Re: ssl encryption
Yes, it's possible. To achieve this, you should use asymetric encryption, and *not* store the private key in the server. Then, the question remains : how can I have the server safely decrypt on demand ?! one possible solution could be to store the private key in a remote server, dedicated to the unique task of decrypting the sensitive data. A secure tunnel could be established between the two servers, so to communicate the encrypted text, and get back the decrypted text safely. You could even add security by storing the private key in a smartcard, and having the smartcard reader connected to the server. Decryptions would have to be done within the smartcard. It's completely possible, but you almost certainly don't want such CPU-expensive operations be done within a 8-bit smartcard ! On Thu, 14 Jun 2001, Kevin Schroeder wrote: > This would make an interesting discussion because I've had the same question > come up in my mind. How do you encrypt things on your server without giving > out the passphrase? Is it even possible to keep the key in the same > location as the program using it and still maintain security? > > Kevin
Re: ssl encryption
Then the question comes up of what happens if you're not storing it in a database? Say, for example, every night at midnight there's a report that gets taken from the database and emailed to a manager in an Excel spreadsheet that contains all the purchasing information from the previous day. Plus, most people concur that there is no such thing as a 100% secure system, however, using a 2048 bit GPG asynchronous key would make it quite difficult to get that information, even if the server was broken into and all the root passwords were changed. Then, of course, the intruder could change the passkey for the encryption and send the reports to himself. Then, of course you could modify "su" to report whenever someone uses it to su to root, but that's only valid if they get in with su. But then we're getting beyond the scope of this mailing list. I guess there really is no such thing as absolute security, only probable security. Oh well. Kevin - Original Message - From: "Vivek Khera" <[EMAIL PROTECTED]> Newsgroups: ml.apache.modperl To: <[EMAIL PROTECTED]> Sent: Friday, June 15, 2001 2:23 PM Subject: Re: ssl encryption > >>>>> "KS" == Kevin Schroeder <[EMAIL PROTECTED]> writes: > > KS> This would make an interesting discussion because I've had the > KS> same question come up in my mind. How do you encrypt things on > KS> your server without giving out the passphrase? Is it even > KS> possible to keep the key in the same location as the program using > KS> it and still maintain security? > > No; the only way to secure this would be to make the server ask you to > type the passphrase on startup, and you never write this down. This > makes it impossible to have automated restart, of course. > > Better thing to do is to secure your database server a bit better. > > -- > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Vivek Khera, Ph.D.Khera Communications, Inc. > Internet: [EMAIL PROTECTED] Rockville, MD +1-240-453-8497 > AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/ >
Re: ssl encryption
> "KS" == Kevin Schroeder <[EMAIL PROTECTED]> writes: KS> This would make an interesting discussion because I've had the KS> same question come up in my mind. How do you encrypt things on KS> your server without giving out the passphrase? Is it even KS> possible to keep the key in the same location as the program using KS> it and still maintain security? No; the only way to secure this would be to make the server ask you to type the passphrase on startup, and you never write this down. This makes it impossible to have automated restart, of course. Better thing to do is to secure your database server a bit better. -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Vivek Khera, Ph.D.Khera Communications, Inc. Internet: [EMAIL PROTECTED] Rockville, MD +1-240-453-8497 AIM: vivekkhera Y!: vivek_khera http://www.khera.org/~vivek/
Re: ssl encryption
One solution is to set a perl variable in a conf file that is only readable by root. The parent httpd process can read this, and the children can inherit it, but its not visible in the code. If your httpd children need to be able to read in the password, then you'll need less restrictive permissions on the password file. Of course you need to be able to trust your application developers not to dump the variable out into the world. A slightly better method is to abstract away from the connection method, so that your application developers don't use the password directly, but call a library routine that hands them a connection object, using the password variable under the hood. I've seen this used, and it worked quite well, although having the password in plain text anywhere is a little disturbing. A slightly better approach would be to keep a file of blowfish encrypted keys to be read during startup, and to somehow pass the key to decrypt the keys in manually during Apache startup, via a prompt. Stronghold does this at startup, in order to get the passphrase for your certificate. I'm not sure exactly how to do this from scratch, but I believe there are modules that allow you to embed perl in conf files, which might work, or you might be able to do it via startup.pl On Friday, June 15, 2001, at 12:44 am, Kevin