Best encryption technique

Greetings,

I have a requirement of storing some .xml files on a web server.
The files will contain financial information like credit card numbers,
so I would like to encrypt them.

The files will stay there until another program downloads them and
deletes the files.

My question is - which of the functions in the mcrypt library provide
the best encryption for files?
The files will be relatively small - between 2KB - 30KB.

I would like the strongest possible encryption because some pretty good
hackers may attempt to get at these files if someone figures out that
there are credit card numbers out there.

Another question - how should the encryption/decryption key be shared
between the two programs?
Is it secure enough if the .php script contains a single static key on
both the ends - or is there a better way to share the key?

Thanks,
Harold

Jul 17 '05 #1
Harold Crump wrote:
> Another question - how should the encryption/decryption key be shared
> between the two programs?
> Is it secure enough if the .php script contains a single static key on
> both the ends - or is there a better way to share the key?

May want to place the key in a separate file. After all, it's data, not
code, and thus makes it easier to change the key as required.

Also, I'm very much hoping you have an asymmetric cipher in mind here
(public-key cryptography). You might as well not bother with encryption
at all if you will be leaving the decryption key on the server.

I'd go for AES-128 for bulk encrypting each file with a random key, and
RSA-2048 for encrypting the symmetric keys.
Never used mcrypt, or done crypto at all using php, but any decent suite
should support those ciphers.
Your whole approach sounds a tad awkward, though. Why store credit card
info on a web server in the first place, especially if it's meant to end
up somewhere else..? You know best, though. Best of luck.

> Thanks,
> Harold

Jul 17 '05 #2
Frank,

Frank wrote:
> Also, I'm very much hoping you have an asymmetric cipher in mind here (public-key cryptography). You might as well not bother with encryption at all if you will be leaving the decryption key on the server.

That's my worry as well!
Can you briefly describe how the public-key approach should work,
especially if a random key is used as you suggested.

The entire approach is supposed to be asynchronous and the two
applications (the one that dumps the files, and the other that reads
them) are not "aware" of each other.

> I'd go for AES-128 for bulk encrypting each file with a random key, and RSA-2048 for encrypting the symmetric keys.

How about using 3DES (triple DES) - it is supported by mcrypt.
It is 192-bit encryption.
Is that any good?

Can you explain what you meant by symmetric keys and asymmetric keys?

> Your whole approach sounds a tad awkward, though. Why store credit card info on a web server in the first place, especially if it's meant to end up somewhere else..?

I know!! But there is no other way to integrate these two apps that we
could find, and the customer is aware of the security risk involved.
We are going to try and set up an HTTPS channel between the two apps so
that the file transfer can be more secure.

Thanks again,
Harold

Jul 17 '05 #3
Harold Crump wrote:
> Frank,
>
> Frank wrote:
>> Also, I'm very much hoping you have an asymmetric cipher
>> in mind here (public-key cryptography). You might as well
>> not bother with encryption at all if you will be leaving
>> the decryption key on the server.
>
> That's my worry as well!
> Can you briefly describe how the public-key approach should work,
> especially if a random key is used as you suggested.

*copy & paste*

> Can you explain what you meant by symmetric keys and asymmetric keys?


Asymmetric ciphers work with two keys, one for encryption and a
different one for decryption. You'll obviously only be storing the
encryption key on your web server.

Problem is, public-key algorithms aren't very efficient, so you use a
different algorithm for encrypting the content, then encrypt that key
using public-key crypto and store it along with the encrypted data somehow.

>> I'd go for AES-128 for bulk encrypting each file with a random key,
>> and RSA-2048 for encrypting the symmetric keys.
>
> How about using 3DES (triple DES) - it is supported by mcrypt.
> It is 192-bit encryption.
> Is that any good?


I'm no crypto guru, so best do a little research yourself here.

I did look up mcrypt just now, and it seems to have support for
Rijndael, which is another name for the AES algorithm. If your library
version doesn't have Rijndael-128, I'd go with Blowfish over 3DES, which
AFAIK is very broken.

Couldn't find anything solid on public key ciphers for php in what
little time I spent googling, though.

Good luck.
Jul 17 '05 #4
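
The scheme Frank describes above (a random AES-128 key per file, wrapped with an RSA-2048 public key, with the private key kept off the web server), as an added example that is not part of the thread. It uses PHP's OpenSSL extension rather than mcrypt and assumes PHP 7.1 or later for AES-GCM, a mode the thread does not specify; the function names `seal_file` and `open_file` and the envelope layout are hypothetical.

```php
<?php
// Added example (not from the thread). seal_file/open_file and the envelope
// layout are illustrative assumptions, not an existing library API.

// Web server side: only the PUBLIC key is deployed here.
function seal_file(string $plaintext, string $publicKeyPem): string
{
    $key = random_bytes(16);   // fresh AES-128 key for every file
    $iv  = random_bytes(12);   // 96-bit GCM nonce, used once with this key
    $ct  = openssl_encrypt($plaintext, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('AES encryption failed');
    }
    // Wrap the AES key with RSA-OAEP; output is 256 bytes for a 2048-bit key.
    if (!openssl_public_encrypt($key, $wrapped, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key wrap failed');
    }
    // Envelope: wrapped key (256) | nonce (12) | tag (16) | ciphertext
    return base64_encode($wrapped . $iv . $tag . $ct);
}

// Downloading program: the only place the PRIVATE key exists.
function open_file(string $envelope, string $privateKeyPem): string
{
    $raw = base64_decode($envelope, true);
    if ($raw === false || strlen($raw) < 256 + 12 + 16) {
        throw new RuntimeException('Malformed envelope');
    }
    $wrapped = substr($raw, 0, 256);
    $iv      = substr($raw, 256, 12);
    $tag     = substr($raw, 268, 16);
    $ct      = (string) substr($raw, 284);
    if (!openssl_private_decrypt($wrapped, $key, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $pt = openssl_decrypt($ct, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {       // GCM tag mismatch: the stored file was altered
        throw new RuntimeException('Authentication failed');
    }
    return $pt;
}

// Demo with a throwaway key pair and constructed sample data.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

$xml    = '<payment><card>4111111111111111</card></payment>'; // constructed test value
$sealed = seal_file($xml, $publicPem);
var_dump(open_file($sealed, $privatePem) === $xml);
```
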
"Harold Crump" <or**********@yahoo.com> wrote in message
news:11**********************@o13g2000cwo.googlegroups.com...
> Greetings,
>
> I have a requirement of storing some .xml files on a web server.
> The files will contain financial information like credit card numbers,
> so I would like to encrypt them.


I wonder how worthwhile encryption is in this case. If a hacker manages to
hack into your server, then he could easily modify your PHP script so that
the file is encrypted with a known key instead of a random one.

Your time could be better spent improving the security of the server,
methinks.
Jul 17 '05 #5
