On 9/26/06, Richard Cooper <[EMAIL PROTECTED]> wrote:
> Is this a worthwhile positive step?

Honestly... no. If it was, everyone would do it. All you've done is make the hacker work just a little harder, and it's clearly nowhere near anything regarded as an acceptable practice.

Let me guess: the client wants the sales info dropped conveniently in their inbox? Telling them how crazy-stupid this is didn't resonate?

I think it was pointed out somewhere in this thread that storing cc numbers at all is a violation of the merchant's card use agreement. If they are just going to do it anyway, make sure you are covered from the lawsuits that are likely to spring out of this horrible idea.

On 9/25/06, Jon Clausen <[EMAIL PROTECTED]> wrote:
> <cfscript>
> key1 = myUniversalKey;
> key2 = customerSpecificKey;
> theKey = hash(key1 & key2);
> algorithm = "AES";
> cardStored = encrypt(ccNumber,theKey,algorithm);
> doSomething(cardStored);
> </cfscript>

I don't understand what this is accomplishing, with respect to splitting up the keys. If this has to be used to encrypt and decrypt, then the keys are stored on the server, and you have gained none of the benefits of asymmetric keys (which are that the decryption key is not on the server at all and thus can't be swiped and used to decrypt the data).

--
[EMAIL PROTECTED]
Janitor, MSB Web Systems
mysecretbase.com

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254218
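
The contrast drawn in the reply above, as an added example that is not part of the original thread and is not ColdFusion code from either poster: a key rebuilt from two server-side values decrypts on the server, while a public-key design leaves the server unable to read what it stored. It assumes the `openssl` command-line tool; the file names, the `cust42` value and the test card number are constructed, and a passphrase-based AES call stands in for the quoted `hash(key1 & key2)`.

```bash
#!/usr/bin/env bash
# Added illustration; file names, key strings and the card number are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PAN='4111111111111111'   # well-known test number, not a real card

# Quoted design: key1 and key2 both live on the server, so the server
# (or anyone who reads its code and config) can rebuild the key and decrypt.
# A passphrase-based AES call stands in for hash(key1 & key2) here.
symmetric_roundtrip() {
  the_key="myUniversalKey$1"
  printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -pass "pass:$the_key" -out "$WORK/sym.bin"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$the_key" -in "$WORK/sym.bin"
}

# Asymmetric design, step 1 (done once, away from the web server).
make_keys() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/offline_private.pem" 2>/dev/null
  openssl pkey -in "$WORK/offline_private.pem" -pubout -out "$WORK/server_public.pem"
}

# Step 2: the web server holds only server_public.pem; it can store, not read.
server_encrypt() {
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$WORK/server_public.pem" \
    -pkeyopt rsa_padding_mode:oaep -out "$WORK/card.bin"
}

# Decryption with only what the server holds: must fail (non-zero exit).
server_decrypt_attempt() {
  openssl pkeyutl -decrypt -pubin -inkey "$WORK/server_public.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/card.bin" 2>/dev/null
}

# Step 3: the back-office machine is the only place the private key exists.
offline_decrypt() {
  openssl pkeyutl -decrypt -inkey "$WORK/offline_private.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/card.bin"
}

make_keys
server_encrypt "$PAN"
echo "symmetric, on server:  $(symmetric_roundtrip cust42 "$PAN")"
if server_decrypt_attempt >/dev/null; then
  echo "asymmetric, on server: decrypted (unexpected)"
else
  echo "asymmetric, on server: cannot decrypt, no private key present"
fi
echo "asymmetric, offline:   $(offline_decrypt)"
```

In this demo both key files sit in one temporary directory; in a real deployment `offline_private.pem` would never be copied to the web server.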

