Re: encryption on personal information

2003-02-05 Thread Matt Robertson
Hi all,

I recommended he go for the big-time approach since he was interested in protecting 
children.  Seems like a liability issue you'd want to be able to tell opposing counsel 
-- especially here in the States -- that you took all possible steps to avoid, or at 
the least be able to calm unnecessarily jittery parents.

More of a social issue than a technical one, I suppose.

---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---


-- Original Message --
From: Kay Smoljak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
date: Wed, 05 Feb 2003 18:29:44 -0400

>David Green wrote:
>>On storing the information: I need to store the information in my table
>>after I have passed the text field through the cfx tag, which will return an
>>encrypted text variable. I then store that value and the private key in my
>>table. Then any time I need the data I run it back through the cfx_text
>>tag with the private password, or do I create new keys?
>
>Hi David,
>
>You first need to understand the concepts of asymmetric encryption (ie, using two 
>different keys). I wish I had a good link for this - maybe I should create one :)
>
>Firstly, I'm not sure that your situation calls for a tag like TextCrypt. If you want 
>your users to submit data, which is then encrypted and stored so that only an 
>administrator can decrypt it (ie, you) then the tag suits your needs. If you want 
>people to be able to decrypt their own data at will (ie to edit or view it) then what 
>you need is either just an SSL certificate (to protect the data while it's being 
>transmitted) and perhaps a symmetric encryption scheme such as the one built into CF 
>(ie, the same key is used to encrypt and decrypt the data, more like a password).
>
>Basically, in asymmetric encryption a key pair is generated which always goes together. 
>The private key must always stay private. That means you don't even store it on the 
>server or in the database, on your own machine only and even then only if you trust 
>that keeps it secure. The matching public key can be stored on the server or indeed 
>anywhere, as anything encrypted with it can ONLY be decrypted using the private key, 
>and the private key CANNOT be determined using the public key. 
>
>If you lose your private key OR your public key, you're out of luck. A 512 bit RSA 
>key was broken (http://www.cw.com.hk/Features/f990831002.htm) by a team of scientists 
>using 292 individual computers at 11 different sites around the world. It took them 
>seven months. A 1024 bit key (the recommended minimum) is exponentially more 
>difficult to factor.
>
>All data is encrypted using the public key. It can then be decrypted using the 
>private key. The way I usually do this on sites is to have an SSL-protected admin 
>area, where the administrator can log in, enter his private key (paste it into a 
>form, it's about 300 characters for a 1024 bit key) which is then saved as a session 
>variable. The idea is that the private key and any decrypted data is never stored 
>anywhere except in the server's memory.
>
>Wow, this has been a long post. If it sounds like overkill for what you want to 
>protect, it probably is :) I've only ever used it for credit card numbers. If you 
>don't think it's overkill and you have any more questions, please fire away (my email 
>is [EMAIL PROTECTED]).
>
>Kay.
>(I work for PerthWeb)
>
~|
Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: 
http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
This list and all House of Fusion resources hosted by CFHosting.com. The place for 
dependable ColdFusion Hosting.

Unsubscribe: 
http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4




encryption on personal information

2003-02-05 Thread Kay Smoljak
David Green wrote:
>On storing the information: I need to store the information in my table
>after I have passed the text field through the cfx tag, which will return an
>encrypted text variable. I then store that value and the private key in my
>table. Then any time I need the data I run it back through the cfx_text
>tag with the private password, or do I create new keys?

Hi David,

You first need to understand the concepts of asymmetric encryption (ie, using two 
different keys). I wish I had a good link for this - maybe I should create one :)

Firstly, I'm not sure that your situation calls for a tag like TextCrypt. If you want 
your users to submit data, which is then encrypted and stored so that only an 
administrator can decrypt it (ie, you) then the tag suits your needs. If you want 
people to be able to decrypt their own data at will (ie to edit or view it) then what 
you need is either just an SSL certificate (to protect the data while it's being 
transmitted) and perhaps a symmetric encryption scheme such as the one built into CF 
(ie, the same key is used to encrypt and decrypt the data, more like a password).

Basically, in asymmetric encryption a key pair is generated which always goes together. 
The private key must always stay private. That means you don't even store it on the 
server or in the database, on your own machine only and even then only if you trust 
that keeps it secure. The matching public key can be stored on the server or indeed 
anywhere, as anything encrypted with it can ONLY be decrypted using the private key, 
and the private key CANNOT be determined using the public key. 

If you lose your private key OR your public key, you're out of luck. A 512 bit RSA key 
was broken (http://www.cw.com.hk/Features/f990831002.htm) by a team of scientists 
using 292 individual computers at 11 different sites around the world. It took them 
seven months. A 1024 bit key (the recommended minimum) is exponentially more difficult 
to factor.

All data is encrypted using the public key. It can then be decrypted using the private 
key. The way I usually do this on sites is to have an SSL-protected admin area, where 
the administrator can log in, enter his private key (paste it into a form, it's about 
300 characters for a 1024 bit key) which is then saved as a session variable. The idea 
is that the private key and any decrypted data is never stored anywhere except in the 
server's memory.

Wow, this has been a long post. If it sounds like overkill for what you want to 
protect, it probably is :) I've only ever used it for credit card numbers. If you 
don't think it's overkill and you have any more questions, please fire away (my email 
is [EMAIL PROTECTED]).

Kay.
(I work for PerthWeb)
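The workflow Kay describes above (public key on the server encrypts every submission, private key pasted into an SSL-protected admin session to read it back, nothing decryptable stored in the table), written out as an added Go example; this is not code from the thread and not the TextCrypt tag. It assumes a 2048-bit key rather than the 1024 bits recommended in 2003, and because RSA alone can only encrypt a message shorter than its modulus it wraps a fresh per-record AES-GCM key with RSA-OAEP (a hybrid scheme, not something the post spells out).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Record is the stored row; nothing in it can decrypt it without the private key.
type Record struct {
	WrappedKey []byte // random AES-256 key, RSA-OAEP encrypted to the public key
	Nonce      []byte // AES-GCM nonce, fresh for every record
	Ciphertext []byte // the personal details, sealed under the AES key
}

// NewAdminKeyPair runs once on the admin's own machine; only PublicKey goes to the server.
func NewAdminKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // 2048 bits assumed; the post said 1024
}

// Encrypt runs on the public site with only the public key. RSA can encrypt
// just a few hundred bytes, so it wraps a symmetric key that seals the data.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Record, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(dek) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block) // AES block cipher: cannot fail
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Record{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt runs in the admin area with the private key held only in memory;
// a different key fails the OAEP unwrap and a tampered row fails the GCM tag.
func Decrypt(priv *rsa.PrivateKey, r *Record) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, nil)
	if err != nil || len(dek) != 32 {
		return nil, errors.New("record was not encrypted to this key pair")
	}
	block, _ := aes.NewCipher(dek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

The public half can be serialised for the server with x509.MarshalPKIXPublicKey; the private half should exist only in the admin's session, as the post describes.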




Re: encryption on personal information

2003-02-05 Thread David Green
Matt, thanks for the info. Looks straightforward enough, but let me see if I
understand.

I use the certificate to secure the browsers. After I install the
certificate on my server I then call the page out in my code using
https://www.site.com/dir/page_name.cfm
and I should get a padlock on my browsers.


On storing the information: I need to store the information in my table
after I have passed the text field through the cfx tag, which will return an
encrypted text variable. I then store that value and the private key in my
table. Then any time I need the data I run it back through the cfx_text
tag with the private password, or do I create new keys?

I am a little confused on how the public and private keys work and how to call
the data up at a later date.

Thanks for the help
David


- Original Message -
From: "Matt Robertson" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Tuesday, February 04, 2003 2:32 PM
Subject: Re: encryption on personal information


> Here are some links:
>
> http://rackshack.net.  Buy a GeoTrust secure certificate, easy and cheap (US$49).
>
> http://developer.perthweb.com.au.  Look at the textcrypt utility.  This is
> actually some serious encryption that is nice and cheap (US$39).  Costs a
> bundle ($10k+) if bought from mainstream commercial sources.
>
> You can get some encryption algorithms on the devex for free.  Check
> there, but for me textcrypt is solid stuff, cheap and easy.
>
> To make a form secure you first call the page using https instead of
> http (after you've installed and enabled the secure certificate).  You call
> the action page with https too.  Then you encrypt the data in the db so if
> someone breaks in the data is gobbledygook.  When you review the data in
> your protected admin area you also do it over a secure https connection,
> after you've plugged in the private key that unencrypts the data for
> viewing.
>
> Got all that? :D  It's not a subject whose component parts can easily be
> digested in a single email.
>
> ---
>  Matt Robertson, [EMAIL PROTECTED]
>  MSB Designs, Inc. http://mysecretbase.com
> ---
>
>
> -- Original Message --
> From: "David Green" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> date: Tue, 4 Feb 2003 14:11:57 -0800
>
> >Hello list
> >
> >I'm just a part time web guy. I have a website for soccer where people
> >are going to sign up for the league. It will have personal information but
> >no money transactions. Can someone point me to a website that would show
> >how to do the basics in security and encryption? This is not any super
> >secret stuff, just people's/kids' names, addresses and phone numbers. I can't
> >spend a bunch of money but would like to secure it from the basic hackers. I
> >don't think this is a site people would try hard to break into, but since it
> >has kids' names I should do something.
> >
> >I know I visit sites and it warns me that I am about to send unsecured data
> >and do I want to. How do I send it secured?
> >
> >Thanks for the help now and in the past
> >
> >David
> >




Re: encryption on personal information

2003-02-04 Thread Matt Robertson
Here are some links:

http://rackshack.net.  Buy a GeoTrust secure certificate, easy and cheap (US$49).

http://developer.perthweb.com.au.  Look at the textcrypt utility.  This is actually 
some serious encryption that is nice and cheap (US$39).  Costs a bundle ($10k+) if 
bought from mainstream commercial sources.

You can get some encryption algorithms on the devex for free.  Check there, but for me 
textcrypt is solid stuff, cheap and easy.

To make a form secure you first call the page using https instead of http (after you've 
installed and enabled the secure certificate).  You call the action page with https 
too.  Then you encrypt the data in the db so if someone breaks in the data is 
gobbledygook.  When you review the data in your protected admin area you also do it 
over a secure https connection, after you've plugged in the private key that 
unencrypts the data for viewing.

Got all that? :D  It's not a subject whose component parts can easily be digested in a 
single email.

---
 Matt Robertson, [EMAIL PROTECTED]
 MSB Designs, Inc. http://mysecretbase.com
---


-- Original Message --
From: "David Green" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
date: Tue, 4 Feb 2003 14:11:57 -0800

>Hello list 
>
>I'm just a part time web guy. I have a website for soccer where people are going to 
>sign up for the league. It will have personal information but no money transactions. 
>Can someone point me to a website that would show how to do the basics in security 
>and encryption? This is not any super secret stuff, just people's/kids' names, addresses 
>and phone numbers. I can't spend a bunch of money but would like to secure it from the 
>basic hackers. I don't think this is a site people would try hard to break into, but 
>since it has kids' names I should do something.
>
>I know I visit sites and it warns me that I am about to send unsecured data and do I 
>want to. How do I send it secured?
>
>Thanks for the help now and in the past
>
>David
>
>
>
>




encryption on personal information

2003-02-04 Thread David Green
Hello list 

I'm just a part time web guy. I have a website for soccer where people are going to 
sign up for the league. It will have personal information but no money transactions. 
Can someone point me to a website that would show how to do the basics in security 
and encryption? This is not any super secret stuff, just people's/kids' names, addresses 
and phone numbers. I can't spend a bunch of money but would like to secure it from the 
basic hackers. I don't think this is a site people would try hard to break into, but 
since it has kids' names I should do something.

I know I visit sites and it warns me that I am about to send unsecured data and do I 
want to. How do I send it secured?

Thanks for the help now and in the past

David


