[thelist] how secure to store credit cards
Keith
cache at dowebs.com
Tue Jan 8 11:57:56 CST 2002
Hey, thanks Jeff for the details on ColdFusion's Encrypt function!
> coldfusion's Encrypt() function takes a string and a key. it uses the
> key to encrypt the string --
I'm assuming that the same key is needed to unencrypt the string. If
so, then Erik's earlier worries would be valid: keeping the key on the
server would make the attempt quite bogus. Unless... unless you
don't keep the key on the server.
Would this work as a poor man's method (considering the $400
price tag for integrating PGP with CF)? Instead of keeping one key
for all transactions, generate a unique key for each transaction and
email the key and transaction number pair to the merchant during
the process. A bandit would have to snag each email (or break into
the email server) plus break into the e-commerce server to have an
open door.
I've seen a variation of a two-way hash one-key encryption done in
Perl. That installation used only one key for all transactions, but the
key did not exist on the server in hard form; it was kept in memory
using mod_perl. (Once a routine has been put into mod_perl
memory you can remove the physical script and still run it, until you
reboot.) Question: does CF have any comparable capability for
placing a value or routine in memory for persistent use?
> it's alittle spendy ($400), but the expense is worth it for the peace
> of mind it'll give you.
Wow, that is a bit expensive, considering that all the PGP tools are
free and take less than an hour to have running with Perl.
keith
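The per-transaction scheme sketched in the post (a fresh key for every order, the server keeping only ciphertext, the key leaving the box with the merchant), worked through as an added example. This is not code from the post, from ColdFusion or from the Perl/mod_perl setup it mentions; since Python's standard library has no block cipher, it uses HMAC-SHA256 as a keyed stream cipher with an encrypt-then-MAC tag where the post would call CF's Encrypt(). The transaction ids, the test card number and the "inbox" list are constructed for the demo. The mod_perl single-key variant from the same post is the same encrypt/decrypt pair with one key held in process memory instead of one key per record.

```python
"""Per-transaction key escrow: server stores ciphertext, merchant gets the key.

Added illustration, not code from the thread.  HMAC-SHA256 in counter mode
stands in for a real cipher because the Python stdlib has no AES."""
import hashlib
import hmac
import secrets

KEY_BYTES = 32   # size of the per-transaction key
TAG_BYTES = 32   # HMAC-SHA256 output length


def _keystream(key: bytes, txn_id: str, length: int) -> bytes:
    """Expand the per-transaction key into `length` pseudorandom bytes using
    HMAC-SHA256 in counter mode. Every transaction gets a fresh random key,
    so the same keystream is never produced twice."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = b"enc|" + txn_id.encode() + b"|" + counter.to_bytes(4, "big")
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, txn_id: str, ciphertext: bytes) -> bytes:
    """Integrity tag bound to the transaction id (encrypt-then-MAC)."""
    msg = b"mac|" + txn_id.encode() + b"|" + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()


def encrypt_card(key: bytes, txn_id: str, card_number: str) -> bytes:
    """Return ciphertext || tag; this record is all the server keeps."""
    plaintext = card_number.encode()
    stream = _keystream(key, txn_id, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ciphertext + _tag(key, txn_id, ciphertext)


def decrypt_card(key: bytes, txn_id: str, record: bytes) -> str:
    """Recover the card number; fails closed on a wrong key or altered record."""
    if len(record) < TAG_BYTES:
        raise ValueError("record too short")
    ciphertext, tag = record[:-TAG_BYTES], record[-TAG_BYTES:]
    if not hmac.compare_digest(tag, _tag(key, txn_id, ciphertext)):
        raise ValueError("wrong key or tampered record for transaction " + txn_id)
    stream = _keystream(key, txn_id, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream)).decode()


class CommerceServer:
    """The e-commerce box: stores transaction id -> encrypted record only."""

    def __init__(self):
        self.records = {}

    def take_order(self, card_number: str, send_key) -> str:
        txn_id = secrets.token_hex(8)              # constructed id, 16 hex chars
        key = secrets.token_bytes(KEY_BYTES)       # unique key for this order
        self.records[txn_id] = encrypt_card(key, txn_id, card_number)
        send_key(txn_id, key)   # out-of-band delivery to the merchant (email in the post)
        return txn_id           # the key is never written anywhere on this host


def demo() -> str:
    """One order end to end: server keeps ciphertext, merchant decrypts with the mailed key."""
    merchant_inbox = []     # constructed stand-in for the merchant's mailbox
    server = CommerceServer()
    txn = server.take_order("4111111111111111",   # well-known test card number
                            lambda t, k: merchant_inbox.append((t, k)))
    # Nothing in server.records is usable without the key that went to the inbox.
    txn_id, key = merchant_inbox[0]
    assert txn_id == txn
    return decrypt_card(key, txn_id, server.records[txn_id])


if __name__ == "__main__":
    print(demo())
```

demo() returns the card number, and decrypt_card() with any key other than the one sent to the merchant (or with the record moved to another transaction id) raises, which is the property the post is after: a copy of the server's database alone is useless. The email leg then carries the secret, exactly the exposure the post names; the PGP route it weighs against is the public-key form of the same split, where the server encrypts to the merchant's public key and nothing secret has to travel at all.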