Matt,

First of all, let me re-iterate what I said earlier in reply to the original post - that I think storing the cards in the database in any method is a bad idea.
The idea, in my example, is that one of the keys, the "customerSpecificKey", can be stored in the database (i.e. the user's login id) and one key can be protected within the application codebase (the universal key) using private methods in CFCs or a sourceless deploy of the template containing the universal key. It's a "poor man's" form of asymmetric encryption. To your point, though, asymmetric encryption using PGP, GNUPG, or another alternative would be an even more secure way to go if you have full access to the server.

Jon

On Sep 26, 2006, at 10:39 AM, Matt Robertson wrote:

> On 9/25/06, Jon Clausen wrote:
>> <cfscript>
>> key1 = myUniversalKey;
>> key2 = customerSpecificKey;
>> theKey = hash(key1 & key2);
>> algorithm = "AES";
>> cardStored = encrypt(ccNumber,theKey,algorithm);
>> doSomething(cardStored);
>> </cfscript>
>
> I don't understand what this is accomplishing, with respect to
> splitting up the keys. If this has to be used to encrypt and decrypt,
> then the keys are stored on the server, and you have gained none of
> the benefits of asymmetric keys (which are that the decryption key is
> not on the server at all and thus can't be swiped and used to decrypt
> the data).

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254263
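The following is an added example, written by the editor and not code from Jon, Matt or the CF-Talk thread, that puts the two positions above side by side in Go rather than CFML so both can be run. Scheme 1 is Jon's split key: a single symmetric key derived from the universal key (code base) and the customer-specific key (database), with SHA-256 standing in for ColdFusion's hash() and AES-GCM standing in for the bare "AES" algorithm string. Scheme 2 is what Matt describes: the web server holds only an RSA public key and encrypts with RSA-OAEP, while the private key lives on a separate system that is never the web server (RSA-OAEP here stands in for the PGP/GnuPG route Jon mentions). The function names, the separator byte in the derivation, the OAEP label and the 4111... card number are all assumptions of this example; the card number is a constructed test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Scheme 1: the split-key idea from the thread. Both halves (the universal
// key in the code base and the customer-specific key in the database) live
// on the same server, so whoever can read that server can recompute theKey.
// SHA-256 stands in for ColdFusion's hash(); the zero separator byte is an
// addition here so that ("ab","c") and ("a","bc") do not derive the same key.
func deriveSplitKey(universalKey, customerKey string) []byte {
	h := sha256.New()
	h.Write([]byte(universalKey))
	h.Write([]byte{0})
	h.Write([]byte(customerKey))
	return h.Sum(nil) // 32 bytes: used directly as an AES-256 key
}

// aesGCMEncrypt seals plaintext under key with a fresh random nonce and
// returns nonce || ciphertext || tag.
func aesGCMEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMDecrypt reverses aesGCMEncrypt; a wrong key fails authentication.
func aesGCMDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Scheme 2: what Matt describes. The web server is given only the public
// key; the private key is generated and kept on a separate system and is
// never copied to the web server, so a compromise there yields blobs the
// attacker cannot open.
var oaepLabel = []byte("card-number") // assumed label; binds the blob to this use

func encryptForOfflineHolder(pub *rsa.PublicKey, card string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(card), oaepLabel)
}

func decryptOffline(priv *rsa.PrivateKey, blob []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	const card = "4111111111111111" // constructed test number, not a real card

	// Scheme 1: decrypting needs nothing the web server does not already hold.
	sealed, _ := aesGCMEncrypt(deriveSplitKey("universal-key", "user42"), []byte(card))
	recovered, err := aesGCMDecrypt(deriveSplitKey("universal-key", "user42"), sealed)
	fmt.Printf("split key, both halves on the server: %s (err=%v)\n", recovered, err)

	// Scheme 2: only the private-key holder, not the web server, can decrypt.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // generated off the web server in practice
	blob, _ := encryptForOfflineHolder(&priv.PublicKey, card)
	back, err := decryptOffline(priv, blob)
	fmt.Printf("RSA-OAEP, private key held elsewhere: %s (err=%v)\n", back, err)
}
```

The point the two halves make together: in scheme 1 the decrypt call succeeds using exactly the two inputs that sit on the web server, so hashing them together changes nothing about who can read the stored cards; GCM rejecting a wrong customer half shows the derivation is deterministic, not that the scheme protects anything. In scheme 2 the web server can only ever encrypt, which is the property Matt is after, but it still handles the card number in memory at encryption time, and the private key now needs its own custody and backup story. Neither scheme alters Jon's opening point that not storing the cards at all is the safer design.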

