At 09:34 PM 06/26/2001 -0700, MRossland wrote:
>Hi all,
>
>Here's my goal: To take information via a form, encrypt it with a dual key
>encryption, and then write that encrypted message to a text file for later
>use. I also need to do this in such a way so that the server admins can't
>read it (I work for a credit union, and regulations are stiff).
>
>Does anyone have any advice on how I could go about encrypting the data? I've
>looked at PGP, and the various Perl modules, but the private key is coded
>into the script, and so admins could get at the data.
>
>I'm not sure that this is even possible :-(

I'm not sure if I'm misunderstanding what you're really trying to do, but
the private-key (in public-key encryption systems like PGP) has nothing to
do with the encryption of the message to the owner of the public-key. You
just have to keep your public-keyring on the server, and just encrypt your
data using that public-key. There are a few PGP modules on CPAN that you
could use to make this easier.

The only time you need the private key is when you need to DE-crypt the
message...and that doesn't involve the server at all, so there's no security
risk. AFAIK, you do have to create a "dummy" private-keyID that corresponds
to the public-key on your server (at least that's the only way I could get
it to work with PGP 2.6.x)

Of course, this doesn't apply if you want to send /signed/ encrypted
messages, as that requires the presence of the private-key during the
encryption phase. 

I run an online store for a conference & seminar recording company
(shameless plug - http://www.vwtapes.com), where we take SSL secured
orders, as well as encrypt the orders & credit card data on the server end.
The script then emails our ordering department with the same PGP encrypted
order, whereupon they simply decrypt the message right in their PGP-enabled
mail program. Easy as pie. 

It's so simple that I just can't understand why mega-million dollar
e-commerce sites continue to have credit-card database "hacks" on their
webservers. If a dorky cheap bastard who works for a mom & pop company like
me can do it, why can't they? We've gone 5 years without a single security
compromise...and looking at my server logs, it's definitely not because the
"script-kiddies" AREN'T trying.

This is all the more amazing, considering that our webstore is based on
Selena Sol's awful, Perl-4 based "Web Store" script :P  (I'm rolling out a
totally revamped and redesigned site, using PHP, so don't laugh at my site
as it is :)

Hope this helps...Aloha,
mel



__________________________________________________________
mel matsuoka                    Hawaiian Image Productions
Chief Executive Alphageek              (vox)1.808.531.5474
[EMAIL PROTECTED]                  (fax)1.808.526.4040
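
Added example, not part of the original message or the poster's own script: the server-side step described in the reply, written in Perl and using GnuPG's `gpg` command (an assumption; the thread itself mentions PGP 2.6.x and the CPAN PGP modules) with a keyring that holds only the public key. The paths, recipient ID and form fields are hypothetical placeholders.

```perl
#!/usr/bin/perl
# Added example: encrypt form data on the web server using only a public key.
use strict;
use warnings;
use IPC::Open2;
use Fcntl qw(:flock);

# Assumed, hypothetical values (not from the original thread):
my $HOMEDIR   = '/var/www/keys/pubonly';     # keyring with the public key only
my $RECIPIENT = 'orders@example.org';        # placeholder user ID of that key
my $OUTFILE   = '/var/www/data/orders.asc';  # ciphertext store

# Run gpg with list-form arguments (no shell), feed $input, return its stdout.
# gpg's stderr is inherited, so diagnostics land in the web server's error log.
sub run_gpg {
    my ($input, @args) = @_;
    my $pid = open2(my $out, my $in, 'gpg', '--homedir', $HOMEDIR,
                    '--batch', '--no-tty', @args);
    print {$in} $input;
    close $in;
    my $result = do { local $/; <$out> };
    waitpid($pid, 0);
    die "gpg exited with status " . ($? >> 8) . "\n" if $? != 0;
    return defined $result ? $result : '';
}

# Refuse to run if a secret key has been placed on the server.
sub assert_no_secret_key {
    my $listing = run_gpg('', '--list-secret-keys', '--with-colons');
    die "secret key found in $HOMEDIR\n" if $listing =~ /^sec:/m;
}

# Encrypt to the recipient's public key; no passphrase or private key involved.
sub encrypt_record {
    my ($plaintext) = @_;
    my $armored = run_gpg($plaintext, '--trust-model', 'always',
                          '--armor', '--encrypt', '--recipient', $RECIPIENT);
    die "unexpected gpg output\n"
        unless $armored =~ /\A-----BEGIN PGP MESSAGE-----/;
    return $armored;
}

# Constructed sample form submission.
my %form = (name => 'Test Member', account => '000000', note => 'sample only');
my $record = join('', map { "$_: $form{$_}\n" } sort keys %form);

assert_no_secret_key();
my $ciphertext = encrypt_record($record);
open(my $fh, '>>', $OUTFILE) or die "cannot open $OUTFILE: $!\n";
flock($fh, LOCK_EX) or die "cannot lock $OUTFILE: $!\n";
print {$fh} $ciphertext, "\n";
close($fh) or die "cannot close $OUTFILE: $!\n";
```

The plaintext record exists only in the script's memory for the duration of the request; anything that logs the raw form fields elsewhere on the server would undo the protection.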
