Actually, the safest thing to do is never store the credit card
number in clear text at all. Decrypt it only when it needs to be
transmitted to the merchant bank, over their SSL connection.
That way if the file or database the CCNs are stored in is ever
compromised, you haven't lost the confidentiality of the credit
card numbers.

-----Original Message-----
From: Stefán F. Stefánsson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 17, 2001 8:36 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: TOMCAT ENCRYPTION OF CREDIT CARD NUMS???????


The only thing you probably need to do is make sure nobody can look at
the credit card information while it's being sent from the client to the
server.  Regular HTTP is text based so everything going over the wire
can actually be read by a person, that person could be mr. Evil Man and
he could therefore see the credit card number in plain text.  So what
you would need to do is encrypt the credit card number before it leaves
the client browser.  The only (IMHO) decent way of doing this is to set
up an SSL connection with the client.  What that means is you encrypt
everything that's going from the client and the server.  This is done by
setting the webserver up to support SSL (HTTP over SSL is called HTTPS
and all urls begin with https://yadiyadiya.bla).  I can't really give
you much more information about how you would set that up since I'm not
very familiar with how to set up parts of websites with https and other
parts with http.  I could tell you how to encrypt all connections coming
in to your website but that is probably a big overhead since you
probably don't need to encrypt everything the user does on the web (what
he/she puts in his/her shopping cart or whatever) but just need to
encrypt the credit card number.  You can find info on Tomcat SSL in
http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/tomcat-ssl-howto.html

Now if you need to store the credit card encrypted in a database once
the server receives it then you should look at:
http://www.javasoft.com/products/jce/index.html

The recommended encrypt/decrypt algorithm would be an algorithm called
Triple DES and you should probably be able to find something about it
somewhere on that site.  Look at the API docs and especially at the
javax.crypto.Cipher class.

Hope this helps at all.

Regards, Stefan

p.s. it would be interesting to know exactly what you were meaning
though... do you need to encrypt the card number to store it in a
database or do you just need to encrypt the communication between
client/server?

-----Original Message-----
From: Mary McCarthy [mailto:[EMAIL PROTECTED]]
Sent: 17 January 2001 02:35
To: [EMAIL PROTECTED]
Subject: TOMCAT ENCRYPTION OF CREDIT CARD NUMS???????


Hi all,
Help badly needed by anyone with ANY information on the following:
I am designing an online booking system using JSP, Java Beans and Tomcat
for a project at uni.
Does anyone have any information on how to encrypt a credit card number
with Tomcat in mind. Surely there is some code I could take from somewhere
to help me. Credit card security is a side project on top of my booking
system. If anyone knows of any documentation or code available on the web,
please mail me as all I can seem to find is companies offering to sell me
their security systems for $500!!!!!
A big thanks in advance!!


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, email: [EMAIL PROTECTED]