Re: Storing Credit Card Info?

From: James F.Hranicky
Subject: Re: Storing Credit Card Info?
Msg-id: 20020321234020.79c852f9.jfh@cise.ufl.edu
In reply to: Re: Storing Credit Card Info?  ("Greg Sabino Mullane" <greg@turnstep.com>)
List: pgsql-general
On Wed, 13 Mar 2002 16:40:41 -0000
"Greg Sabino Mullane" <greg@turnstep.com> wrote:

> However, it fails to protect against someone breaking into the application
> box and getting the encryption key and/or reading credit card numbers after
> they are decrypted. Unfortunately, there is no simple way to defend against
> this, besides the obvious securing of the box, because at some point the
> application will need the credit card information "in the clear." You can

How about having the form public-key encrypt the data, then store that in
a db? The private key is on the ordering box, which is locked down as tight
as possible.

To get the info, you have to get into the ordering box (which only connects
to other machines, and allows no incoming connections at all), or get
into the web server and send a SEGV to the web server (or cgi, etc) and
dig through the core dump.

I plan on setting up a web-based account registration system like this...
someday.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
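
The split proposed in this message, sketched as an added example (not code from the original post or from anyone in the thread): the web tier encrypts with a public key, the db stores only ciphertext, and decryption happens where the private key lives. It assumes Node.js's built-in `crypto` module with RSA-OAEP; the function names, row columns, order id and the use of the order id as OAEP label are hypothetical choices made for the illustration.

```javascript
const crypto = require('node:crypto');

// Constructed key pair for the demo. In the proposed layout the pair is made
// on the ordering box and only publicKey is ever copied to the web server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Web server side: needs the public key only. Returns the row to store.
function sealCard(pubKey, orderId, cardNumber) {
  const digits = cardNumber.replace(/[ -]/g, '');
  if (!/^\d{12,19}$/.test(digits)) throw new Error('not a card number');
  // The order id goes in as the OAEP label, so a ciphertext copied onto
  // another order's row will not decrypt there.
  const ct = crypto.publicEncrypt(
    { key: pubKey, ...OAEP, oaepLabel: Buffer.from(orderId) },
    Buffer.from(digits, 'ascii'));
  return { order_id: orderId, last4: digits.slice(-4), card_enc: ct.toString('base64') };
}

// Ordering box side: the only place the private key exists.
function openCard(privKey, row) {
  const pt = crypto.privateDecrypt(
    { key: privKey, ...OAEP, oaepLabel: Buffer.from(row.order_id) },
    Buffer.from(row.card_enc, 'base64'));
  return pt.toString('ascii');
}

// Can a holder of this key material read the stored row?
function canDecryptWith(key, row) {
  try { openCard(key, row); return true; } catch { return false; }
}

// Constructed sample: a widely used test number, not a real card.
const row = sealCard(publicKey, 'order-1001', '4111 1111 1111 1111');
console.log('stored row:', row.order_id, row.last4, row.card_enc.length, 'base64 chars');
console.log('web server key can decrypt:', canDecryptWith(publicKey, row));
console.log('ordering box key can decrypt:', canDecryptWith(privateKey, row));
```

OAEP is randomized, so the same card encrypts to a different `card_enc` each time and the stored column cannot be used for equality lookups. The number is still in the web server's memory while the request is handled, which is the core-dump path the message mentions.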
