I agree. It is hardly worth the effort of storing a credit card
number for a customer if you can't run a transaction for the customer.
Also, I think Michael and Chad convinced me to do Java-domain
encryption. I think Chad said they had included the algorithms in
Java 6. However, I am now caught up in another sysadmin problem with
OSX and Java 6. (I can't get Java 6 to run yet). Still working on it.
Joe
On Feb 7, 2009, at 2:15 PM, Andrus Adamchik wrote:
One-way hashing works great for passwords (and is in fact THE way to
store passwords in the DB). It doesn't work for anything else, as
usually you do want to have access to the data you've encrypted.
Andrus
On Feb 7, 2009, at 8:50 PM, Dov Rosenberg wrote:
One of our customers who is big into security had a pretty good idea. Their concern was that if the sensitive data could be decrypted it was vulnerable and considered a security risk. They proposed using a one way encryption algorithm and then only comparing the hash values of the sensitive data - not the actual data itself. I am not certain which algorithm they were talking about.
Dov Rosenberg
On 2/7/09 12:08 PM, "Michael Gentry" <[email protected]> wrote:
Here it is:
http://people.apache.org/~mgentry/Security_Manifesto.pdf
Joe had a few questions off-the-list (about how to do a query on an
encrypted value) and I'll try to update it soon, but that's the
current version I have.
Comments appreciated, as always.
mrg