I got some code from this very site demonstrating how to do credit card
encryption and I was wondering if someone here could help me understand
the code.
def crypt_number
c = cipher
c.encrypt
c.key = key
c.iv = self.iv = generate_iv(passphrase)
end
def cipher
Open::Cipher::Cipher.new(“aes-256-cbc”)
end
def key
Digest::SHA256.digest(@@CreditCardSecretKey)
end
def generate_iv(Passphrase)
encode_into_base64(DIgest::SHA1.hexdigest(passphrase))
end
def encode_into_base64
Base64.encode64(string).chomp
end
I am trying to understand the basics about encryption. I’m not sure if
this code is even something I can use, I just want to better understand
so I can write my own program as needed.
I guess the parts that I am confused about are c = cipher and what c.iv
= self.iv = generate_iv(passphrase) is doing. I understand that the
c.encrypt is just encrypting the credit card number, just not about the
rest. Is the c = cipher saying how the long the key will be? And I have
no idea about what the c.iv stuff is doing. Thanks,
the
rest. Is the c = cipher saying how the long the key will be? And I
have
no idea about what the c.iv stuff is doing. Thanks,
c = cipher is just caller the cipher method defined above, which just
does Open::Cipher::Cipher.new(“aes-256-cbc”), i.e. give me a new
cipher object that does 256bit AES in CBC mode. c.encrypt says that
you want to encrypt and the iv is the initialization vector. You can
read up on that if you want, essentially it’s just one of the
parameters for the encryption
The code uses sha256 to hash the secret key, then uses aes-256 (aes
cipher with a 256-bit key) in cbc mode which means cipher block
chaining. This does not mean you are using a 256-bit key. If you hash
“1234” you have at BEST a 8 bit or so key. I would use a string that
is randomly generated using strong random sources and make it a long
string.
The cipher used is symmetric so if the server encrypts the cc number
it can also decrypt it. You probably do not want thatcas anyone who
can get your database probably has your code too.
Really, huge problems always occur when someone who knows little of
cryptosystems and how to apply them runs off and writes something.
This is now meant as an insult. I believe if you need this
functionality the questions you are asking lead me to believe you are
not yet ready to do it yourself.
–Michael
On Nov 26, 2007, at 8:11, Shandy N. <rails-mailing-list@andreas-
I agree with Michael above. Start by reading “Applied Cryptography” by
Bruce Schneier (http://www.schneier.com/).
Best regards, Ricardo
Thanks for the link. I know that I am may not be ready to do it myself
but everyone has to start somewhere. Also, I have a boss who knows what
he wants and how to do it and the fact that he is very knowledgable,
especially when it comes to cryptography, leads me to beleive that I’ll
be fine. I do appreciate all the advice though.
There are certain laws and guidelines about storing credit cards. First,
any
credit card that is stored on your machine that is stolen without being
a
certified server runs the risk of not being covered by insurance and you
could be held liable.
Just don’t store credit card numbers. Store the transaction ID, it’s
just as
good to do pre-auths, purchases, and returns, but you won’t be able to
do
1-click ordering with saved credit cards. If do you, then research it
more
on Google for PCI Compliance.
he wants and how to do it and the fact that he is very knowledgable,
especially when it comes to cryptography, leads me to beleive that I’ll
be fine. I do appreciate all the advice though.