That's a pretty interesting way to go about it. I had developed
something very similar for storing account information (CC, ACH, etc.)
securely within a database. The only real difference was my use of
Rijndael (AES) over Blow/TwoFish. Crypt::CBC rocks. The problem I ran
into is that the key had to be somewhere that the java/ms/mp sites could
access in order to decode for the necessary functions... thus the birth
of an application server. Using a SOAP setup (wish Apache::SOAP worked
on mp2)... to do all of the passing back and forth. All of this to let
people donate money to a few things I run.
In the end, my little tool added some features like creating fixed
length one-way hashes to encrypt data of any length. This resolved
issues I had with unixcrypt and its strength for passwords of short
length and allowed for passphrases (40 character passwords anyone?) to
operate more cleanly. That part of the tool would be an excellent
replacement for the current Apache::AuthDBI... as it also has some bits
allowing users to reset their passwords, and other parts that allow for
account lockout. I've been thinking of adding some basic sessions stuff
in as well (maybe link to Apache::Session)... anyone want to help me get
it into CPAN?

Where I work now (a bank).... I work in Data Security. Of all things,
I do Application Security. Though a great deal of time is spent on
reviewing things relating to how someone on the outside may cause
problems, my biggest challenge will always be keeping it secure from the
inside. The vast majority of major break-ins done on things like credit
card databases typically involve someone on the inside divulging too
much information or actually helping to carry out the nefarious tasks.
I suppose for most places it's just a matter of time.... but doing the
absolute best you can to ensure security should help at least make the
target on your back less desirable to shoot.



-----Original Message-----
From: mock [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 11, 2004 1:59 AM
To: Geoffrey Young
Cc: Modperl List
Subject: Re: APR::Base64 uses

This is about to go out to CPAN, but since it seems there is some
question as to how to do this, I'll send it out a little early.
Attached is a module for safely encrypting and storing credit cards
using the Business::OnlinePayment interface. It uses a public RSA key
and Crypt::OpenSSL::RSA to encrypt a randomly generated Blowfish
symmetric key, which is used with Crypt::CBC to encrypt the credit card
details. Also included is a module for reversing the transaction given
the RSA private key. This allows one to store credit cards safely on
the server, by not putting the private RSA key on the same machine.
To retrieve the cards, simply pull the data to an offline machine, and
decrypt using the RSA private key. Assuming you aren't an idiot and
leave the private key somewhere internet accessible, this should be as
proof against hackers as any other credit card processing.

enjoy

mock
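
The scheme mock describes above (public key on the web server wraps a
fresh symmetric key, private key stays offline for retrieval), as an
added example that is not code from his module or from the list: it is
written in Go against the standard library instead of Perl, and swaps in
RSA-OAEP plus AES-256-GCM for the Crypt::OpenSSL::RSA/Blowfish/Crypt::CBC
pairing, so the stored record is also integrity-checked on decryption.
Envelope, NewKeyPair, Seal and Open are names chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// Envelope is the record the web server stores: RSA-wrapped AES key, then nonce||ciphertext||tag.
type Envelope struct{ WrappedKey, Sealed []byte }

// NewKeyPair generates the RSA pair; only the public half is installed on the web server.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// Seal runs on the web server: a fresh AES-256 key is wrapped with RSA-OAEP and used once.
func Seal(pub *rsa.PublicKey, card []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block) // AES blocks are always accepted
	return &Envelope{wrapped, gcm.Seal(nonce, nonce, card, nil)}, nil
}

// Open runs on the offline machine that holds the private key.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(e.Sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, rsa.ErrDecryption
	}
	nonce, ct := e.Sealed[:gcm.NonceSize()], e.Sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // fails if the stored record was altered
}
```

Nothing Seal touches can reverse a record, so a compromise of the web
host yields only wrapped keys and ciphertext; Open belongs on the
offline retrieval machine described in the post.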


--
Report problems: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
List etiquette: http://perl.apache.org/maillist/email-etiquette.html