4.4.4 with Apache 2.2.
>
> > > Thanks, - Dave
>
> > to do this you can use a public/private key pair.
> > Go ask your client to create one first at thawte (they must do this to
> > install the private key into their system, importing either into
> > thunderbird, (or "IE" so that outlook can use it)
> > Thawte offer freemail certs
>
> > You can use another method, once you have these and in a form where
> > they can be used by php.
>
> > check out the manual for openssl_pkcs7_encrypt, it has examples and
> > working code.
>
> > It's basically this:
> > make and save the file: body_of_email.txt
>
> > $public_key = file_get_contents("/var/www/vhost/private/public_cert.pem");
> >
> > openssl_pkcs7_encrypt(
> >     //body of email to be encrypted
> >     "/var/www/vhost/private/body_of_email.txt",
> >     //the output of this function will be saved to encrypted_body.txt
> >     "/var/www/vhost/private/encrypted_body.txt",
> >     //use the public key to encrypt, this email can be encrypted by anyone,
> >     //but only read by the one with the corresponding private key
> >     $public_key,
> >     //array to do with headers for the email that will be sent
> >     array(
> >         "To" => "client <client@needs_credit_card_info.org>",
> >         "From" => "webserver <php_scr...@server.com>",
> >         "Subject" => 'plain text unencrypted subject '),
> >     0,
> >     1);
> > //get the sendmail executable path
> > $sendmail_exe = '/path/to/sendmail/sendmail.exe -t';
> > //send the encrypted_body.txt
> > exec($sendmail_exe . ' < "/var/www/vhost/private/encrypted_body.txt"');
>
> > encryption can occur from anyone (they use public key) to one with
> > private key.
> > This means that your client needs the private key and that the
> > webserver needs the public one, you will need to export the public key
> > from the keypair you will generate. (the keypair is the one you will
> > have protected with a password)
> > Don't end up storing both the private and public keys on the server or
> > this reduces to a dictionary attack on the keypair to get hold of the
> > private key. Also this means your client should choose a _strong_
> > password to encrypt the pair, and definitely NOT his/her pop or smtp
> > password!!!
> > The subject is always sent in plain text.
> > If you decide to sign and encrypt, which isn't needed, you will need to
> > make sure that the email comes from the email address associated with
> > the public key, so you don't get weird errors.
>
> > Of course you can do this differently, using gnu privacy guard.
> > Encrypt the body, and send over normal mail, the email client will
> > need something like enigmail / gpg addon. Easy on thunderbird.
> > I prefer certs as they are just cooler, and don't require special
> > client functionality. If you decide to go with Thawte pick a decent
> > bit length for your cert and try not to use the same password to
> > protect the key pair as you do to log onto Thawte itself, or firefox/
> > ie might save a copy of this.
>
> > Personally I use an encrypted password database from sourceforge: http://keepass.sourceforge.net/
> > or http://passwordsafe.sourceforge.net/
> > to store passwords associated with certs.
>
> Thanks for this thorough response. We have bought a 128-bit SSL cert
> from Thawte for our HTTPS. Will this suffice? I'm so new to this, I
> hope I'm asking the right questions. - Dave
any key pair will do for encrypting data,
for instance:
ssh-keygen -t dsa -b 2048
will get you a pair,
the process at thawte takes you through the simple steps needed.
Recommend you listen to Steve talking about S/MIME
http://www.grc.com/sn/SN-037.htm
see the mp3 at the top, he explains it well, and from the point of
view of someone coming to grips with it.
Encryption of data is done using a temporary 128 bit key which is then
in turn encrypted using the larger slower 2048bit public key, the
encrypted 128bit key is then sent with the encrypted data, so the
receiver (the one with the private key) can decrypt the small 128bit
key and use that to decrypt the data.
128 is so called asynchronous - same key for both en- and decryption,
it's fast.
the key pairs are used merely to encrypt the encryption key which is
only a small string of characters, so even though the larger key is
slow, it's fast at encrypting such a small string. Later the other
large key from the pair decrypts the small 128bit string and that is
used.
I might have just repeated myself but anyway, go check out Steve and
then get yourself off to Thawte for a simple easy way to start
creating S/MIME, you can begin by using the certs inside your mail
client like outlook and thunderbird, requires no additional software,
only the import of the key.
Remember though the one who the key pair belongs to, will have the
private key installed in their email client so that they can decrypt
the data sent to them from your php script which uses the public key.
So you will have to get your client to install the key, and you might
find it easier to talk your client through the key making process on
thawte while they are on the machine they will be receiving the emails
from.
Also sending emails from one to the other is usually enough for the
email clients to become aware of the key they need to be using.
good luck, the podcast, for the 3rd time, is well worth it.