Ok, got your point on encryption algorithms. Public encryptions scare me, as at least they offer hints on to how they're done, making TRUE hackers one step closer to knowing where to look to find the key, or what the basis of the algorithm is. Yeah, there are certainly good ones out there, thus I retract my blanket suggestion to roll your own. Dave's probably right.
However, before getting overly complicated, you could at least do some level of your own encryption without a lot of research that would prevent the lazy hacker from just ripping off your credit card numbers. Splitting them in two tables is not all that difficult to figure out. If someone wants them bad enough, they're still going to get them... Having access to your database is one thing, getting access to your encryption code, even if it is very basic is at least one larger step towards deterrence. As far as CFENCRYPT, I meant public in the fact that you can use CFDECRYPT to decrypt the values. -Bill brainbox ----- Original Message ----- From: "Dave Watts" <[EMAIL PROTECTED]> To: "CF-Talk" <[EMAIL PROTECTED]> Sent: Sunday, January 27, 2002 1:18 PM Subject: RE: Best way to store credit cards in database? > > Roll your own encryption. I remember awhile back some > > posted their algorithm for encryption in CF, and it > > seemed pretty solid. If you use your own encryption > > scheme, it would be a lot harder for a hacker to decrypt > > the CC number. > > Yikes! I'd strongly recommend against writing your own encryption > algorithms, unless you're Bruce Schneier or the like. A good, > publicly-examined algorithm is your best bet. There's a reason why the > government takes so long to approve an encryption algorithm - public > examination by experts is the best way to find flaws within the algorithm. > > Here's a good quote on the subject: > http://www.counterpane.com/crypto-gram-9810.html#cipherdesign > > > Using a public standard (like cfencrypt) is not a > > very good solution. > > The problem with CFENCRYPT isn't that it's a public standard, but rather > that it uses a relatively weak encryption strength (that, along with the > fact that the key is probably stored somewhere within the application code > or environment). > > Dave Watts, CTO, Fig Leaf Software > http://www.figleaf.com/ > voice: (202) 797-5496 > fax: (202) 797-5444 > ______________________________________________________________________ Get Your Own Dedicated Windows 2000 Server PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER Instant Activation � $99/Month � Free Setup http://www.pennyhost.com/redirect.cfm?adcode=coldfusionb FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/[email protected]/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
