On Wed, Jul 25, 2001 at 07:12:17PM +0200, Alexander Skwar wrote:
[snip]
> 'encryption'?  Hmm, how about: none?  If you don't need to reconstruct
> the cc#, md5 will be good.

Indeed. That is however rarely the case with credit card numbers.

> However, if you need to reconstruct it, nothing is safe.  And that's
> quite simple:
> a) You need to get access to the MySQL server.  Impossible to do from
> the outside if '--skip-networking' is used.
> b) So, only possible from the localhost.  This means, there must have
> been a break in to the MySQL server.  Once he's on the server, he can do
> anything he likes.  He can also read the source code of your PHP/PERL
> pages.  There the password will be stored, somewhere.  Once the password
> has been found (which is nothing but a matter of time), your encryption
> is broken.

That is only true for a parallel cipher. A non-parallel cipher (like
PGP) allows you to store just the public key on the server, and have
the private key stored somewhere else safe, on a way more secured box
that actually handles the transactions.

Greetz, Peter
-- 
Against Free Sex!   http://www.dataloss.nl/Megahard_en.html
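
The key split described in the reply above, as an added example that is not part of the original message: the web server encrypts with a public key only, and a separate box holding the private key decrypts. It assumes PHP's OpenSSL extension with RSA-OAEP standing in for PGP; the function names `seal_card` and `open_card` are hypothetical and the card number is a constructed test value.

```php
<?php
// Constructed demo: both halves are generated here so the script runs alone.
// In a deployment the pair is generated on the transaction box and only
// the public half is copied to the web server.
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($pair === false) {
    exit("key generation failed: " . openssl_error_string() . "\n");
}
openssl_pkey_export($pair, $privatePem);              // stays on the backend box
$publicPem = openssl_pkey_get_details($pair)['key'];  // deployed to the web server

// Web server side: has $publicPem only, so it can write but never read back.
function seal_card(string $cardNumber, string $publicPem): string
{
    $ok = openssl_public_encrypt($cardNumber, $cipher, $publicPem,
                                 OPENSSL_PKCS1_OAEP_PADDING);
    if (!$ok) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($cipher);  // value stored in the MySQL column
}

// Transaction box side: the only place the private key exists.
function open_card(string $stored, string $privatePem): string
{
    $cipher = base64_decode($stored, true);
    if ($cipher === false
        || !openssl_private_decrypt($cipher, $plain, $privatePem,
                                    OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

$card   = '4111111111111111';            // constructed test number
$first  = seal_card($card, $publicPem);
$second = seal_card($card, $publicPem);

// OAEP padding is randomized: the same number yields different ciphertexts,
// so stored values cannot be matched against each other or a lookup table.
var_dump($first !== $second);
var_dump(open_card($first, $privatePem) === $card);
```

Someone who reads the PHP source and the database on the web server finds only the public key and ciphertext; recovering card numbers requires the private key on the other box.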
