[PLUG] Encrypted data pass-phrase
Jason R. Martin
nsxfreddy at gmail.com
Sat Jul 22 15:48:54 UTC 2006
On 7/20/06, Roderick A. Anderson <raanders at acm.org> wrote:
> If that isn't vague enough I'll try to confuse it some more with details.
>
> I'm working on a system that needs to run charges against customers
> credit cards periodically or sporadically. This will typically be more
> than one card at a time at a time and could happen anywhere from once a
> year to twice a day.
>
> The CC numbers are encrypted before being stored.
>
> We'd prefer to not have someone sitting at the console :-) entering the
> pass-phrase for each run.
>
> We've come up with several ideas how to make this fairly secure and
> hands-off but I have the impression several on the list have done
> something similar and might have other ( better ) ideas.
I don't have any specific recommendations. However, I'll point out
that a false sense of security is worse than no sense of security.
Encryption is easily mis-used, and by its very nature gives a sense of
security that may or may not be deserved. If the passphrase/key for
the encrypted data is stored on the same system as the encrypted data,
and that system is compromised, then there is no value added by the
encryption.
You may want to consider an independent security assessment of the
system before going live with anything.
Jason
More information about the PLUG
mailing list