David Green wrote:
> On storing the information, I need to store the information in my table
> after I have passed the text field through the cfx tag which will return an
> encrypted text variable. I then store that value and the private key to my
> table. Then any time I need the data I run it back through the cfx_text
> tag with the private password or do I create new keys?
Hi David,

You first need to understand the concepts of asymmetric encryption (ie, using two different keys). I wish I had a good link for this - maybe I should create one :)

Firstly, I'm not sure that your situation calls for a tag like TextCrypt. If you want your users to submit data, which is then encrypted and stored so that only an administrator can decrypt it (ie, you) then the tag suits your needs. If you want people to be able to decrypt their own data at will (ie to edit or view it) then what you need is either just an SSL certificate (to protect the data while it's being transmitted) and perhaps a symmetric encryption scheme such as the one built into CF (ie, the same key is used to encrypt and decrypt the data, more like a password).

Basically, in asymmetric encryption a key pair is generated which always go together. The private key must always stay private. That means you don't even store it on the server or in the database, on your own machine only and even then only if you trust that keeps it secure. The matching public key can be stored on the server or indeed anywhere, as anything encrypted with it can ONLY be decrypted using the private key, and the private key CANNOT be determined using the public key. If you lose your private key OR your public key, you're out of luck.

A 512 bit RSA key was broken (http://www.cw.com.hk/Features/f990831002.htm) by a team of scientists using 292 individual computers at 11 different sites around the world. It took them seven months. A 1024 bit key (the recommended minimum) is exponentially more difficult to factor.

All data is encrypted using the public key. It can then be decrypted using the private key. The way I usually do this on sites is to have an SSL-protected admin area, where the administrator can log in, enter his private key (paste it into a form, it's about 300 characters for a 1024 bit key) which is then saved as a session variable.
The idea is that the private key and any decrypted data is never stored anywhere except in the server's memory.

Wow, this has been a long post. If it sounds like overkill for what you want to protect, it probably is :) I've only ever used it for credit card numbers. If you don't think it's overkill and you have any more questions, please fire away (my email is [EMAIL PROTECTED]).

Kay.
(I work for PerthWeb)

