Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Program similar to PGP

Status
Not open for further replies.
jerijeri

jerijeri

Programmer
Sep 11, 2002
33
CA
I'd like to be able to store some information in a table and have it safe from prying eyes. I do need to be able to decrypt it.

Currently we're using a RC4 routine to save the information. If someone looks at the data, it won't do them any good - unless they find the key that's stored on the server.

What we really need is something that works similar to PGP. That way even if they downloaded the key and the data it would be useless. Due to installation requirements is not suitable.

Any ideas on where to find code that will do what we need?

Thanks,

Jer
 
Sort by date Sort by votes
Linux. Apache 1.3, MySQL

Some sites that we want to do this on are on inexpensiver virtual hosts so we can't compile and install the software.

Some of the data is Credit Card data so if the data can be encrypted by using any data on the server, it won't be suitable.

We've also looked at mcrypt, but some of the sites don't have mcrypt installed and won't install it.

Thanks,

Jer
 
Upvote 0 Downvote
The only perfect cryptographic system is a properly-managed single-use-pad system. But that's not useful for what you need.

The best you're going to be able to do with human-readable PHP code is slow them down or make the value of what the attacker gets less valuable than the resources he puts into the attack. If a PHP script knows which key in a PKI keyring to use, so can your attacker. If the keyring requires a password, your PHP script would have to know that, and so can you attacker.

Maybe hide your code. Might Zend Encoder ( be applicable here? To run the output of Zend Encoder requires the installation of Zend Optimizer. If you can't compile software, can you install pre-compiled software?


Want the best answers? Ask the best questions: TANSTAAFL!
 
Upvote 0 Downvote
[The only perfect cryptographic system is a properly-managed single-use-pad system. But that's not useful for what you need.

The best you're going to be able to do with human-readable PHP code is slow them down or make the value of what the attacker gets less valuable than the resources he puts into the attack. If a PHP script knows which key in a PKI keyring to use, so can your attacker. If the keyring requires a password, your PHP script would have to know that, and so can you attacker.]

Maybe I'm misunderstanding what PGP type system can do. I thought that even if someone has the public key, just like they would have to send an encrypted method, that without the decryption key, the decryption would be so resource intensive as to not be worth it.

That's the reason for wanting a PGP type system. Zend Encoder or Source Guardian won't work to encrypt code as Optimizer isn't on server, and the extensions necessary for Source Guardian aren't available.

What I didn't make clear is that the decryption key-ring wouldn't be on server. That would entered into a secure form to decrypt the data.

Thanks,


Jer
 
Upvote 0 Downvote
A PGP system should work for what you want. Then you download the data later, you have the encryption key, and you go nuts.

Just so long as you expect the data on the server to be unusable by the server, once the server gets the ability to read it, everything is comprimised.

I would think the RSA scheme is really easy to implement with PHP by hand, all on your own. No real need for anything third party.

Part of the loss is you won't get the nice selection of keys that comes with PGP and all the key management... but to set up a simple RSA Public Key encryption for one time use where you define the keys ahead of time should be straightforward.

Too busy until monday at the earliest, but I'll try to look into it then.

-Rob
 
Upvote 0 Downvote
A PKI system is designed for two entities to exchange messages. It is secure because the private keys of the two entities are stored in two different places.

As I understand your cryptogrphic requirements, your server is going to both encrypt and decrypt the data. That means that both the public and private keys must be on the same server. Thus PKI in this instance is no more secure than a non-PKI crypto system.

If someone can read your code to access your RC4 key, then he can certainly read your code to access your public and private keys.

Want the best answers? Ask the best questions: TANSTAAFL!
 
Upvote 0 Downvote
However, if he just wants the server to encrypt the data, which he can then later download and locally decrypt entering his private key, it should be trivial, no?

-Rob
 
Upvote 0 Downvote
you're storing credit card data on the server? definitely a no-no...

what ever process transaction that is done on the system, the credit card data should be passed to the third party authorizing agent and forgotten about...web servers are just not secure enough to store the data...

best to pass the responsibility for the cc numbers to the authorizing agent and let them worry about the security of the data, thats what you pay them for.

ask playboy.com (8 million card numbers hacked out of the server along with the client data).

