On 30 Aug 2003 23:15:03 -0400, [EMAIL PROTECTED] (K Old) wrote:
>Hello everyone,
>
>I'm in need of storing a few pieces of text in a text file on my server
>and want to keep it encrypted, but not permission restricted as Apache
>will need to read it and my webserver runs as the nobody user.
>
>I'm using the Business::OnlinePayment::AuthorizeNet module to process
>transactions, and would like a secure way to store my transaction-key on
>my server, rather than keeping it as plain text in my perl script.
>
>It looks something like: N5GjgbQ32au8X3kf (16 characters A-Za-z0-9)
>
>I've looked at several of the encryption modules and am looking for
>suggestions of modules to use. I have been looking at Crypt::Blowfish
>and it seems to serve my purpose, but I have a few questions.
>
>using this code from the Blowfish module page:
>
> my $key = pack("H16", "0123456789ABCDEF"); # min. 8 bytes
> my $cipher = new Crypt::Blowfish $key;
> my $ciphertext = $cipher->encrypt("plaintex"); # SEE NOTES
> print unpack("H16", $ciphertext), "\n";
>
>If I were to store $ciphertext in a text file on my server and when I need it
>run unpack using the $key, wouldn't someone who had the $key be able to decrypt
>whatever the $ciphertext is?
>
>Basically I need to have a perl script accessible from the web, yet keep anyone
>on the server from being able to view the $key.
>
>Does any of this make sense?
>
>Anyone have ideas?
Yeah, you are running into a common problem which people who run on remote servers face. The people who have root on the server will be able to read your key. Can you trust them, or their security? About all you can do is try to obfuscate the password, so that it will take a clever user to de-obfuscate it. For the most part, all you really need to do is be able to demonstrate that you were not negligent in letting others see the cc data. So use the blowfish to encrypt the data, then work on a way of making a cracker jump through about 6 hoops to get at your $key.

Hopefully one day, we will all have fiber-optic lines into our homes, and can run our own servers, and provide our own security, and be root ourselves.

Something like Acme::Bleach would be a first step toward hiding $key, and there are other sneaky methods. Be creative, change module names, so it's confusing. Use a lot of layers.

I've liked this little script compiler http://www.datsi.fi.upm.es/~frosal

It takes your perl code and encrypts it and makes it a c program. It can be broken by a smart perl hacker, but it does hide your keys from the casual observer. Use it to encrypt a script which outputs the key when called. Do something sneaky, like only output the correct key if you feed it certain things on the command line, which change constantly. Be creative as you can be, maybe log each time it is run, so you can detect hacking attempts, have it only work if run from a certain directory, etc, etc.

Good luck.

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
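The following is an added example for the scenario in the question and the caveat in the reply; it is not code from either poster or from the Crypt::Blowfish documentation. It stores an encrypted copy of a 16-character transaction key on disk, decrypts it at request time, and refuses to use the file if other accounts on the box can read it. The Blowfish key, the sample transaction key, and the file path are constructed placeholders. Two points it makes concrete: Crypt::Blowfish encrypts one 8-byte block per call, so the asker's 16-character key needs two calls (the doc snippet only shows one); and since the decryption key has to live in the script, the file mode bits, not the cipher, are what keep other unprivileged users out. Root, as the reply says, can read everything on the host regardless.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): keep an encrypted copy of a
# 16-character transaction key on disk, decrypt it at request time, and
# refuse to use the file if other accounts on the box can read it.
use strict;
use warnings;
use Crypt::Blowfish;

# Constructed values. A Blowfish key is 8..56 bytes; this one is 16 bytes
# built from 32 hex digits. Anyone who can read this line can decrypt the
# file, so the script itself must be kept as private as the key file.
my $key     = pack("H32", "0123456789ABCDEF0123456789ABCDEF");
my $txn_key = "ExampleTxnKey123";   # 16 chars = two 8-byte Blowfish blocks
my $path    = "/tmp/txn-key.enc";   # placeholder path for this example

# Crypt::Blowfish works on one 8-byte block at a time, so a 16-byte secret
# needs two calls. ECB is acceptable for a single random 16-byte value;
# use Crypt::CBC on top of it for anything longer or with repeating structure.
sub encrypt_hex {
    my ($cipher, $plain) = @_;
    die "plaintext length must be a multiple of 8 bytes\n" if length($plain) % 8;
    my $out = '';
    for (my $i = 0; $i < length $plain; $i += 8) {
        $out .= $cipher->encrypt(substr($plain, $i, 8));
    }
    return unpack("H*", $out);      # hex so the file stays plain text
}

sub decrypt_hex {
    my ($cipher, $hex) = @_;
    my $ct  = pack("H*", $hex);
    my $out = '';
    for (my $i = 0; $i < length $ct; $i += 8) {
        $out .= $cipher->decrypt(substr($ct, $i, 8));
    }
    return $out;
}

# Refuse a key file that is group- or world-readable. File permissions, not
# the cipher, are what keep other unprivileged users out; root can read
# anything on the host regardless.
sub read_private_file {
    my ($file) = @_;
    my @st = stat($file) or die "cannot stat $file: $!\n";
    my $mode = $st[2] & 07777;
    die sprintf("%s is mode %04o; it must not be group/world readable\n", $file, $mode)
        if $mode & 0077;
    open my $fh, '<', $file or die "cannot open $file: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# One-time setup, run by hand as the account the web server uses (nobody
# in the original post), so the file is created mode 0600 under that user.
sub store_secret {
    my ($file, $cipher, $secret) = @_;
    my $old_umask = umask 077;      # new file gets mode 0600
    open my $fh, '>', $file or die "cannot write $file: $!\n";
    print {$fh} encrypt_hex($cipher, $secret), "\n";
    close $fh;
    umask $old_umask;
}

# Request time: check the file's mode, then decrypt.
sub load_secret {
    my ($file, $cipher) = @_;
    my $hex = read_private_file($file);
    $hex =~ s/\s+\z//;
    return decrypt_hex($cipher, $hex);
}

my $cipher = Crypt::Blowfish->new($key);
store_secret($path, $cipher, $txn_key);
my $recovered = load_secret($path, $cipher);
die "round trip failed\n" unless $recovered eq $txn_key;
print "round trip ok; stored ", -s $path, " bytes at $path\n";
```

Running it once as the web server's user creates the file with mode 0600 and prints the round-trip result; if someone later loosens the mode (for example to 0644), load_secret dies instead of handing out the key, which gives a web script a clear failure to log rather than a silent leak.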