Hello, I am creating an e-commerce site at present and it allows the public to buy items from numerous shops. The users' card details will then be stored online for 30 days, in which time all retailers which the customer bought from are allowed access to the credit card details to bill the customer. Once all the retailers have billed the customer, the credit card details are destroyed immediately. All of the credit card details are stored within a separate DSN and the site is SSL secured, but I will also need to encrypt them. What will be the most efficient way to encrypt them, and how do I encrypt them?
Cheers in advance,
Jamie

> Well, while I'm on the topic... :)
>
> Basically, if you're using a symmetrical encryption scheme (that is, the same key is used to encrypt and decrypt the credit card numbers), it is NOT secure. It's just too easy to break, and you need to store the key somewhere on the server in order to encrypt and decrypt. The same principle applies to complex obfuscation systems (is that a word?) - if someone compromises your server, they have ALL the information they need to decrypt those credit card numbers.
>
> If, on the other hand, you use an asymmetric encryption scheme - that is, a public key, which can be known to anyone, is used to encrypt the data, and a private key, kept safe, offline and absolutely secure, is used to decrypt the data - that *is* secure. If your server is compromised, the attacker still does not have your private key, so they cannot decrypt the data. Through the magic of the scheme, the private key cannot be determined from either the public key OR the encrypted data. It's what PGP is based on.
>
> The catch is, of course, that in order to perform the decryption, a human needs to be on hand to enter the private key. If, as you say, it's a monthly occurrence, then that's perfect. An admin logs in once a month, enters the key over an SSL connection, and initialises the decryption and processing process. The private key and decrypted numbers are never stored anywhere except in the server's memory.
>
> Our CardCrypt CFX tag does 512, 1024 and 2048 bit encryption. I had some stats once about the security of this - I can't find it right now, but essentially a 512 bit RSA key was broken in a competition a few years ago. It took a team of scientists in several different countries seven solid months of processing on a whole bunch of computers. That was a 512 bit key, and 1024 bit is exponentially harder to break. Your average hacker is not going to do that for a simple credit card number :)
>
> If you want a simpler ordering system where the details are encrypted and emailed to someone for processing, we also have a little standalone Windows utility that allows you to enter your keys and decrypt bits of text. Really handy...
>
> K.
>
> --
> Kay Smoljak
> http://kay.smoljak.com
>
> > Some transactions occur on a monthly basis and we need to store credit cards for future reference. We have encrypted the card numbers on entry to the DB, using a KEY value stored as an application variable in CF.
> >
> > As the KEY needs to be protected and not stored on the server, how can this be loaded into the application scope? Where would we store the KEY, outside of the server and also enabling CF to access it on application startup?
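The split Kay describes (the web server holds only a public key and can encrypt at order time; the private key stays offline and is entered once for the monthly billing run) is shown here as an added example in Go, not code from the thread or from the CardCrypt tag. It assumes a hybrid layout, which the thread does not spell out: each record gets its own AES-256-GCM key, and only that key is wrapped with RSA-OAEP, so records of any size can be stored and any alteration in storage is detected on decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)
// Envelope is one stored record: the card number under a fresh AES-256-GCM key,
// plus that key wrapped with the billing team's RSA public key (RSA-OAEP).
type Envelope struct {
	WrappedKey []byte // only the offline private key can unwrap this
	Nonce      []byte // GCM nonce, fresh per record
	Ciphertext []byte // card number plus GCM authentication tag
}
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// SealCard runs on the web server at order time with only the public key, so a compromised server cannot decrypt stored records.
func SealCard(pub *rsa.PublicKey, pan string) (Envelope, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key and 12-byte GCM nonce per record
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: aead(key).Seal(nil, nonce, []byte(pan), nil)}, nil
}
// OpenCard runs in the monthly billing job; the operator-supplied private key lives only in memory for that run.
func OpenCard(priv *rsa.PrivateKey, env Envelope) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return "", err // wrong key: the web server's public key cannot do this
	}
	pt, err := aead(key).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return "", err // ciphertext or nonce altered in storage
	}
	return string(pt), nil
}
```

Because OAEP and the per-record AES key are both randomised, sealing the same card twice stores different bytes, so the table gives no way to match records against each other.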
