Dan Trainor wrote:
> Daniel Bowett wrote:
>> Is there any way I can use public/private key encryption in php in a
>> similar way to mcrypt.
>>
>> I have got php encrypting the data using gnupg but need to automate the
>> decrypting element which is proving difficult because of the way the
>> password is passed.
>>
>
> While Daniel has brought up the subject of encryption, and I know that the
> other day we were talking about storing CC numbers in a database - I
> don't think we touched on storing CCs encrypted with a gpg-style
> encryption. Is this generally acceptable at all, or do you developers
> still not store CC numbers in any way, shape or form in a database?

I wouldn't store them at all.

If you encrypt them with a two-way algorithm, the private key is your weak link. SOMEBODY can always find a way to get to that private key.

You have to invest a TON of money and resources to make it SOOOO difficult to get to the private key, that it's easier/cheaper for the Bad Guys to get people's credit card numbers some other way.

If you are using one-way encryption, then you're only using it to verify that somebody has access to that CC number, and you might as well use a password the user can choose/change -- with suitable restrictions on the quality of that password -- rather than risk transmitting the CC # needlessly.

You need a REALLY good reason, and a REALLY REALLY REALLY good security audit of your entire process, on a routine basis, with all software, hardware, physical access, network access, under close-up scrutiny if you store CC numbers in the database.

That's a reason why almost nobody does it, and a reason why we all just let the banks/merchant-vendors worry about that stuff.

Sometimes it really is best to let a specialist handle things. This is one of those times.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php