Hi Jamie, Essentially, the same principles apply in your case as the one I've outlined below - if credit card details are stored online and encrypted/decrypted using a key which is stored anywhere at all on your web server, anyone who compromises your server will have all the information they need to work out how to decrypt them. The only secure methods are a) don't store credit card details online, or b) encrypt them using a public-private key method, where the private key is stored completely offline and manual intervention by an administrator is required to perform decryption.
That link again: http://developer.perthweb.com.au ;) While I'm plugging the hell out of our products, we also have a Windows desktop decryption program, which is useful if you want to encrypt order details and email them to someone for offline processing. Kind of like PGP, but much much cheaper :) K. -- Kay Smoljak http://kay.smoljak.com > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf > Of Jamie Lawrence Jenner > Sent: Wednesday, 21 April 2004 5:15 PM > To: CFAussie Mailing List > Subject: [cfaussie] RE: Credit Card Encryption > > hello, > > I am creating an e commerce site at present and it allows the > public to > buy items from numerous shops. The users card details will > then be stored > online for 30 days, in which time, all retailers which the > customer bought > from are then allowed access to the credit card details to bill the > customer. Once all the retailers have billed the customer the > credit crad > details are destroyedimmediately. All of the credit card details are > stored within a seperate dsn and the site is ssl secured, but > i will also > need to encrypt them. What will be the most efficient way to > encrypt them > and how do i encrypt them? > > cheers in advance > > Jamie > > > Well, while I'm on the topic... :) > > > > Basically, if you're using a symmetrical encryption scheme > (that is, the > > same key is used to encrypt and decrypt the credit card > numbers), it is NOT > > secure. It's just too easy to break, and you need to store > the key somewhere > > on the server in order to encrypt and decrypt. The same > principle applies to > > complex obscufication systems (is that a word?) - if > someone compromises > > your server, they have ALL the information they need to > decrypt those credit > > card numbers. > > > > If, on the other hand, you use an asymmetric encryption > scheme - that is, a > > public key, which can be known to anyone, is used to > encrypt the data, and a > > private key, kept safe, offline and absolutely secure, is > used to decrypt > > the data - that *is* secure. If your server is compromised, > the attacker > > still does not have your private key, so they cannot > decrypt the data. > > Through the magic of the scheme, the private key cannot be > determined from > > either the public key OR the encrypted data. It's what PGP > is based on. > > > > The catch is, of course, that in order to perform the > decryption, a human > > needs to be on hand to enter the private key. If, as you > say, it's a monthly > > occurrence, then that's perfect. An admin logs in once a > month, enters the > > key over an SSL connection, and initialises the decryption > and processing > > process. The private key and decrypted numbers are never > stored anywhere > > except in the server's memory. > > > > Our CardCrypt CFX tag does 512, 1024 and 2048 bit > encryption. I had some > > stats once about the security of this - I can't find it > right now, but > > essentially a 512 bit RSA key was broken in a competition a > few years ago. > > It took a team of scientists in several different countries > seven solid > > months of processing on a whole bunch of computers. That > was a 512 bit key, > > and 1024 bit is exponentially harder to break. Your average > hacker is not > > going to do that for a simple credit card number :) > > > > If you want a simpler ordering system where the details are > encrypted and > > emailed to someone for processing, we also have a little > standalone Windows > > utility that allows you to enter your keys and decrypt bits > of text. Really > > handy... > > > > K. > > > > -- > > Kay Smoljak > > http://kay.smoljak.com --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia http://www.mxdu.com/ + 24-25 February, 2004
