http://www.ioncube.com/

Encrypt PHP scripts (they're pretty cheap too).

On Thu, 2003-01-30 at 09:30, Mike Morton wrote:
I want to use the mcrypt functions to encrypt credit card numbers for
storage in a mysql database, which mcrypt does admirably:

$key = "this is a secret key";
$input = "Let us meet at 9 o'clock at the secret place.";
$iv = mcrypt_create_iv (mcrypt_get_iv_size (MCRYPT_RIJNDAEL_256,
MCRYPT_MODE_CBC), MCRYPT_RAND);

$encrypted_data = base64_encode(@mcrypt_encrypt (MCRYPT_RIJNDAEL_256 , $key,
$input, MCRYPT_MODE_CBC,$iv));

The trouble is - the key and the IV. Both of these have to be available in
the merchant's administration for retrieval of the credit card, thus need to
be stored somewhere - most likely on the server or in a database. Here is
the problem - if someone gets to the database and retrieves the encrypted
credit card, the chances are that they are able to also retrieve the script
that did the encryption, thus find out where the key and IV are stored,
making it simple to decrypt the credit card for them.

The only solution that I can see is to use an asymmetric encryption and have
the merchant enter the decryption key at the time of credit card retrieval -
but that is unrealistic from a User Interface point of view.

So - the only other thing that I can see to do is have a compiled program,
bound to the server, that has the key compiled into the program. I am not a
C programmer - so this is also not exactly possible.

Does anyone else have any answers or has anyone else run into this? Is this
just a general problem with doing encryption through PHP as opposed to a
compiled binary? Can anyone suggest a solution to this problem?

Thanks :)




--
Cheers

Mike Morton

-- 
Adam Voigt ([EMAIL PROTECTED])
The Cryptocomm Group
My GPG Key: http://64.238.252.49:8080/adam_at_cryptocomm.asc
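
The asymmetric approach Mike describes, as an added example that is not part of either message: the web server holds only a public key, and the merchant's passphrase re-derives the private key at retrieval time. It uses libsodium sealed boxes (PHP 7.2+ with the sodium extension) instead of mcrypt, which is a substitution made here; all function names and sample values are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.2+ with the sodium
// extension; function names, passphrase and card number are constructed.

// One-time setup, run by the merchant: derive a key pair from a passphrase.
// Only the salt and the public key are stored on the web server.
function merchant_setup(string $passphrase): array
{
    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $keypair = derive_keypair($passphrase, $salt);
    return ['salt' => $salt, 'public_key' => sodium_crypto_box_publickey($keypair)];
}

// Re-creates the key pair from the passphrase; nothing secret is read from disk.
function derive_keypair(string $passphrase, string $salt): string
{
    $seed = sodium_crypto_pwhash(
        SODIUM_CRYPTO_BOX_SEEDBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
    return sodium_crypto_box_seed_keypair($seed);
}

// Checkout path: needs only the public key, so this script cannot decrypt.
function store_card(string $cardNumber, string $publicKey): string
{
    return base64_encode(sodium_crypto_box_seal($cardNumber, $publicKey));
}

// Admin path: the merchant supplies the passphrase at retrieval time.
// Returns null when the passphrase is wrong or the ciphertext was altered.
function retrieve_card(string $stored, string $passphrase, string $salt): ?string
{
    $keypair = derive_keypair($passphrase, $salt);
    $plain = sodium_crypto_box_seal_open(base64_decode($stored), $keypair);
    sodium_memzero($keypair);
    return $plain === false ? null : $plain;
}

$server = merchant_setup('correct horse battery staple');     // constructed passphrase
$row = store_card('4111111111111111', $server['public_key']); // constructed test number
var_dump(retrieve_card($row, 'correct horse battery staple', $server['salt']));
var_dump(retrieve_card($row, 'wrong passphrase', $server['salt']));
```

Because the salt and public key sit on the server next to the ciphertext, the strength of the merchant's passphrase is what protects the stored numbers against offline guessing.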
