473,588 Members | 2,478 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Best encryption technique

Greetings,

I have a requirement of storing some .xml files on a web server.
The files will contain financial information like credit card numbers,
so I would like to encrypt them.

The files will stay there until another program downloads them and
deletes the files.

My question is - which of the functions in the mcrypt library provide
the best encryption for files?
The files will be relatively small - between 2KB - 30KB.

I would like the strongest possible encryption because some pretty good
hackers may attempt to get at these files if someone figures out that
there are credit card numbers out there.

Another question - how should the encryption/decryption key be shared
between the two programs?
Is it secure enough if the .php script contains a single static key on
both the ends - or is there a better way to share the key?

Thanks,
Harold

Jul 17 '05 #1
4 3440
Harold Crump wrote:
Another question - how should the encryption/decryption key be shared
between the two programs?
Is it secure enough if the .php script contains a single static key on
both the ends - or is there a better way to share the key?
May want to place the key in a separate file. After all, it's data, not
code, and tgus makes it easier to change the key as required.

Also, I'm very much hoping you have an asymmetric cipher in mind here
(public-key cryptography). You might as well not bother with encryption
at all if you will be leaving the decryption key on the server.

I'd go for AES-128 for bulk encrypting each file with a random key, and
RSA-2048 for encrypting the symmetric keys.
Never used mcrypt, or done crypto at all using php, but any decent suite
should support those ciphers.
Your whole approach sounds a tad awkward, though. Why store credit card
info on a web server in the first place, especially if it's ment to end
up somewhere else..? You know best, though. Best of luck.

Thanks,
Harold

Jul 17 '05 #2
Frank,

Frank wrote:
Also, I'm very much hoping you have an asymmetric cipher in mind here (public-key cryptography). You might as well not bother with encryption at all if you will be leaving the decryption key on the server.
That's my worry as well !
Can you briefly describe how the public-key approach should work,
especially if a random key is used as you suggested.

The entire approach is supposed to be asynchronous and the two
applications (the one that dumps the files, and the other that reads
them) are not "aware" of each other.
I'd go for AES-128 for bulk encrypting each file with a random key, and RSA-2048 for encrypting the symmetric keys.
How about using 3DES (triple DES) - it is supported by mcrypt.
It is 192-bit encryption.
Is that any good?

Can you explain what you meant by symmetric keys and asymmetric keys?
Your whole approach sounds a tad awkward, though. Why store credit card info on a web server in the first place, especially if it's ment to end up somewhere else..?


I know !! But there is no other way to integrate these two apps that we
could find, and the customer is aware of the security risk involved.
We are going to try and setup an HTTPS channel between the two app so
that the file transfer can be more secure.

Thanks again,
Harold

Jul 17 '05 #3
Harold Crump wrote:
Frank,

Frank wrote:
Also, I'm very much hoping you have an asymmetric cipher
in mind here (public-key cryptography). You might as well
not bother with encryption at all if you will be leaving
the decryption key on the server.
That's my worry as well !
Can you briefly describe how the public-key approach should work,
especially if a random key is used as you suggested. *copy & paste* Can you explain what you meant by symmetric keys and asymmetric keys?


Asymmetric ciphers work with two keys, one for encryption and a
different one for decryption. You'll obviously only be storing the
encryption key on your web server.

Problem is, public-key algorithms aren't very efficient, so you use a
different algorithm for encrypting the content, then encrypt that key
using public-key crypto and store it along with the encrypted data somehow.
I'd go for AES-128 for bulk encrypting each file with a random key,
and RSA-2048 for encrypting the symmetric keys.


How about using 3DES (triple DES) - it is supported by mcrypt.
It is 192-bit encryption.
Is that any good?


I'm no crypto guru, so best do a little research yourself here.

I did look up mcrypt just now, and it seems to have support for
Rijndael, which is another name for the AES algorithm. If your library
version doesn't have Rijndael-128, I'd go with Blowfish over 3DES, which
AFAIK is very broken.

