At 01:18 PM 1/27/02 -0500, you wrote: > > Roll your own encryption. I remember awhile back some > > posted their algorithm for encryption in CF, and it > > seemed pretty solid. If you use your own encryption > > scheme, it would be a lot harder for a hacker to decrypt > > the CC number. > >Yikes! I'd strongly recommend against writing your own encryption >algorithms, unless you're Bruce Schneier or the like. A good, >publicly-examined algorithm is your best bet. There's a reason why the >government takes so long to approve an encryption algorithm - public >examination by experts is the best way to find flaws within the algorithm. > >Here's a good quote on the subject: >http://www.counterpane.com/crypto-gram-9810.html#cipherdesign > > > Using a public standard (like cfencrypt) is not a > > very good solution. > >The problem with CFENCRYPT isn't that it's a public standard, but rather >that it uses a relatively weak encryption strength (that, along with the >fact that the key is probably stored somewhere within the application code >or environment).
Something that people need to understand about encryption is that the algorithm may not seem to have flaws to a novice but has huge flaws to an expert. My best friend specializes in cryptography. (He's a security admin and gives encryption lectures, although he lectures on a small scale.) There are many tools that can decrypt your encrypted information without access to the encryption or decryption scheme. If your encryption algorithm isn't strong enough to stand up to those publicly available decryption tools, encryption is not going to stop someone who has a clue about decryption. There are tools available that combine the other tools and you just plug in the information and let it do the work for you. The best bet for storing credit cards in a database is public/private key encryption with the private key stored on a different computer, preferably behind a serious firewall. It does not matter that the encryption scheme is public-- it stands up to the hacking tools. The encryption can be broken, but it takes such a huge number of hours of computer processing that it makes it too expensive to be worth a hacker's time. This is really the issue with any encryption scheme. Any scheme can eventually be broken by a computer-- the question is how many hours of processing time will it take to break it. Keep in mind that the hacker can submit an order first and will then have data to compare against in the database, making it easier to detect when the scheme has been broken. The worst thing you can do is underestimate how smart hackers really are. If they're really good and really smart, it still isn't worth their time to hack some encryption schemes. Now available in a San Francisco Bay Area near you! http://www.blivit.org/mr_urc/index.cfm http://www.blivit.org/mr_urc/resume.cfm ______________________________________________________________________ Why Share? Dedicated Win 2000 Server � PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER Instant Activation � $99/Month � Free Setup http://www.pennyhost.com/redirect.cfm?adcode=coldfusionc FAQ: http://www.thenetprofits.co.uk/coldfusion/faq Archives: http://www.mail-archive.com/[email protected]/ Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
