At 02:54 AM 10/5/2001, you wrote:
>I am hoping that someone in this group may be able to help me. The company
>I work for is building a service-based ecommerce website. Because this site
>sells website space to other customers, I need to charge these customers
>monthly for the services we are providing. Therefore, I believe I am going
>to have to store the customer's credit card numbers in order to charge their
>cards every month for their continued use of our services.
While I haven't actually *used* it yet, a while back I wrote a Java custom
tag wrapper around the Cryptix Java encryption library (open source, free),
to allow me to perform RSA encryption on, well, whatever I want. Basic
idea goes like this...
*Setup (done once, lasts forever)*
  1. Website administrator logs into administration area over SSL connection
  2. Administrator clicks "make key pair"
  3. CFX_CRYPTIX makes an RSA key pair, I'm using 1024-bit, but that's configurable of course
  4. ColdFusion takes the key pair, it stores the private key in a cookie in the administrator's browser, the public key in the database
  5. Administrator is also shown the private key and asked to copy it into a text file as a backup in case the cookie is purged by browser (a "reload cookie" function is provided in the administration area)

*Encryption (when a Credit Card number is received)*
  1. The transaction is of course done over SSL, user sends CC details
  2. ColdFusion retrieves public key from database
  3. CFX_CRYPTIX takes public key and credit card number, encrypts with public key and returns encrypted string
  4. ColdFusion stores encrypted string in the database

*Decryption (when card number is needed)*
  1. Administrator logs into site (SSL again) and clicks "give me card details" (something like that :-))
  2. ColdFusion retrieves cookie containing private key
  3. CFX_CRYPTIX takes encrypted string, and private key, decrypts to plain text (credit card number in this case)
  4. ColdFusion displays credit card number (or does whatever else)

Like I said, I haven't actually used it in practice yet, but the tag does
work (I'm no security expert though).
See cryptix at http://www.cryptix.org/docs/faq.html
I'm not sure whether it is something I want to distribute (liability and all
that jazz), but if anybody is interested I'll think about it (if I do it'll
be free and open source).
----------
James Sleeman
Innovative Media Ltd
Phone: (03) 377 6262
http://www.websolutions.co.nz/
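
The setup, encryption and decryption steps described in the message above, as an added example that is not part of the original post and is not the CFX_CRYPTIX tag. It uses the JDK's built-in RSA provider instead of Cryptix; the class name `CardVault`, the Base64 key encoding, the 2048-bit key size and the OAEP padding are assumptions of this example, and the card number is a constructed test value.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;

public class CardVault { // hypothetical class name
    // OAEP padding is this example's choice; the post does not name a padding scheme.
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Setup: generate the pair once. The public half goes to the database,
    // the private half stays with the administrator.
    static KeyPair makeKeyPair(int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        return gen.generateKeyPair();
    }

    // Encryption: the web server only ever needs the stored public key.
    static String encrypt(String publicKeyB64, String cardNumber) throws Exception {
        PublicKey pub = KeyFactory.getInstance("RSA")
            .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(publicKeyB64)));
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, pub);
        return Base64.getEncoder().encodeToString(c.doFinal(cardNumber.getBytes(StandardCharsets.UTF_8)));
    }

    // Decryption: only possible with the private key the administrator supplies.
    static String decrypt(String privateKeyB64, String cipherB64) throws Exception {
        PrivateKey priv = KeyFactory.getInstance("RSA")
            .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(privateKeyB64)));
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, priv);
        return new String(c.doFinal(Base64.getDecoder().decode(cipherB64)), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = makeKeyPair(2048); // key size chosen for this example
        String pubB64 = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
        String privB64 = Base64.getEncoder().encodeToString(kp.getPrivate().getEncoded());
        String stored = encrypt(pubB64, "4111111111111111"); // constructed test card number
        System.out.println("stored in database: " + stored);
        System.out.println("round trip ok: " + decrypt(privB64, stored).equals("4111111111111111"));
    }
}
```

Because the padding is randomized, encrypting the same card number twice produces different stored strings, so equal ciphertexts in the database cannot be used to spot repeated cards.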