The only way I could ever consider something like this would be to pass the data to another secured server / application that only runs behind a firewall and then encrypting it and storing the data....never never ever on the web server



Bastien

There are many ways to skin this cat,
but it still tastes like chicken
 
Upvote 0 Downvote
skiflyer:
So long as the private key is not stored on the server...


Bastien:
You have it right.

If you are processing credit-cards in real time, then the important thing to store is the transaction id provided by your clearing house, not the credit-card number.


Want the best answers? Ask the best questions: TANSTAAFL!
 
Upvote 0 Downvote
[you're storing credit card data on the server? definitely a no-no...

what ever process transaction that is done on the system, the credit card data should be passed to the third party authorizing agent and forgotten about...web servers are just not secure enough to store the data...]

Yes, we understand the risks. Unfortunately you simply can not do recurring billing with certain Gateways. i.e. Authorize.net. Hence the need for encryption.

Even without the CC data, there is other data we'd like to use this system on, so the problem still remains.

To Sleipnir214:

[As I understand your cryptogrphic requirements, your server is going to both encrypt and decrypt the data. That means that both the public and private keys must be on the same server. Thus PKI in this instance is no more secure than a non-PKI crypto system.]

** The private key is only available to the program when we enter into a form field on a secure connection. We enter the key into the field, and the data can be decrytped for that session only.

[If someone can read your code to access your RC4 key, then he can certainly read your code to access your public and private keys.]

** The RC4 key is what we have now, and it's insecure. If the person searched the site, they'd find the RC4 key. Hence our searching for a PGP type system.

Thanks,

Jer


 
Upvote 0 Downvote
But you can't use gnupg or mcrypt because you can't install software on some of your clients systems. Right?

** That's correct. We're looking for something like PGP, but something that doesn't have to be be compiled and installed or involve any changes go the PHP build.

Recently Authorize.net changed their system and we needed to do HMAC-MD5. To use their example code, PHP needed to be compiled with MHASH.

Fortunately we found the following:

function hmac ($key, $data)
{
// RFC 2104 HMAC implementation for php.
// Creates an md5 HMAC.
// Eliminates the need to install mhash to compute a HMAC
// Hacked by Lance Rushing

$b = 64; // byte length for md5
if (strlen($key) > $b) {
$key = pack("H*",md5($key));
}
$key = str_pad($key, $b, chr(0x00));
$ipad = str_pad('', $b, chr(0x36));
$opad = str_pad('', $b, chr(0x5c));
$k_ipad = $key ^ $ipad ;
$k_opad = $key ^ $opad;

return md5($k_opad . pack("H*",md5($k_ipad . $data)));
}

Voila, we used this and no longer needed PHP compiled with mhash. Hopefully there's something on the net available to generate a PGP *type* system without needing to compiled.

Thanks,

Jer
 
Upvote 0 Downvote
I don't work with php but have a client that does... I need to create a form to do online cc transactions with authorize.net... know nothing about php so any help... Code will be appreciated... don't have much time... found some files on their site but information is all over...


Thank you very much for your help
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

R
  • Question
How Can I Use MySQL To Send Data To An Email
Replies
1
Views
248
Chris Miller
Chris Miller
P
  • Locked
  • Question
JPgraph - How to stop a line graph from dropping to zero?
Replies
2
Views
364
Chris Miller
Chris Miller
rogerte
  • Locked
  • Question
How to parse associative array
Replies
13
Views
1K
Chris Miller
Chris Miller
PeDa
  • Locked
  • Question
Basic Authentication fails to authenicate
Replies
0
Views
181
PeDa
PeDa
EdLentz
  • Locked
  • Question
I need a simple example of how to send a table of info .
Replies
8
Views
404
EdLentz
EdLentz

Part and Inventory Search

Sponsor

Back
Top