Thus spoke »Alan Cox« on 2000-02-20 at 11:57:47 -0500:
> Greetings: I was wondering if anyone has any ideas about the best way to
> store credit cards in a database ... and I'm not referring that much to the
> field type, but rather encryption techniques.

'encryption'?  Hmm, how about: none?  If you don't need to reconstruct
the cc#, md5 will be good.
However, if you need to reconstruct it, nothing is safe.  And that's
quite simple:
a) You need to get access to the MySQL server.  Impossible to do from
the outside if '--skip-networking' is used.
b) So, only possible from the localhost.  This means, there must have
been a break-in to the MySQL server.  Once he's on the server, he can do
anything he likes.  He can also read the source code of your PHP/PERL
pages.  There the password will be stored, somewhere.  Once the password
has been found (which is nothing but a matter of time), your encryption
is broken.
BUT: If you're using something like C or any other compiled language and
do not have the source code flying around and are sure that the password
cannot be decrypted from the binary, any symmetrical encryption will
probably do.
The last also applies if you use a program to decrypt the cc# which is
not stored on the same computer as the MySQL database.  But then you
need to worry about how to securely transfer the data from the MySQL
database to the computer running the decryption program.

So, overall, I'd say: Don't hassle with encryption: It's not worth it.

Alexander Skwar
-- 
How to quote:   http://learn.to/quote (German) http://quote.6x.to (English)
Homepage:       http://www.digitalprojects.com   |   http://www.iso-top.de
   iso-top.de - The inexpensive way to get Linux distributions
                Uptime: 2 days 17 hours 44 minutes
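
For the case in the message above where the card number never has to be reconstructed, here is an added example (not part of the original message) of storing a one-way fingerprint. It swaps the md5 mentioned in the message for HMAC-SHA-256 with a key kept outside the database, so the stored value cannot be checked against candidate numbers without that key; the function names, the record layout and the constructed test number are assumptions.

```python
import hashlib
import hmac
import os


def luhn_ok(pan: str) -> bool:
    """Luhn checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize(raw: str) -> str:
    """Strip separators and reject anything that is not a plausible card number."""
    pan = raw.replace(" ", "").replace("-", "")
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid card number")
    return pan


def card_record(raw: str, key: bytes) -> dict:
    """Row to store: keyed one-way fingerprint plus the last four digits."""
    pan = normalize(raw)
    fp = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return {"fingerprint": fp, "last4": pan[-4:]}


def matches(raw: str, record: dict, key: bytes) -> bool:
    """True if `raw` is the card behind `record`; the number itself is never stored."""
    try:
        candidate = card_record(raw, key)
    except ValueError:
        return False
    return hmac.compare_digest(candidate["fingerprint"], record["fingerprint"])


if __name__ == "__main__":
    # Constructed inputs: a random demo key and a well-known test card number.
    # Assumption: in production the key lives with the application, not in MySQL.
    key = os.urandom(32)
    row = card_record("4111 1111 1111 1111", key)
    print(row["last4"], matches("4111-1111-1111-1111", row, key))   # same card
    print(matches("4111111111111111", row, os.urandom(32)))         # wrong key
```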
