Encryption key storage
Posted: Sun Jul 04, 2004 7:55 pm
by mshita
I know... too many questions from me today.
But I guess this is more of a general question than a PHP coding question. I have a MySQL database that has credit card information and some other confidential financial information. I'm going to be using Blowfish to encrypt all that information. But my question is, how do I securely store the encryption key? Is it safe to store the key in MySQL? Obviously I can't encrypt the key.
Posted: Sun Jul 04, 2004 7:59 pm
by John Cartwright
You have to ask yourself. Do you absolutely have to store their credit card information?
Posted: Sun Jul 04, 2004 8:01 pm
by mshita
Well yeah, the system I'm trying to build requires credit card information. My question is, is MySQL safe enough to store the encryption key? Or how would you store that key?
Posted: Sun Jul 04, 2004 8:06 pm
by ol4pr0
The only safe thing is to keep it off the internet... besides that nothing is safe enough. But I guess it's more secure than storing it in some file. And are you using an SSL connection for all this?
Interesting reading maybe.
http://teaching.cs.uml.edu/MySQLdocs/My ... tions.html
Posted: Fri Nov 12, 2004 11:22 am
by patrikG
Why would you need to keep the private keys stored? Shouldn't the owners of the credit cards remember them? And if they forget their key, they have to enter the credit card details again.
If you have to keep the private keys stored in a file, keep them outside of any web-viewable folder. There is still a risk involved if you are on a shared server or if you are not administering your own server. It might be sensible, if you're paranoid (which is a good thing regarding security), to have the private key file stored on a different server.
Posted: Fri Nov 12, 2004 12:43 pm
by Weirdan
Do you need to use that data in decrypted form (e.g. pass it to a processing centre/gateway at some later date)? Off the top of my head, that's the only case when you need the full credit card information; correct me if I'm wrong here.
Posted: Fri Nov 12, 2004 12:45 pm
by Weirdan
mshita wrote: My question is, is MySQL safe enough to store the encryption key? Or how would you store that key?
If it were safe enough, you wouldn't have to encrypt the information in it.
If you do, you're by definition considering the MySQL db not safe enough.
Posted: Fri Nov 12, 2004 2:06 pm
by rehfeld
I wouldn't store them at all.
Unless you are HIGHLY confident your method of storage is extremely secure, odds are someone can break into it without too much effort.
SQL injection is one possibility. Another: shared server problems are VERY real, and often make hacking a site a piece of cake.
If I could gain access to your encrypted CC numbers, even without the encryption key, all I need to do is download them to my local box and have a cracking program go at them. Probably won't take very long.
I think if you're asking questions about security such as this, you're probably not yet ready/capable of storing them securely enough. That's not a bad thing, it just takes experience, which will come in time. Please be realistic about your capabilities, and the capabilities of others.
I urge you to take all the precautions for security you can. I've had my credit card number plastered all over the internet because someone hacked a website I bought something from. It caused me a lot of problems, as you can imagine. Identity theft can ruin people's lives.
Posted: Fri Nov 12, 2004 2:15 pm
by timvw
If you insist on storing the decrypted info, I would use something like gpg and only make the public key available on the server (it is enough to encrypt),
and then have the private key on a different, absolutely secure machine. Then you can retrieve the encrypted data from the webhost and decrypt it at the secure machine.
Posted: Fri Nov 12, 2004 2:33 pm
by patrikG
timvw wrote: If you insist on storing the decrypted info, I would use something like gpg and only make the public key available on the server (it is enough to encrypt).
I wouldn't use GNUPG, because you have to use a shell command to access it and pass the private key as a parameter. That could be a huge security risk if you don't have full control over your server; someone would simply need to check the shell's cache... I'd recommend using mcrypt.
Posted: Fri Nov 12, 2004 2:47 pm
by timvw
I don't really see the security issue?
webhost [database holds public key and encrypted data]
securehost [holds private key]
- webhost only needs the public key to encrypt the data.
- the encrypted data may only be downloaded from webhost to securehost.
- then the decryption (using the private key) and processing of the data should happen on the secure host.
I don't see how that would make the private key available to the webhost.
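The two-host design timvw lays out in this post and in the earlier one (encrypt-only public key on the webhost, private key only on the securehost), as an added example that is not code from the thread or from any of its posters. It uses RSA-OAEP from the Go standard library in place of the gpg invocation timvw mentions, so that the whole flow runs stand-alone; the function names `GenerateKeyPair`, `WebHostEncrypt` and `SecureHostDecrypt`, the OAEP label, and the test card number are assumptions made for the illustration. It goes slightly beyond the post by also showing what an attacker holding the webhost's database (ciphertext plus public key) cannot do: decryption with any other key, or of a modified ciphertext, fails.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// oaepLabel ties each ciphertext to its purpose; both hosts must use the
// same label. (Hypothetical value chosen for this illustration.)
var oaepLabel = []byte("card-number")

// GenerateKeyPair is the one-time step that runs on the secure host. The
// private key never leaves that host; only the PEM-encoded public key is
// copied to the webhost (it may even sit in the same MySQL database as the
// ciphertexts, since it cannot decrypt anything).
func GenerateKeyPair() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return priv, pubPEM, nil
}

// WebHostEncrypt is everything the webhost is able to do: with only the
// public key it can append new ciphertexts to the database but cannot read
// any of them back, so a compromise of the webhost or its database yields
// ciphertext and a public key, nothing more.
func WebHostEncrypt(pubPEM []byte, cardNumber string) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	// RSA-OAEP with SHA-256. A card number is far below the ~190-byte limit
	// of a 2048-bit key, so this field needs no hybrid symmetric layer;
	// larger records would wrap a per-record symmetric key this way instead.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(cardNumber), oaepLabel)
}

// SecureHostDecrypt runs only on the secure host, on ciphertexts pulled
// from the webhost. OAEP fails closed: a wrong key or a modified ciphertext
// produces an error rather than garbage plaintext.
func SecureHostDecrypt(priv *rsa.PrivateKey, ciphertext []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	priv, pubPEM, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed test value (a well-known test PAN), not real card data.
	const pan = "4111111111111111"

	ct, err := WebHostEncrypt(pubPEM, pan) // runs on the webhost
	if err != nil {
		panic(err)
	}
	fmt.Printf("webhost stored %d bytes of ciphertext\n", len(ct))

	got, err := SecureHostDecrypt(priv, ct) // runs on the securehost
	fmt.Println("securehost recovered the PAN:", err == nil && got == pan)

	// A second key pair stands in for an attacker who holds the public key
	// and the database but not the securehost's private key.
	other, _, _ := GenerateKeyPair()
	_, err = SecureHostDecrypt(other, ct)
	fmt.Println("decryption without the right private key fails:", err != nil)
}
```

The design choice worth noting is the direction of data flow: the webhost pushes ciphertext out and never receives anything it could decrypt with, so the worst case on a shared or compromised webhost is the one Weirdan describes below, an attacker who can only add records.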
Posted: Fri Nov 12, 2004 2:50 pm
by patrikG
If you press <arrow key up> in a shell, it'll go through every shell command entered so far.
Posted: Fri Nov 12, 2004 3:46 pm
by Weirdan
It isn't a major security breach if one can obtain the public key, as all he will be able to do is add more information to the database.
Posted: Sat Nov 13, 2004 2:44 am
by patrikG
When you decrypt with GNUPG you have to pass it the private key. Yes, you can point it to a file, but on a shared server the security risk is really(!) considerable.
Posted: Sat Nov 13, 2004 3:20 am
by timvw
I agree that if decryption is going to happen on the shared/insecure server it is a waste of time (could have stored the data in plain text then),
but if the decryption/handling happens on a different, "secure" box, it seems quite safe to me.
(PS: the arrow-up thing is why we have unset hist(ory).)