|
|
Posted by Richard Lynch on 02/07/05 20:31
Dan Trainor wrote:
> Daniel Bowett wrote:
>> Is there any way I can use public/private key encryption in php in a
>> similar way to mcrypt.
>>
>> I have got php encrypting the data using gnugp but need to automate the
>> decrytping element which is proving difficult because of the way the
>> password is passed.
>>
>
> While Daniel has brang up the subject of encryption, and I know that the
> other day we were talking about storing CC numbers in a database - i
> don't think we touched on storing CCs encrypted with a gpg-stype
> encryption. Is this generally acceptable at all, or do you developers
> still not store CC numbers in any way, shape or form in a database?
I wouldn't store them at all.
If you encrypt them with a two-way algorithm, the private key is your weak
link.
SOMEBODY can always find a way to get to that private key.
You have to invest a TON of money and resources to make it SOOOO difficult
to get to the private key, that it's easier/cheaper for the Bad Guys to
get people's credit card numbers some other way.
If you are using one-way encryption, then you're only using it to verify
that somebody has access to that CC number, and you might as well use a
password the user can choose/change -- with suitable restrictions on the
quality of that password -- rather than risk transmitting the CC #
needlessly.
You need a REALLY good reason, and a REALLY REALLY REALLY good security
audit of your entire process, on a routine basis, with all software,
hardware, physical access, network access, under close-up scrutiny if you
store CC numbers in the database.
That's a reason why almost nobody does it, and a reason why we all just
let the banks/merchant-vendors worry about that stuff.
Sometimes it really is best to let a specialist handle things.
This is one of those times.
--
Like Music?
http://l-i-e.com/artists.htm
Navigation:
[Reply to this message]
|