Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re: **Another 2 questions: Encrypting forms and credit card numbers

by diotalevi (Canon)
on Feb 09, 2003 at 16:28 UTC ( [id://233918]=note: print w/replies, xml ) Need Help??


in reply to **Another 2 questions: Encrypting forms and credit card numbers
in thread Safe symmetric encryption - Crypt::CBC + Crypt::Blowfish?

On the general question I asked — theorbtwo had a wonderful suggestion that lets me completely avoid having to deal with encryption at all. If I had to use encrypted data then I wouldn't be able to cycle through keys at will since other people would be holding the encrypted data. The best comprimise might be to use new keys for new data and switch as the opportunity arised.

If you're curious, theorbtwo suggested that I store all the data myself and only pass out tokens which reference the stored data. To do this, I'd store a key, an incrementing counter and then publish counter values and the Digest::SHA1 value of counter+secret. This also lets me change the key at will since all I have to do is store the expected counter and hash. Since random data is precious I have no idea how often I'd get a new secret but its also overkill for this application.


Now, mattr. This whole credit card deal is a tricky business. My first suggestion to you is to subscribe to the secprog list on securityfocus.com. You are about to step right from the deep-end of the swimming pool into the Atlantic ocean. You are going to need to be well armed when you go back to your client and change the requirements (what you've described so far requires an unsecure configuration). Read the archive and especially read the entire thread named "PGP Scripting". It sounds like that person's problem somewhat parallels yours.

Now here's my inexpert analysis (but augmented by what I've learned from being on that list). You cannot allow the server to decrypt the data. Ever. The key ideas to follow here are obfuscation and barriers. You're installing a level of obfuscation by doing things that might make the job technically more difficult but will not stop a determined attacker (oh yes, you must also write up an attack summary). This includes any use of encryption on the server where an attacker can decrypt your data.

The other level: a barrier is where you need to get to. The difficulty is that this is difficult. In general, your best bet is to use some form of encryption on the unsecure server, send the data elsewhere and on unrelated networks, only then can you decrypt the data and it never goes back to the front-facing server. This of course, implies that your application can never deliver plaintext card data. Your user cannot enter a password to get the data. That's just bad design. What you might do is restrict access to the encrypted data and then have your user do the decryption.

I think your question is too important and too hairy to be addressed by me in a response thread to an unrelated question. Ask in a new SoPW question and ask on the secprog list. I'm suggesting both because while the secprog list will probably furnish better answers the perl folk here will benefit by whatever gems are mentioned in responses but since secprog is chock full of people whose job it is to think of these problems, it'll have superior answers, generally.


Seeking Green geeks in Minnesota

Replies are listed 'Best First'.
Re: Re: **Another 2 questions: Encrypting forms and credit card numbers
by mattr (Curate) on Feb 10, 2003 at 14:41 UTC
    Thank you very much for your detailed response. I understand what you are saying and of course I could provide a perl app to run on the adminitrator's local machine which would decrypt a downloaded csv file.

    I do require ssl and a login to get to the management page, though hearing your opinion I would be inclined to be doubly sure I am not storing password as plaintext. Also I have a different login/password for the staff and for the manager(s) at the company who actually need to see the credit card numbers. Question of whether that is enough or not. Considering it's just a junky virtual host account somewhere I guess the admin can do many bad things to it, but I think getting the cc numbers would require that either he can listen in on the script's decrypting process (possible if he changes my code) or crack the ssl session (I don't think so but hey it's his openssl).

    My insights so far: I need to ask a SOPW and immediately plan on providing a perl utility (hopefully perlcc since installing perl might be a hassle) then try some perl gui-ness.. can you spell ballooning?

    Oh the insights from that thread, right.. it is not tamperproof hardware, memory is not safe especially since I'm not root. Also I don't have time to look at strings /dev/kmem or looking at /proc/*/kmem or ptrace which I guess maybe someone could do if they're really quick while script is executing for a few seconds a day. Realistically this is really not a problem for my current app but what if I used the same system for something bigger in the future.. Okay I'm only half way through and it is a long thread. I think the question to ask (think I know the answer already though) is how safe is perl when decrypting from remote machine over ssl? If I get more insights from rest of thread will update here. Thanks.

    This post I'm not familiar with the systems he mentions. Sounds like something a bit magical which is definitely not going to be available on a cheap provider anyway.

      Prepended I am going to follow this up with more detail later - I'm off to work and don't have time to drop anything except the briefest of notes

      Actually... that was the really short and abbreviated answer. I gave only the merest sketch of an outline of where the answer might be. From what you've said it sounds like you should be paying a billing company to handle this for you. You are not equipped to solve this problem given the resource limits you've intimated at. You have no business taking people's credit cards at whatever site this is. Shame on you if you do. This is a good time to familiarize yourself with Abigail's Oath.


      Seeking Green geeks in Minnesota

        Sorry I think you've misplaced your moral authority somewhere. I didn't ask for you to shame me and am perfectly capable of making a balanced choice between development costs, client requests, potential losses, and real security levels acheived. Something you can't since you don't know the whole story. So not shamed, thanks anyway.

        To assuage your and other people's fears, this is a relatively low volume signup form for a seminar which shold run for a couple months on a virtual hosting site. It is mainly for domestic people who are not offered a credit card option, but the English page will have that option for a very small number of people, like maybe 5 or 10 people.

        The information you provided was useful in that the point (with which I was already familiar in fact) was stressed that a machine you don't own is far less secure than one you do own behind a firewall.

        My main question was about which modules were best, and I am also taking the additional information to heart and considering providing a client-side perl system to decrypt. However I will be discussing this with the project manager as I happen to be getting this as a low budget outsourced project which had this tacked on at the end, though if it goes well my system may be used for more projects in the future. And I am generally extremely responsible and the security advocate for this 50 person company.

        Likely the decision will be to temporarily provide an online decrypt session function as I mentioned, where private key is inputted into a form over ssl by a manager, until transitioned out of that. (Probably this transition to be completed before actual launch if possible).

        Typical risk management calculations make this the most intelligent course and I am willing to invest for free in providing an offline decrypt. It might even be a competitive advantage in the future too. However I have to consider the best way to package this for easy installation on a windows pc without me being there. It has been obvious to me for a long time that a real e-commerce site needs to do decryption offline and preferably with an air gap. This project wasn't really supposed to handle sensitive information but now I am trying to make a balanced decision. I probably will also suggest that a note is added to the English site that the user may fax card numbers to the office from overseas if they wish to do so instead, and explain how they may wish to just do all credit cards by fax instead as there is very little development budget.

        If anyone can relate their experience with using Perl public key encryption modules, or about an easy way to accomplish this offline decrypt app it would be much appreciated. Just so you know where my thinking is, it would be nice to have a gui but I don't want to mess with Tk or WxPerl unless it is going to be very quick and I know it won't be. It might be more work but also I could imagine cygwin1.dll, a cygwin apache, and a perl cgi solution running on a local pc. But that may have too many potential setup problems (e.g. their firewall software, different cpus, temptation to spread data around several machines, etc.). So a simple application (maybe even a freeware utility which already can do this) would be best.

        Thank you very much for your pointers and please rest assured that I'll do "the right thing". Despite this project actually being way over budget / under scheduled, (nothing new there). I think this information will be very useful to others who are in the same position. Any concrete information (code is also nice) on how to bring development time down to an absolute minimum on this without sacrificing security would be extremely helpful, as I prefer not to reinvent the wheel. Thanks again.

        Sincerely,
        Matt

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://233918]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others browsing the Monastery: (4)
As of 2024-03-28 23:20 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found