Hey, I'm not trying to be hard on ya. But this is a big issue. After all, even Microsoft now wants to actually care about security :)
----- Original Message -----
From: "Bill Davidson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Sunday, January 27, 2002 9:03 PM
Subject: Re: Best way to store credit cards in database?

> Tell me how you really feel...
>
> Forget it - buy $16,000 PGP encryption software, or just leave your tables
> split. ksuh is king of all cryptology.
>
> -Bill
> brainbox
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Sunday, January 27, 2002 4:57 PM
> Subject: FW: Best way to store credit cards in database?
>
>
> > >Ok, got your point on encryption algorithms. Public encryptions scare me,
> > >as at least they offer hints as to how they're done, making TRUE hackers one
> > >step closer to knowing where to look to find the key, or what the basis of
> > >the algorithm is.
> >
> > Wrong.
> >
> > You can think about what makes a good encryption scheme as:
> >
> > Give everybody the plans to your encryption method.
> > Give everybody the means to use your encryption method.
> >
> > If they can't break your encryption even if they know all this, then you've
> > come up with a (somewhat) secure scheme.
> >
> >
> > >However, before getting overly complicated, you could at least do some level
> > >of your own encryption without a lot of research that would prevent the lazy
> > >hacker from just ripping off your credit card numbers. Splitting them in
> > >two tables is not all that difficult to figure out.
> >
> > NEVER EVER make your own encryption scheme. How is a half-assed encryption
> > scheme better than no encryption at all (and trust me, NO ONE on this list
> > could even make a half-assed encryption scheme, let alone something that was
> > solid)? And are you hoping that only "lazy" hackers attack your system?
> >
> > >If someone wants them
> > >bad enough, they're still going to get them... Having access to your
> > >database is one thing, getting access to your encryption code, even if it is
> > >very basic, is at least one larger step towards deterrence.
> >
> > If your encryption is "basic" then a hacker won't need your encryption code.
> > A brute-force attack will decrypt it in a matter of seconds.
> >
> > You're missing the point of encryption. Yes, all encryption schemes are
> > breakable. It's how long it takes to decrypt it before the encrypted
> > information becomes useless. If it takes a hacker 100 years to decrypt your
> > CC numbers, you're doing fine, because all the users of those credit cards
> > will be dead and hence those CC numbers will be invalid.
> >
> > >As far as CFENCRYPT, I meant public in the fact that you can use CFDECRYPT
> > >to decrypt the values.
> >
> > All good encryption schemes have their method of decryption as public. All
> > bad encryption schemes have their method of decryption as private.
> >
> > -Bill
> > brainbox
> >
> > ----- Original Message -----
> > From: "Dave Watts" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Sunday, January 27, 2002 1:18 PM
> > Subject: RE: Best way to store credit cards in database?
> >
> >
> > > > Roll your own encryption. I remember awhile back some
> > > > posted their algorithm for encryption in CF, and it
> > > > seemed pretty solid. If you use your own encryption
> > > > scheme, it would be a lot harder for a hacker to decrypt
> > > > the CC number.
> > >
> > > Yikes! I'd strongly recommend against writing your own encryption
> > > algorithms, unless you're Bruce Schneier or the like. A good,
> > > publicly-examined algorithm is your best bet. There's a reason why the
> > > government takes so long to approve an encryption algorithm - public
> > > examination by experts is the best way to find flaws within the algorithm.
> > >
> > > Here's a good quote on the subject:
> > > http://www.counterpane.com/crypto-gram-9810.html#cipherdesign
> > >
> > > > Using a public standard (like cfencrypt) is not a
> > > > very good solution.
> > >
> > > The problem with CFENCRYPT isn't that it's a public standard, but rather
> > > that it uses a relatively weak encryption strength (that, along with the
> > > fact that the key is probably stored somewhere within the application code
> > > or environment).
> > >
> > > Dave Watts, CTO, Fig Leaf Software
> > > http://www.figleaf.com/
> > > voice: (202) 797-5496
> > > fax: (202) 797-5444
> > >
> > >
> ______________________________________________________________________
> Get Your Own Dedicated Windows 2000 Server
> PIII 800 / 256 MB RAM / 40 GB HD / 20 GB MO/XFER
> Instant Activation · $99/Month · Free Setup
> http://www.pennyhost.com/redirect.cfm?adcode=coldfusionb
> FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
> Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
> Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
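The advice running through the thread (use a public, examined algorithm; keep the key out of the application code) as an added example that is not part of any of the quoted messages: card numbers stored with AES-256-GCM from Go's standard library, with the key supplied by the caller (assumed to be loaded from a secrets store at start-up) and the last four digits bound in as associated data. The function names, the row layout and the PAN length check are my own assumptions, not anything from the thread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// newAEAD builds AES-256-GCM from a caller-supplied 32-byte key (assumed to
// be loaded at start-up from a secrets store, never kept in source code).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptCard returns what the row stores: the last four digits for display
// and base64(nonce || ciphertext || tag); last4 is bound in as associated data.
func EncryptCard(key []byte, pan string) (last4, blob string, err error) {
	aead, err := newAEAD(key)
	if err != nil || len(pan) < 13 {
		return "", "", errors.New("bad key or PAN length")
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	last4 = pan[len(pan)-4:]
	sealed := aead.Seal(nonce, nonce, []byte(pan), []byte(last4))
	return last4, base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptCard returns the PAN, or an error when the key is wrong or the row
// (blob or last4) was altered: the GCM tag check fails instead of returning garbage.
func DecryptCard(key []byte, last4, blob string) (string, error) {
	aead, err := newAEAD(key)
	raw, derr := base64.StdEncoding.DecodeString(blob)
	if err != nil || derr != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("bad key or malformed record")
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(last4))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

A wrong key, a ciphertext moved to another row, or a changed last4 column all make DecryptCard return an error rather than a plausible-looking wrong number.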