Encryption

Panda On Smack

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,030
Hey people

I need to store Credit Card info in MS SQL via ASP and want to encrypt it etc

It will be running on an SSL url so that's covered, it's just encrypting the number for storage and then decrypting when needed.

Anybody done this before or got any pointers?

Thanks
 

SheepCow

Bringer of Code
Joined
Dec 22, 2003
Messages
1,365
There are a lot of 2-way encryption techniques. I don't know how many of them are actually worth using.
 

phlash

Fledgling Freddie
Joined
Dec 24, 2003
Messages
195
Are you absolutely sure you need to store the card details? My first reaction would be to avoid that entirely.

If you are sure, then do you need access to the card details while the card's owner is offline, or only when they are online to your site? This gives you the option of encrypting using a key supplied by the card owner (like an MD5 hash of their password), thus avoiding keeping any encryption keys on your system, and making stolen data much harder to crack. If you absolutely must be able to use their card details while they are offline (eg: regular billing for a service), then make sure the crypto key is not stored anywhere easily accessible from a hacked web front end (eg: on a system I worked on for a major telco, the database did all the encryption / decryption in stored procedures, this database was behind a firewall and obtained its crypto key dynamically from another system behind another firewall - the key was never saved on disk except at the original source, and the key was rotated regularly).

Edited to add: as for algorithms - Blowfish, AES, 3DES are all considered pretty secure.

HTH,
Phil
 

Deebs

Chief Arsewipe
Staff member
Moderator
FH Subscriber
Joined
Dec 11, 1997
Messages
9,076,937
3DES is not considered to be secure enough hence the new AES standard Rijndael being utilised.

Stay away from 3DES if you can and use AES256.

phlash said:
Are you absolutely sure you need to store the card details? My first reaction would be to avoid that entirely.

If you are sure, then do you need access to the card details while the card's owner is offline, or only when they are online to your site? This gives you the option of encrypting using a key supplied by the card owner (like an MD5 hash of their password), thus avoiding keeping any encryption keys on your system, and making stolen data much harder to crack. If you absolutely must be able to use their card details while they are offline (eg: regular billing for a service), then make sure the crypto key is not stored anywhere easily accessible from a hacked web front end (eg: on a system I worked on for a major telco, the database did all the encryption / decryption in stored procedures, this database was behind a firewall and obtained its crypto key dynamically from another system behind another firewall - the key was never saved on disk except at the original source, and the key was rotated regularly).

Edited to add: as for algorithms - Blowfish, AES, 3DES are all considered pretty secure.

HTH,
Phil
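Phil's "key supplied by the card owner" design combined with Deebs' AES-256 recommendation, as an added Go example (standard library only; not code from anyone in this thread). It swaps the bare MD5-of-password key for PBKDF2-HMAC-SHA256 with a random per-record salt, so nothing stored on the server can decrypt the record, and uses AES-256-GCM so a wrong password or an edited row is rejected rather than decrypting to garbage; the iteration count, the salt/nonce record layout and the function names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, the AES-256 key; 100k iterations is illustrative, raise it as far as login latency allows.
func deriveKey(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	key := mac.Sum(nil)          // U1; every later U value is XORed into it
	for u, n := key, 1; n < 100_000; n++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// aeadFor keys AES-256-GCM from the owner's password and a per-record salt (neither constructor can fail for a 32-byte key).
func aeadFor(password string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey([]byte(password), salt))
	aead, _ := cipher.NewGCM(block)
	return aead
}

// SealCard returns salt(16) || nonce(12) || ciphertext+tag; the server keeps no key at all.
func SealCard(password, cardNumber string) []byte {
	hdr := make([]byte, 28)
	rand.Read(hdr) // crypto/rand.Read cannot fail since Go 1.24 (it aborts the process instead)
	return aeadFor(password, hdr[:16]).Seal(hdr, hdr[16:], []byte(cardNumber), hdr[:16])
}

// OpenCard recovers the number; GCM fails closed on a wrong password or a tampered record.
func OpenCard(password string, blob []byte) (string, error) {
	if len(blob) < 28 {
		return "", errors.New("record too short")
	}
	pt, err := aeadFor(password, blob[:16]).Open(nil, blob[16:28], blob[28:], blob[:16])
	return string(pt), err
}
```

A record sealed this way is unrecoverable if the owner forgets their password, which is exactly the "only while they are online" trade-off Phil describes.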
 

phlash

Fledgling Freddie
Joined
Dec 24, 2003
Messages
195
Deebs said:
3DES is not considered to be secure enough hence the new AES standard Rijndael being utilised.

Stay away from 3DES if you can and use AES256.

Doh! Thanks Deebs :)

BTW - Panda - did this get anywhere?
 

MKJ

Fledgling Freddie
Joined
Jun 5, 2004
Messages
1,196
Hell - credit card details? Bugger that. There must be an alternative for sure.

Why?
 

Panda On Smack

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,030
I ended up just using WorldPay in the end as we use them already with the site

Thanks for the input though chaps, worth knowing.
 
