> When Apache is serving an SSL connection, I assume that everything
> sent back and forth between the server and the client is encrypted.
> I want a mod_perl script to encrypt/decrypt credit card numbers
> obtained over the SSL connection for storage in a db on the server.
> Is there any access to the same routines that Apache is using for the
> encryption, or do I have to use some other module?  If I have to use
> another module, what would be a good choice?

You could use either an asymmetric cipher or a symmetric cipher.

An example of the former is Crypt::RSA (Crypt::DSA is another, but DSA is
used only for signing/verification, not for encryption/decryption).

A good, fast example of the latter is Crypt::Blowfish. Used together with
Crypt::CBC, you get Blowfish in CBC mode:

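    use Crypt::CBC;
    # Legacy positional form: passphrase first, then the cipher name.
    my $cipher = Crypt::CBC->new('passphrase', 'Blowfish');
    my $ciphertext = $cipher->encrypt('data');      # binary ciphertext
    my $plaintext = $cipher->decrypt($ciphertext);  # 'data' again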

In other words, you use the same passphrase to both encrypt and decrypt the
data (i.e. symmetric).

Personally, I think I'd use a symmetric cipher, but the thing you have to be
careful of is leaving your passphrase around in plain text (e.g. in a
script). Doing this negates many of the benefits of encrypting the data in
the first place. :) Sadly I'm not sure of the best answer to this dilemma.

bye,
Ben
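
One way to keep the passphrase out of the script itself, as an added example that is not part of the original message: read it from an owner-only file and refuse to start if the file's permissions are looser. The helper names `load_passphrase` and `make_cipher`, the temporary key file and the test card number are all constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::CBC;               # needs Crypt::Blowfish installed as well
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Read the passphrase from a file instead of a string literal in the script.
# Refuse to continue if anyone other than the file's owner can access it.
sub load_passphrase {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    my $mode = S_IMODE($st[2]);
    die sprintf("%s has mode %04o: group/other bits are set\n", $path, $mode)
        if $mode & 0077;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my $pass = <$fh>;
    close($fh);
    chomp $pass if defined $pass;
    die "$path holds no passphrase\n" unless defined $pass && length $pass;
    return $pass;
}

# Build the cipher once (for example at server startup) and reuse it.
sub make_cipher {
    my ($key_file) = @_;
    return Crypt::CBC->new(-key    => load_passphrase($key_file),
                           -cipher => 'Blowfish');
}

# Demo with a constructed key file and a constructed test card number.
unless (caller) {
    my ($fh, $key_file) = tempfile(UNLINK => 1);   # File::Temp creates it 0600
    print $fh "constructed demo passphrase\n";
    close($fh);

    my $cipher = make_cipher($key_file);
    my $stored = $cipher->encrypt_hex('4111111111111111');  # value for the DB
    print "stored:    $stored\n";
    print "recovered: ", $cipher->decrypt_hex($stored), "\n";

    chmod 0644, $key_file;                         # simulate a sloppy deployment
    eval { make_cipher($key_file) };
    print "rejected:  $@" if $@;
}
```

This moves the secret out of the source tree and out of anything that copies the script around; any process running as the file's owner can still read it.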
