I want to use the mcrypt functions to encrypt credit card numbers for storage in a MySQL database, which mcrypt does admirably:

    $key = "this is a secret key";
    $input = "Let us meet at 9 o'clock at the secret place.";
    // Random IV sized for the chosen cipher and mode
    $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);
    // Encrypt in CBC mode, then base64-encode the result for storage
    $encrypted_data = base64_encode(@mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $input, MCRYPT_MODE_CBC, $iv));

The trouble is - the key and the IV. Both of these have to be available in the merchant's administration for retrieval of the credit card, thus need to be stored somewhere - most likely on the server or in a database.

Here is the problem - if someone gets to the database and retrieves the encrypted credit card, the chances are that they are able to also retrieve the script that did the encryption, thus find out where the key and IV are stored, making it simple to decrypt the credit card for them.

The only solution that I can see is to use asymmetric encryption and have the merchant enter the decryption key at the time of credit card retrieval - but that is unrealistic from a user interface point of view.

So - the only other thing that I can see to do is have a compiled program, bound to the server, that has the key compiled into the program. I am not a C programmer - so this is also not exactly possible.

Does anyone else have any answers or has anyone else run into this? Is this just a general problem with doing encryption through PHP as opposed to a compiled binary? Can anyone suggest a solution to this problem?

Thanks :)

--
Cheers

Mike Morton

****************************************************
*
* E-Commerce for Small Business
* http://www.dxstorm.com
*
* DXSTORM.COM
* 824 Winston Churchill Blvd,
* Oakville, ON, CA L6J 7X2
* Tel: 905-842-8262
* Fax: 905-842-3255
* Toll Free: 1-877-397-8676
*
****************************************************

"Indeed, it would not be an exaggeration to describe the history of the computer industry for the past decade as a massive effort to keep up with Apple."
- Byte Magazine

Given infinite time, 100 monkeys could type out the complete works of Shakespeare. Win 98 source code? Eight monkeys, five minutes.
-- NullGrey

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
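
The asymmetric arrangement raised in the message above, sketched with PHP's OpenSSL extension as an added example that is not part of the original post: the web server holds only the public key, and the private key is kept encrypted under a passphrase the merchant types at retrieval time. The function names, the passphrase and the test card number are constructed for illustration.

```php
<?php
// Added example; all names and values are constructed for illustration.
// One-time setup, run away from the web server: create the merchant's key pair.
function make_merchant_keypair(string $passphrase): array
{
    $pair = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    if ($pair === false) {
        throw new RuntimeException('key generation failed');
    }
    // The private key leaves this function only in passphrase-encrypted form.
    if (!openssl_pkey_export($pair, $privatePem, $passphrase)) {
        throw new RuntimeException('private key export failed');
    }
    return [openssl_pkey_get_details($pair)['key'], $privatePem];
}

// Web server: holds the public key only, so it can encrypt but never decrypt.
function encrypt_card(string $cardNumber, string $publicPem): string
{
    if (!openssl_public_encrypt($cardNumber, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($cipher); // text-safe for a database column
}

// Merchant administration: the passphrase is typed at retrieval time, never stored.
function decrypt_card(string $stored, string $privatePem, string $passphrase): string
{
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    if ($key === false) {
        throw new RuntimeException('wrong passphrase or damaged key');
    }
    if (!openssl_private_decrypt(base64_decode($stored), $plain, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

[$pub, $priv] = make_merchant_keypair('constructed passphrase');
$row = encrypt_card('4111111111111111', $pub); // constructed test number
var_dump(decrypt_card($row, $priv, 'constructed passphrase') === '4111111111111111');
try {
    decrypt_card($row, $priv, 'not the passphrase');
} catch (RuntimeException $e) {
    echo 'database and script alone: ', $e->getMessage(), "\n";
}
```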