Couldn't find anything solid on publick key ciphers for php in what
little time I spent googling, though.

Good luck.
Jul 17 '05 #4
"Harold Crump" <or**********@y ahoo.com> wrote in message
news:11******** **************@ o13g2000cwo.goo glegroups.com.. .
Greetings,

I have a requirement of storing some .xml files on a web server.
The files will contain financial information like credit card numbers,
so I would like to encrypt them.


I wonder how worthwhile encryption is in this case. If a hacker manages to
hack into your server, then he could easily modify your PHP script so that
the file is encrypted with a known key instead of a random one.

You time could be better spent improving the security of the server,
methinks.
Jul 17 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

22
3213
by: Kamilche | last post by:
I've looked at a few alternatives for encryption with Python, and didn't come up anything very speedy. I've written an encryption algorithm in pure Python that can process 22 megs of data a second. I know it's not secure, but it should be enough to ward off casual hacking. Does someone know of something speedier? --Kamilche
2
2129
by: gaurav khanna | last post by:
Hi I need to store the credit card information in my database. I have been looking for some third party tools which could provide encryption for credit card numbers. The help I need is: a) What is the most secure encryption tool that can be used to store credit card information?
14
2794
by: MLH | last post by:
Here's what I would like to do from with VBA procedure running in Access 97... Read a plaintext file on disk (IE, autoexec.bat), encrypt it and write it to disk (say, c:\encryptd.txt). Recommendations on the SIMPLEST tools possible to accomplish this. Will be distributing in A97 runtime environment and do NOT wish to encounter problems on remote target machines having REFERENCE issues, etc.
113
12279
by: Bonj | last post by:
I was in need of an encryption algorithm to the following requirements: 1) Must be capable of encrypting strings to a byte array, and decyrpting back again to the same string 2) Must have the same algorithm work with strings that may or may not be unicode 3) Number of bytes back must either be <= number of _TCHARs in * sizeof(_TCHAR), or the relation between output size and input size can be calculated simply. Has to take into account the...
0
4211
by: Anonieko Ramos | last post by:
ASP.NET Forms Authentication Best Practices Dr. Dobb's Journal February 2004 Protecting user information is critical By Douglas Reilly Douglas is the author of Designing Microsoft ASP.NET Applications and owner of Access Microsystems. Doug can be reached at doug@accessmicrosystems.com. --------------------------------------------------------------------------------
8
2770
by: robert | last post by:
Hello, I want to put (incrementally) changed/new files from a big file tree "directly,compressed and password-only-encrypted" to a remote backup server incrementally via FTP,SFTP or DAV.... At best within a closed algorithm inside Python without extra shell tools. (The method should work with any protocol which allows somehow read, write & seek to a remote file.) On the server and the transmission line there should never be...
10
2050
by: tshad | last post by:
I am trying to find the best procedure for storing keys used for encryption. This would also be a question for the connection string to the database. At the moment, this is kept in the web.info file. This seems to be norm from all the books on building your Web Apps. Isn't this a problem as the web.info is cleartext? I would suppose that having keys (which you would to store/encrypt and get/decrypt from your database) in this manner...
2
6469
by: olafinsbraaten | last post by:
I am using column-level encryption (ENCRYPT_CHAR, DECRYPT_CHAR) to protect selected columns in DB2 LUW v.9.1 and v.9.5 on Linux. The ultimate goal is to support the requirements put forward in Payment Card Industry Data Security Standard (PCI DSS) which states: "Protect stored cardholder data anywhere it is stored". The encryption functions above requires a password to be set for each db2 session (SET ENCRYPTION PASSWORD =...
3
2596
by: Max2006 | last post by:
Hi, In our production environment, we would like to protect our database connection string against system administrators (they are admin on the web server box) I went through this article that describes options how to encrypt the connection string section within the web.config: http://msdn.microsoft.com/en-us/library/ms998283.aspx
0
7929
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
7860
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
8354
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
7984
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
8223
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
1
5726
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5398
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
3847
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
3883
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.