Using a PHP encoder or compiling a binary does not make it more secure
than storing the IV and encryption key in plain text in a PHP script.
The problem is the fact that the encryption cipher requires the same key
for encryption and decryption. This is not a problem in many encryption
cases, but in cases where you want to be able to encrypt but not decrypt
the information on the server, public key encryption is the better
solution, which unfortunately mcrypt does not support.

Using a compiled/encoded program is just security through obscurity
which is an illusion and definitely not something you want to do with
credit card numbers.

Jason
On Thu, 2003-01-30 at 08:03, Adam Voigt wrote:
> Granted, the $350 stand-alone encoder is a bit expensive. I'm talking
> about the online encoder though: you pass your PHP script through the
> online control center and it outputs the encrypted version. A typical
> PHP program is $5.00 (yes, that's five dollars). Try selecting your code
> after you register for a free account; it will tell you how much it
> would cost to encode it. And after it is encoded, the decoders (the
> things you put on the server to run the encrypted programs) are 100%
> free.
> 
> 
> On Thu, 2003-01-30 at 10:03, Mike Morton wrote:
> 
>     Adam/Lowell:
>     
>     Thanks for the suggestions – but like all clients – they want
>     maximum function for minimum $$ - encoders are therefore not a
>     possibility (but I will keep that in mind for future apps :)) 
>     
>     Thanks.
>     
>     On 1/30/03 9:55 AM, "Adam Voigt" <[EMAIL PROTECTED]> wrote:
>     
>     
> 
>         http://www.ioncube.com/ 
>         
>         Encrypt PHP scripts (they're pretty cheap too).
>         
>         On Thu, 2003-01-30 at 09:30, Mike Morton wrote: 
>         I want to use the mcrypt functions to encrypt credit card
>         numbers for storage in a MySQL database, which mcrypt does
>         admirably:
>         
>         $key = "this is a secret key";
>         $input = "Let us meet at 9 o'clock at the secret place.";
>         $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC), MCRYPT_RAND);
>         
>         $encrypted_data = base64_encode(@mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $input, MCRYPT_MODE_CBC, $iv));
>         
>         The trouble is the key and the IV. Both of these have to be
>         available in the merchant's administration for retrieval of the
>         credit card, thus need to be stored somewhere, most likely on the
>         server or in a database. Here is the problem: if someone gets to
>         the database and retrieves the encrypted credit card, the chances
>         are that they are able to also retrieve the script that did the
>         encryption, thus find out where the key and IV are stored, making
>         it simple to decrypt the credit card for them.
>         
>         The only solution that I can see is to use an asymmetric
>         encryption and have the merchant enter the decryption key at the
>         time of credit card retrieval, but that is unrealistic from a
>         User Interface point of view.
>         
>         So the only other thing that I can see to do is have a compiled
>         program, bound to the server, that has the key compiled into the
>         program. I am not a C programmer, so this is also not exactly
>         possible.
>         
>         Does anyone else have any answers or has anyone else run into
>         this? Is this just a general problem with doing encryption
>         through PHP as opposed to a compiled binary? Can anyone suggest a
>         solution to this problem?
>         
>         Thanks :)
>         
>     
>     --
>     Cheers
>     
>     Mike Morton
>     
>     ****************************************************
>     *
>     *  E-Commerce for Small Business
>     *  http://www.dxstorm.com
>     *
>     * DXSTORM.COM
>     * 824 Winston Churchill Blvd,
>     * Oakville, ON, CA L6J 7X2
>     * Tel: 905-842-8262
>     * Fax: 905-842-3255
>     * Toll Free: 1-877-397-8676
>     *
>     ****************************************************
>     
>     "Indeed, it would not be an exaggeration to describe the history of
>     the computer industry for the past decade as a massive effort to
>     keep up with Apple."
>     - Byte Magazine
>     
>     Given infinite time, 100 monkeys could type out the complete works
>     of 
>     Shakespeare. Win 98 source code? Eight monkeys, five minutes. 
>     -- NullGrey 
>     
> 
> -- 
> Adam Voigt ([EMAIL PROTECTED])
> The Cryptocomm Group
> My GPG Key: http://64.238.252.49:8080/adam_at_cryptocomm.asc
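The approach Jason describes, as an added illustration that is not code from anyone in this thread: the web server holds only a public key and can encrypt card numbers, while the private key (and its passphrase) lives with the merchant and is used only at retrieval time. This uses PHP's OpenSSL extension in place of mcrypt; key generation is shown inline only so the script runs stand-alone, and the passphrase and card number are constructed test values.

```php
<?php
// Added example: encrypt-only on the server with RSA-OAEP via PHP's OpenSSL extension.
// In deployment the key pair is generated off the web server and only $publicPem is
// copied to it; $privatePem stays with the merchant (e.g. a passphrase-protected file
// loaded only when a card must be retrieved). Generated inline here so the script runs.

const PASSPHRASE = 'merchant passphrase (constructed)'; // constructed test value

function make_keypair(): array {
    $res = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($res === false) {
        throw new RuntimeException('keygen failed: ' . openssl_error_string());
    }
    // Private key exported under a passphrase; the merchant supplies it at retrieval time.
    openssl_pkey_export($res, $privatePem, PASSPHRASE);
    $publicPem = openssl_pkey_get_details($res)['key'];
    return [$publicPem, $privatePem];
}

// Runs on the web server: needs only the public key, so a copied database plus copied
// scripts do not yield card numbers. OAEP padding is randomised, so equal card numbers
// give different ciphertexts and there is no IV to store. A card number is far below
// the RSA-2048 OAEP size limit, so no hybrid (session-key) scheme is needed here.
function encrypt_card(string $pan, string $publicPem): string {
    if (!openssl_public_encrypt($pan, $cipher, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($cipher); // this is what goes into the MySQL column
}

// Runs only where the private key and its passphrase are available.
function decrypt_card(string $b64, string $privatePem, string $passphrase): string {
    $key = openssl_pkey_get_private($privatePem, $passphrase);
    if ($key === false) {
        throw new RuntimeException('bad private key or passphrase');
    }
    $raw = base64_decode($b64, true);
    if ($raw === false || !openssl_private_decrypt($raw, $pan, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decrypt failed: ' . openssl_error_string());
    }
    return $pan;
}

[$pub, $priv] = make_keypair();
$stored = encrypt_card('4111111111111111', $pub); // constructed test card number
assert(decrypt_card($stored, $priv, PASSPHRASE) === '4111111111111111');
echo "round trip ok\n";
```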


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
