From my experience, I'd have to say that it would be a real tough go to crack that. If there was a weak point in the scheme, it is that your end result pattern (the SSN) is defined with a pair of constants, the hyphens. In our scheme we remove the dashes and just provide a mask for display. We also keep a unique key with each SSN, the record number, for extra security.

Where to keep it is tougher. OWASP suggests that the keys be stored on another non-web-facing server with a locked-down filesystem. That would be best if you have the hardware available. One other option here is to load the keys into RAM on server start-up and never have them physically on the machine.

Bastien

On 8/11/10, tedd <tedd@xxxxxxxxxxxx> wrote:
> Hi gang:
>
> Okay, a question to the Encryption/Decryption gurus out there.
>
> If you were given:
>
> 1. This encrypted string:
>
> p3IVhDBT26i+p4vd7J4fAw==
>
> 2. Were told it was a social security number (i.e., in the form of
> 123-45-6789).
>
> 3. And it had been generated from this code:
>
> $cipher = mcrypt_module_open(MCRYPT_TRIPLEDES,'','cbc','');
> mcrypt_generic_init($cipher, $key1, $key2);
> $encrypted = mcrypt_generic($cipher,$social_security_number);
>
> 4. Where $key1 and $key2 are md5() values calculated from two
> different security phrases.
>
> 5. Where each security phrase contains multiple non-English words.
>
> What would it take for you to break the encrypted string and decipher
> the social security number? Can it be done? If so, how long?
>
> And lastly, where would the "best" place to store these security
> phrases? (Note: I didn't ask where would be the best place for me to
> put them.) :-)
>
> Cheers,
>
> tedd
>
> PS: No, the SS number in question is not 123-45-6789. :-)
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Sent from my mobile device

Bastien
Cat, the other other white meat
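The scheme tedd describes (items 1 to 5) and the format weakness Bastien points to, as an added example that is code from neither poster. It rebuilds the construction in Go (3DES-CBC, key and IV taken from md5() hex digests of two phrases) and then runs the search an attacker with a known plaintext format would run: guess phrases and use the "ddd-dd-dddd" shape as the test for a correct guess. Assumptions not in the post: the 32-character hex digests are cut down to 3DES's 24-byte key and 8-byte IV (the post does not say how mcrypt fitted them), padding is NUL bytes to the 8-byte block as mcrypt does, and the SSN, phrases and candidate lists are constructed for the example. The post's own ciphertext is not decrypted here; the only fact used from it is that the base64 decodes to 16 bytes, two 3DES blocks, which is exactly what an 11-character SSN pads to.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

const blockSize = des.BlockSize // 8 bytes for DES/3DES

// md5Hex mirrors the post's key derivation: PHP md5() returns 32 hex chars.
func md5Hex(phrase string) []byte {
	sum := md5.Sum([]byte(phrase))
	return []byte(hex.EncodeToString(sum[:]))
}

// keyIV fits the two digests to 3DES-CBC: a 24-byte key and an 8-byte IV.
// Assumption for this example: take the leading bytes of each hex string.
// The post does not say how mcrypt handled the 32-char values.
func keyIV(phrase1, phrase2 string) (key, iv []byte) {
	return md5Hex(phrase1)[:24], md5Hex(phrase2)[:blockSize]
}

// zeroPad pads with NUL bytes to a multiple of the block size (mcrypt's padding).
func zeroPad(b []byte) []byte {
	n := (blockSize - len(b)%blockSize) % blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{0}, n)...)
}

// encryptSSN reproduces the post's scheme and base64-encodes the result.
func encryptSSN(ssn, phrase1, phrase2 string) (string, error) {
	key, iv := keyIV(phrase1, phrase2)
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	pt := zeroPad([]byte(ssn))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decrypt returns the raw (still padded) plaintext for a given key and IV.
func decrypt(ctB64 string, key, iv []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(ctB64)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%blockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// The known format is the attacker's oracle. "ddd-dd-dddd" is 11 bytes, so after
// padding block 1 is "ddd-dd-d" and block 2 is "ddd" followed by five NULs.
var (
	fullSSN   = regexp.MustCompile(`^[0-9]{3}-[0-9]{2}-[0-9]{4}\x00{5}$`)
	lastBlock = regexp.MustCompile(`^[0-9]{3}\x00{5}$`)
)

// recoverPhrases searches the two candidate lists in two stages. In CBC the IV
// only feeds block 1, so block 2 decrypts correctly as soon as the key phrase is
// right, whatever IV is tried: phrase1 is found on its own (|cands1| trials),
// then phrase2 with the key fixed (|cands2| trials), not |cands1|*|cands2|.
func recoverPhrases(ctB64 string, cands1, cands2 []string) (phrase1, phrase2, ssn string, err error) {
	dummyIV := make([]byte, blockSize)
	var key []byte
	for _, p1 := range cands1 {
		k, _ := keyIV(p1, "")
		pt, derr := decrypt(ctB64, k, dummyIV)
		if derr == nil && len(pt) == 2*blockSize && lastBlock.Match(pt[blockSize:]) {
			phrase1, key = p1, k
			break
		}
	}
	if key == nil {
		return "", "", "", errors.New("key phrase not in candidate list")
	}
	for _, p2 := range cands2 {
		_, iv := keyIV("", p2)
		pt, derr := decrypt(ctB64, key, iv)
		if derr == nil && fullSSN.Match(pt) {
			return phrase1, p2, string(bytes.TrimRight(pt, "\x00")), nil
		}
	}
	return phrase1, "", "", errors.New("IV phrase not in candidate list")
}

func main() {
	// Constructed sample: not a real person's number and not the post's phrases.
	ct, err := encryptSSN("987-65-4321", "tovarisch nebesny", "kirschbluete rojo")
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext:", ct) // 24 base64 chars ending "==", the same shape as the post's

	p1, p2, ssn, err := recoverPhrases(ct,
		[]string{"password", "nebesny tovarisch", "tovarisch nebesny"},
		[]string{"letmein", "kirschbluete rojo"})
	fmt.Println(p1, "|", p2, "|", ssn, "|", err)
}
```

Two things the run shows that the thread only gestures at. First, the work an attacker has to do is the sum of the two phrase searches, not the product: the second phrase is a CBC IV, and an IV is not a key, so everything after the first 8 bytes falls out as soon as the first phrase is guessed. Second, with md5() as the derivation there is no salt and no stretching, so the cost per guess is one hash and one 3DES block operation, and the whole scheme is exactly as strong as the entropy of the phrases; where the phrases are stored (file, another host, RAM at start-up) changes who can read them, not how many guesses their secrecy survives.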