[PYTHON-CRYPTO] credit card encryption

Mark McEahern marklists at MCEAHERN.COM
Wed Jun 12 00:18:36 CEST 2002


[Paul Rubin]
> It sounds to me like you're dealing with two different problems:
>
> 1) protecting the secret key on the web server--that's easy, don't
>    have a secret key there.  That's presumably why you're using public
>    key encryption.

Yes, that's correct.  My plan is to store the public key on the web
server--NOT the private key.

> 2) Protecting the key on the separate server that talks to the payment
>    processor.  Is that done over the internet?  Is it a manual process?

The payment processor provides a binary that talks to it via SSL.  We have a
Python C extension that talks to that.  Ideally, the process could be both
automated and relatively secure.  Those may be mutually exclusive.  ;-)

>    The simplest approach is keep that server disconnected from the
>    internet except when processing payments (I'm imagining a daily
>    upload).  Unfortunately that means you can't do online card
>    verification when the customer places the order (it's nice to tell
>    them right away that their card was declined, because they entered
>    the wrong zip code or something like that).

We want to do authorize/settle stuff asynchronously from the customer
placing an order, so this is not an issue.  It will be a batch process, but
the question is whether that batch requires human intervention to succeed
(e.g., the human types in the passphrase that unlocks the private key for
one batch).

>    If you have to keep the payment
>    server online, firewall it so that it can't talk to anything except
>    the card processor and the web server.  Better yet, don't connect
>    it to the web server by TCP/IP.  Connect it by serial port instead,
>    to further lower the chance of anyone rooting the payment server
>    by breaking through some TCP service.

This is helpful.  We haven't figured out the exact network layout, but it
will most certainly be locked down more than the web servers.  ;-)

> The really hardcore way to protect online secret keys is by generating
> and storing them in a crypto hardware module.  See for example
> www.ibutton.com (look at the java crypto ibuttons) for examples.
> You're supposed to do this if you're processing a lot of transactions
> or storing a lot of card numbers (like 100's of thousands).

If we get to that point, we'll worry about more fancy stuff.  I'm trying to
design something that is reasonably secure for thousands, tens of thousands,
of credit cards.  For what we're doing, that scale would be wildly
successful.

> I don't mean to be looking for opportunities to plug my own code but I
> also have a library documented at
>
>     http://www.nightsong.com/phr/python/crypto.txt
>
> which is written in pure Python.

Awesome.  I'm least concerned about performance at this point.  I just want
to make sure I take proper precautions, etc.

Thanks,

// mark
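The split discussed in this thread (web server holds only the public key, the isolated payment server holds a passphrase-protected private key and decrypts a batch) can be sketched as hybrid encryption. The following is an added example, not code from this thread or from Paul Rubin's library; it assumes the `cryptography` package, and the card record, passphrase and associated-data label are constructed sample values. Each record gets a fresh AES-GCM data key, which is wrapped with RSA-OAEP, so the web tier never needs anything that can decrypt.

```python
"""Added example: public-key capture on the web tier, batch decrypt on the
payment tier. Assumes the `cryptography` package (not part of the thread)."""
import base64
import json
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Constructed label binding ciphertexts to this record format/version.
BATCH_LABEL = b"card-batch-v1"
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def make_keypair(passphrase: bytes) -> tuple[bytes, bytes]:
    """Run once on the payment server. Only pub_pem is copied to the web tier;
    priv_pem is stored encrypted under the operator's passphrase."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    priv_pem = priv.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(passphrase))
    pub_pem = priv.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem


def encrypt_record(pub_pem: bytes, record: dict) -> dict:
    """Web tier: encrypt one order's card data with a fresh data key, then wrap
    that key with the public key. Nothing here can reverse the operation."""
    pub = serialization.load_pem_public_key(pub_pem)
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)                      # unique per data key, never reused
    plaintext = json.dumps(record, sort_keys=True).encode()
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, BATCH_LABEL)
    wrapped = pub.encrypt(dek, OAEP)
    # The plaintext dek goes out of scope here; the web tier keeps only this.
    return {"wrapped_key": _b64(wrapped), "nonce": _b64(nonce),
            "ciphertext": _b64(ciphertext)}


def decrypt_batch(priv_pem: bytes, passphrase: bytes, envelopes: list) -> list:
    """Payment tier: the operator supplies the passphrase once per batch, the
    private key is unlocked in memory, and every envelope is opened.
    A wrong passphrase raises ValueError; a tampered envelope raises
    cryptography.exceptions.InvalidTag."""
    priv = serialization.load_pem_private_key(priv_pem, password=passphrase)
    records = []
    for env in envelopes:
        dek = priv.decrypt(base64.b64decode(env["wrapped_key"]), OAEP)
        plaintext = AESGCM(dek).decrypt(base64.b64decode(env["nonce"]),
                                        base64.b64decode(env["ciphertext"]),
                                        BATCH_LABEL)
        records.append(json.loads(plaintext))
    return records


def demo() -> list:
    """Round trip with constructed sample data (a standard test card number)."""
    priv_pem, pub_pem = make_keypair(b"batch-operator-passphrase")
    envelopes = [encrypt_record(pub_pem, {"order": 1001, "pan": "4111111111111111",
                                          "exp": "12/04"}),
                 encrypt_record(pub_pem, {"order": 1002, "pan": "4111111111111111",
                                          "exp": "01/05"})]
    return decrypt_batch(priv_pem, b"batch-operator-passphrase", envelopes)


if __name__ == "__main__":
    print(demo())
```

The point to notice is which side holds what: the web tier's persistent state is `pub_pem` plus envelopes it cannot open, and the batch either runs attended (someone types the passphrase) or the passphrase itself has to live on the payment server, which is exactly the trade-off the thread is weighing.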
