Re: RSA implementation, please comment.



Rob wrote:
Hi All;
I've come up with a solution and I'd like some feedback on whether or
not it is secure.

SYNOPSIS: Is Crypt::RSA secure acceptable in open source if the
private key password is in a browser cookie?

DETAILS:
We're running a pretty basic LAMPS system with MySQL 5.1 and Perl 5.8.
The client asked me to devise "a secure way to save credit card
numbers in the sales database". Every paper I've read recommends
saving the card numbers off site or not at all, but in this case
the client is a middle-man who collects the sales information
(including card numbers) in one place, and needs to pull up the entire
customer record including card data in a back-office setting using a
secure server.

Most encryption and decryption schemas I came up with had the same
problem -- open source.



I don't know if I can talk you out of keeping the card numbers on the same server but I'm going to try. A dedicated server can be leased for a hundred dollars a month. There is no legitimate excuse for keeping the numbers on a server which is accessible by a web browser. Servers are compromised despite the best intentions of the server admins. If the web server were ever compromised it could be a disaster for your client. The 256 bit RSA key could be factored in hours. You would need a much larger key for it to be secure.


If you must store the data on the same web server, then you are better off generating an encryption key from a good quality random number generator and using a two way algorithm like RC4 (very fast encryption, BTW). The random number generator will return the same string if the seed is the same. You will get the seed from a hash of a concatenation of the username, email address, phone number, user's password (you will have it in plain text from the form, but store encrypted or hashed), etc. Cat all those strings in any order you want, pass it through SHA512 or somesuch, and pass the resulting string to your RNG. Poof, out comes your password, for that user only.

Don't store the expiration or CCV/CCV2.

--
-linux_lad
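
An added example, not part of the post and not the poster's code: a Python sketch of the per-user key derivation described above, showing why plain concatenation of the fields is ambiguous and how length-prefixing removes that. It swaps the hash-then-seeded-RNG step for PBKDF2-HMAC-SHA512 from the standard library; the function names, iteration count and sample values are assumptions.

```python
import hashlib

ITERATIONS = 100_000  # assumed work factor; tune for the deployment's hardware


def naive_seed(*fields: str) -> bytes:
    """Plain concatenation followed by SHA-512, as the post describes."""
    return hashlib.sha512("".join(fields).encode("utf-8")).digest()


def encode_fields(*fields: str) -> bytes:
    """Length-prefix every field so a boundary cannot shift between fields."""
    out = bytearray()
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def derive_user_key(username: str, email: str, phone: str,
                    password: str, length: int = 32) -> bytes:
    """Deterministic per-user key: same inputs always give the same key.

    Username, email and phone sit in the same database as the card data,
    so they only act as a salt here; the password is the sole secret input.
    """
    salt = encode_fields(username, email, phone)
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                               salt, ITERATIONS, dklen=length)


def demo() -> dict:
    # Constructed sample values, not real customer data.
    user = ("rob", "rob@example.com", "555-0100")
    key = derive_user_key(*user, "correct horse")
    return {
        "naive_collision": naive_seed("ab", "c") == naive_seed("a", "bc"),
        "framed_collision": encode_fields("ab", "c") == encode_fields("a", "bc"),
        "repeatable": key == derive_user_key(*user, "correct horse"),
        "password_bound": key != derive_user_key(*user, "other password"),
        "key_bytes": len(key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the key is recomputed from the inputs, changing the password or any of the other fields yields a different key, so data encrypted under the old key has to be decrypted and re-encrypted at that point.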