Schroeder wrote: > This would make an interesting discussion because I've had the same > question > come up in my mind. How do you encrypt things on your server without > giving > out the passphrase? Is it even possible to keep the key in the same > location as the program using it and still maintain security? > > Kevin > > - Original Message - > From: "Benjamin Trott" <[EMAIL PROTECTED]> > To: "modperl" <[EMAIL PROTECTED]> > Sent: Thursday, June 14, 2001 5:00 PM > Subject: Re: ssl encryption > > >>> When apache is serving a ssl connection, I assume that everything >>> sent back and forth between the server and the client is encrypted. >>> I want an mod_perl script to encrypt/decrypt credit card numbers >>> obtained over the ssl connection for storage in a db on the server. >>> Is there any access to the same routines that apache is using for the >>> encryption or do I have to use some other module. If I have to use >>> another module, what would be a good choice? >> >> You could use either an asymmetric cipher or a symmetric cipher. >> >> An example of the former is Crypt::RSA (Crypt::DSA is another, but DSA >> is >> used only for signing/verification, not for encryption/decryption). >> >> A good, fast example of the latter is Crypt::Blowfish. Used together >> with >> Crypt::CBC, you get Blowfish in CBC mode: >> >> use Crypt::CBC; >> my $cipher = Crypt::CBC->new('passphrase', 'Blowfish'); >> my $ciphertext = $cipher->encrypt('data'); >> my $plaintext = $cipher->decrypt($ciphertext); >> >> In other words, you use the same passphrase to both encrypt and decrypt > the >> data (ie. symmetric). >> >> Personally, I think I'd use a symmetric cipher, but the thing you have >> to > be >> careful of is leaving your passphrase around in plain text (eg. in a >> script). Doing this negates many of the benefits of encrypting the >> data in >> the first place. :) Sadly I'm not sure of the best answer to this >> dilemma. >> >> bye, >> Ben >> >> > >
Re: ssl encryption
This would make an interesting discussion because I've had the same question come up in my mind. How do you encrypt things on your server without giving out the passphrase? Is it even possible to keep the key in the same location as the program using it and still maintain security? Kevin - Original Message - From: "Benjamin Trott" <[EMAIL PROTECTED]> To: "modperl" <[EMAIL PROTECTED]> Sent: Thursday, June 14, 2001 5:00 PM Subject: Re: ssl encryption > > When apache is serving a ssl connection, I assume that everything > > sent back and forth between the server and the client is encrypted. > > I want an mod_perl script to encrypt/decrypt credit card numbers > > obtained over the ssl connection for storage in a db on the server. > > Is there any access to the same routines that apache is using for the > > encryption or do I have to use some other module. If I have to use > > another module, what would be a good choice? > > You could use either an asymmetric cipher or a symmetric cipher. > > An example of the former is Crypt::RSA (Crypt::DSA is another, but DSA is > used only for signing/verification, not for encryption/decryption). > > A good, fast example of the latter is Crypt::Blowfish. Used together with > Crypt::CBC, you get Blowfish in CBC mode: > > use Crypt::CBC; > my $cipher = Crypt::CBC->new('passphrase', 'Blowfish'); > my $ciphertext = $cipher->encrypt('data'); > my $plaintext = $cipher->decrypt($ciphertext); > > In other words, you use the same passphrase to both encrypt and decrypt the > data (ie. symmetric). > > Personally, I think I'd use a symmetric cipher, but the thing you have to be > careful of is leaving your passphrase around in plain text (eg. in a > script). Doing this negates many of the benefits of encrypting the data in > the first place. :) Sadly I'm not sure of the best answer to this dilemma. > > bye, > Ben > >
Re: ssl encryption
Not storing the credit card numbers at all would be the best option :-) If you must, we've usually used crypt for one-way encryption, or Crypt::BlowFish for stuff we need to be able to decrypt (look after your key!). On Thursday, June 14, 2001, at 09:54 pm, Tim Gardner wrote: > When apache is serving a ssl connection, I assume that everything sent > back and forth between the server and the client is encrypted. I want > an mod_perl script to encrypt/decrypt credit card numbers obtained over > the ssl connection for storage in a db on the server. Is there any > access to the same routines that apache is using for the encryption or > do I have to use some other module. If I have to use another module, > what would be a good choice? > > Thanks, > Tim >
Re: ssl encryption
> When apache is serving a ssl connection, I assume that everything > sent back and forth between the server and the client is encrypted. > I want an mod_perl script to encrypt/decrypt credit card numbers > obtained over the ssl connection for storage in a db on the server. > Is there any access to the same routines that apache is using for the > encryption or do I have to use some other module. If I have to use > another module, what would be a good choice? You could use either an asymmetric cipher or a symmetric cipher. An example of the former is Crypt::RSA (Crypt::DSA is another, but DSA is used only for signing/verification, not for encryption/decryption). A good, fast example of the latter is Crypt::Blowfish. Used together with Crypt::CBC, you get Blowfish in CBC mode: use Crypt::CBC; my $cipher = Crypt::CBC->new('passphrase', 'Blowfish'); my $ciphertext = $cipher->encrypt('data'); my $plaintext = $cipher->decrypt($ciphertext); In other words, you use the same passphrase to both encrypt and decrypt the data (ie. symmetric). Personally, I think I'd use a symmetric cipher, but the thing you have to be careful of is leaving your passphrase around in plain text (eg. in a script). Doing this negates many of the benefits of encrypting the data in the first place. :) Sadly I'm not sure of the best answer to this dilemma. bye, Ben
