[PYTHON-CRYPTO] encrypting credit card numbers

Mark McEahern marklists at MCEAHERN.COM
Tue Jun 11 19:38:46 CEST 2002


I need to encrypt credit card numbers.  When the card number arrives at the
web server, I plan to encrypt it with a public key and send it to a database
the web server only has write access to.  Then, later, a separate server
reads the encrypted card number, decrypts it with the private key, and sends
it to the payment processor.

I'm not a cryptography expert.

I've found two packages that offer public key encryption for Python:

        M2Crypto (http://www.post1.com/home/ngps/m2/)
        amk's Crypto toolkit (http://www.amk.ca/python/code/crypto.html)

Both offer an implementation of RSA.  In the preliminary searching I've done
on RSA, there seems to be an issue related to padding.  The M2Crypto
encrypt/decrypt methods have an option to specify a type of padding (e.g.,
pkcs1_padding).  amk's Crypto offers no such options.

Do I have to worry about padding?

Are there recommended strategies for padding in amk's Crypto with RSA?

Simplistically, I would probably add a fixed amount of random information to
the credit card number before encrypting it.  Is that sufficient?

The thing I'm most leery about is key management.  M2Crypto provides a way
to protect the private key with a passphrase.  amk's Crypto suggests using
pickle to save the key(s).  I suppose I could use SHA to generate a key from
a passphrase, and then use that key to symmetrically encrypt the private key
data before I save it to a file.  Of course, how does the batch process for
sending payment information to the payment processor get access to the
private key?  I haven't resolved that issue.  Worst case scenario is the
batch has to wait until someone types in the passphrase to unlock the
private key.

Can anybody point me to resources for key management?

Any other feedback, comments, suggestions would be most helpful.

Thanks,

// mark
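An added worked example on the padding question (not code from the post, from M2Crypto, or from amk's toolkit). It uses a toy textbook RSA built from two fixed Mersenne primes, a constructed Visa test number, and an assumed 64-bit random filler to show why "do I have to worry about padding?" is a yes: unpadded RSA is deterministic, and a card number has little entropy, so anyone holding the public key and a copy of the database can encrypt guesses and compare. The attack scenario (attacker knows all but the last four digits) is constructed for the demo.

```python
import secrets

# Toy parameters: fixed Mersenne primes so the example is deterministic and
# needs no prime generation. Real keys are generated, large and secret.
P = 2**89 - 1
Q = 2**107 - 1
E = 65537

PAD_BITS = 64  # assumed size of the random filler in the padded variant


def toy_keypair():
    """Return (public, private) as (n, e) and (n, d) for the toy modulus."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return (n, E), (n, d)


def encrypt_raw(pub, m):
    """Textbook RSA: no padding, so the same m always gives the same ciphertext."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message does not fit in the modulus")
    return pow(m, e, n)


def decrypt_raw(priv, c):
    n, d = priv
    return pow(c, d, n)


def encrypt_padded(pub, pan):
    """The post's own idea made concrete: prepend a fixed amount of randomness.

    A 16-digit number is under 2**54, so pan << 64 stays far below the
    ~196-bit toy modulus. This removes determinism, but it is not a standard
    scheme; PKCS#1 (OAEP) is what a library should be asked for."""
    filler = secrets.randbits(PAD_BITS)
    return encrypt_raw(pub, (pan << PAD_BITS) | filler)


def decrypt_padded(priv, c):
    return decrypt_raw(priv, c) >> PAD_BITS


def dictionary_attack(pub, ciphertext, known_prefix):
    """Constructed attacker: knows the first 12 digits and the public key,
    enumerates the last 4 and looks for a ciphertext match."""
    for suffix in range(10_000):
        guess = int(f"{known_prefix}{suffix:04d}")
        if encrypt_raw(pub, guess) == ciphertext:
            return guess
    return None


if __name__ == "__main__":
    pub, priv = toy_keypair()
    pan = 4111111111111111  # well-known Visa test number, not a real card
    c = encrypt_raw(pub, pan)
    print("unpadded ciphertext repeats:", c == encrypt_raw(pub, pan))
    print("recovered by guessing:", dictionary_attack(pub, c, "411111111111"))
    p = encrypt_padded(pub, pan)
    print("padded ciphertext repeats:", p == encrypt_padded(pub, pan))
    print("recovered by guessing:", dictionary_attack(pub, p, "411111111111"))
    print("legitimate decrypt:", decrypt_padded(priv, p))
```

The random filler answers the determinism problem, which is the part of the question a home-grown scheme can address. It does not give the structure checks of PKCS#1 v1.5 or the chosen-ciphertext resistance of OAEP, which is why the M2Crypto padding option should be used rather than the pickle-and-raw-RSA route.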

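A second added example, on the key-management idea of deriving a key from a passphrase with SHA (again not code from the post or either library). A bare hash is unsalted and single-pass, so the same passphrase yields the same key everywhere and an offline guesser runs at raw hash speed. The block shows a salted, iterated derivation with the standard library's PBKDF2, a stored check value so the batch job can reject a wrong passphrase before it touches the private key, and what an attacker with the stored record has to do per guess. The symmetric encryption of the private-key bytes themselves is left to whatever passphrase-protected key format a library offers; only the derivation step is shown. Passphrases, iteration counts and the record layout are assumptions.

```python
import hashlib
import hmac
import os


def naive_key(passphrase: str) -> bytes:
    """The post's idea taken literally: key = SHA(passphrase).

    No salt, one hash: identical passphrases give identical keys, and a
    guesser can test candidates as fast as the hash runs."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def derive_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Salted, iterated derivation: PBKDF2-HMAC-SHA256 from the standard library."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, length)


def check_value(key: bytes) -> bytes:
    """Keyed tag over a fixed label, stored beside the salt so a wrong
    passphrase is detected before anything is decrypted with the key."""
    return hmac.new(key, b"private-key-check", "sha256").digest()


def make_key_record(passphrase: str, iterations: int = 100_000) -> dict:
    """Record to store next to the encrypted private key (assumed layout)."""
    salt = os.urandom(16)  # fresh per protected key; stored in the clear
    key = derive_key(passphrase, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": check_value(key)}


def unlock(record: dict, passphrase: str):
    """Return the wrapping key for this record, or None if the passphrase is wrong."""
    key = derive_key(passphrase, record["salt"], record["iterations"])
    if not hmac.compare_digest(check_value(key), record["check"]):
        return None
    return key


def guess_passphrase(record: dict, wordlist):
    """Offline attacker holding the record: each guess costs a full PBKDF2 run,
    and the salt means the work cannot be shared across records."""
    for word in wordlist:
        if unlock(record, word) is not None:
            return word
    return None


if __name__ == "__main__":
    rec = make_key_record("pay-2002")
    print("same passphrase, naive keys equal:", naive_key("pay-2002") == naive_key("pay-2002"))
    print("unlock with right passphrase:", unlock(rec, "pay-2002") is not None)
    print("unlock with wrong passphrase:", unlock(rec, "pay-2003"))
    print("guessed from constructed wordlist:", guess_passphrase(rec, ["hunter2", "pay-2002"]))
```

This does not solve the question of how an unattended batch job obtains the passphrase; it only makes the stored material costlier to attack and lets the job fail cleanly on a wrong passphrase instead of decrypting garbage.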