using m2crypto to encrypt credit card numbers
Mark McEahern
marklists at mceahern.com
Thu Jun 13 09:08:32 EDT 2002
[John La Rooy]
> Whatever you use to identify the credit card number has to be
> guaranteed to be unique for each card number. A hash won't give
> you that. Perhaps you could use public key encryption. Encrypt
> the keys right away on the internet connected machine using a
> key pair. The private key is kept on a separate system and
> can recover the credit card numbers from the cipher.
Thanks for your reply. If you read my original post:
http://groups.google.com/groups?hl=en&lr=&ie=UTF8&oe=UTF8&selm=mailman.1023748154.2706.python-list%40python.org
you'll see that's precisely the approach I sketched. My questions have to
do with:
o RSA padding
o key management
o seeding the encryption library with randomness via /dev/[u]random
> Every purchase made with the card will encrypt the number to the
> same ciphertext which you use to identify that card everywhere in
> your database.
For what it's worth, I have the cards stored in a table keyed by a
uniqueidentifier (guid). That's what I use (the guid, that is) to refer to
the credit card--not the actual cipher text. Same thing, in effect, I
suppose.
Cheers,
// mark
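
Added example, not part of the original post and not M2Crypto code: a pure-Python illustration of why the RSA padding question matters for the scheme discussed above. Unpadded RSA maps a card number to the same ciphertext every time, while RSA-OAEP does not, so rows are keyed by a GUID as the reply describes. The toy key (two Mersenne primes), the function names and the sample card number are assumptions made for the illustration.

```python
# Added illustration, not from the thread. Toy key: two known Mersenne primes,
# fine for showing padding behaviour, never for protecting real data.
import hashlib, os, uuid

P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (internet-facing machine)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (separate system)
K, H = (N.bit_length() + 7) // 8, 32     # modulus bytes, SHA-256 output bytes
LHASH = hashlib.sha256(b"").digest()     # OAEP label hash for the empty label
SAMPLE_CARD = "4111111111111111"         # constructed test number, not a real card

def encrypt_raw(card):
    """Unpadded RSA: the same card number always gives the same ciphertext."""
    return pow(int.from_bytes(card.encode(), "big"), E, N)

def mgf1(seed, n):
    """MGF1 mask generation with SHA-256."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
              for i in range((n + H - 1) // H))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_oaep(card):
    """RSA-OAEP: a fresh random seed makes every ciphertext different."""
    m = card.encode()
    if len(m) > K - 2 * H - 2:
        raise ValueError("message too long")
    db = LHASH + b"\x00" * (K - len(m) - 2 * H - 2) + b"\x01" + m
    seed = os.urandom(H)
    masked_db = xor(db, mgf1(seed, K - H - 1))
    masked_seed = xor(seed, mgf1(masked_db, H))
    return pow(int.from_bytes(b"\x00" + masked_seed + masked_db, "big"), E, N)

def decrypt_oaep(c):
    """Run only where the private exponent D lives."""
    em = pow(c, D, N).to_bytes(K, "big")
    masked_seed, masked_db = em[1:1 + H], em[1 + H:]
    seed = xor(masked_seed, mgf1(masked_db, H))
    db = xor(masked_db, mgf1(seed, K - H - 1))
    pad, sep, m = db[H:].partition(b"\x01")
    if em[0] or db[:H] != LHASH or not sep or pad.strip(b"\x00"):
        raise ValueError("decryption error")
    return m.decode()

def store(table, card):
    """Key the row by a random GUID, not by the ciphertext."""
    ref = str(uuid.uuid4())
    table[ref] = encrypt_oaep(card)
    return ref
```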