Re: ssl encryption
Apache uses OpenSSL to implement the transport encryption for HTTP connections. You can find out more at http://www.openssl.org This isn't necessarily how you would want to encrypt things on disk, however. Encrypting a regular file or db file is not really a typical public key encryption task -- typically this is done by using a block cipher like Blowfish and a single shared secret. Information is available at: http://www.counterpane.com/blowfish.html, and there are perl modules on CPAN as Crypt::Blowfish. Hope this helps. > When apache is serving a ssl connection, I assume that everything > sent back and forth between the server and the client is encrypted. > I want an mod_perl script to encrypt/decrypt credit card numbers > obtained over the ssl connection for storage in a db on the server. > Is there any access to the same routines that apache is using for the > encryption or do I have to use some other module. If I have to use > another module, what would be a good choice? > > Thanks, > Tim > --- Mark Madsen EMAIL: [EMAIL PROTECTED] Internap Network ServicesOFFICE: 206.441.8800 601 Union Street, Suite 1000FAX: 206.264.1833 Seattle, WA 98101PAGER: 888.464.6381 * The contents of this message are proprietary and confidential *
ssl encryption
When apache is serving a ssl connection, I assume that everything sent back and forth between the server and the client is encrypted. I want an mod_perl script to encrypt/decrypt credit card numbers obtained over the ssl connection for storage in a db on the server. Is there any access to the same routines that apache is using for the encryption or do I have to use some other module. If I have to use another module, what would be a good choice? Thanks, Tim
Re: SSL/encryption & mod_perl
"B. Burke" wrote: > > I've got a question related to encryption and mod_perl. I'm running > an apache mod_perl server (AIX and Linux platforms) to serve HTML > forms, query backend databases, and print formatted results. I currently > use .htaccess for authentication, although this will probably change. > > My problem is that the user/pass info. and much of the data is > sensitive, and I'm looking for a way to implement SSL or encryption. > > If anyone can point me in the right direction for implementing > encryption that is compatible with apache/mod_perl, I'd appreciate > it. Use RSE's excellent open-source SSL software. http://www.modssl.org/ http://www.openssl.org/
RE: SSL/encryption & mod_perl
You can now build mod_ssl and mod_perl together. Instructions are in the guide http://perl.apache.org/guide. You have to build openssl first. OpenSSL: http://www.openssl.org mod_ssl: http://www.modssl.org I do this now on Solaris (all with DSO's) -Paul > -Original Message- > From: B. Burke [mailto:[EMAIL PROTECTED]] > Sent: Tuesday, November 07, 2000 2:01 PM > To: [EMAIL PROTECTED] > Subject: SSL/encryption & mod_perl > > > I've got a question related to encryption and mod_perl. I'm running > an apache mod_perl server (AIX and Linux platforms) to serve HTML > forms, query backend databases, and print formatted results. > I currently > use .htaccess for authentication, although this will probably change. > > My problem is that the user/pass info. and much of the data is > sensitive, and I'm looking for a way to implement SSL or encryption. > > If anyone can point me in the right direction for implementing > encryption that is compatible with apache/mod_perl, I'd appreciate > it. > > Also, many of the resources I've found thus far were written yrs. > ago, and since then, I believe the RSA patent has expired and I > think US Laws on encryption have changed. I need to make sure > whatever I implement is legal for US and possibly > International use, so > if you have any comments on legality, I'd appreciate that too. > > Thanks, > Brian B. > [EMAIL PROTECTED] >
SSL/encryption & mod_perl
I've got a question related to encryption and mod_perl. I'm running an apache mod_perl server (AIX and Linux platforms) to serve HTML forms, query backend databases, and print formatted results. I currently use .htaccess for authentication, although this will probably change. My problem is that the user/pass info. and much of the data is sensitive, and I'm looking for a way to implement SSL or encryption. If anyone can point me in the right direction for implementing encryption that is compatible with apache/mod_perl, I'd appreciate it. Also, many of the resources I've found thus far were written yrs. ago, and since then, I believe the RSA patent has expired and I think US Laws on encryption have changed. I need to make sure whatever I implement is legal for US and possibly International use, so if you have any comments on legality, I'd appreciate that too. Thanks, Brian B. [EMAIL PROTECTED]