APM: GnuPG and Perl GnuPG Interface for (En/De)cryption Question (fwd)
____________________________________________________________________ Before a larger group can see the virtue of an idea, a smaller group must first understand it. "Stranger Suns" George Zebrowski The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- -------------------------------------------------------------------- ---------- Forwarded message ---------- Date: Wed, 24 Jan 2001 16:56:02 -0600 From: David Bluestein II <dbii@mudpuddle.com> To: austin-pm@pm.org Subject: APM: GnuPG and Perl GnuPG Interface for (En/De)cryption Question I have a question. I want to use GnuPG (or any suitable open source alternative) to encrypt a credit card to store in a database. The client wants to decrypt them on the server and view them over an SSL connection. I can encrypt without a problem, but to decrypt I know I at least need the passphrase, but then that makes me leave the private key on the server (bad!). Is there a way to send both the passphrase and private key to the Perl GnuPG interface and have it decrypted in memory to send via SSL? We're trying to avoid having the client install the decryption software on their desktop (client's being such as they are) and just provide either the private key or the passphrase/Private key. Thanks- David ---------- David H. Bluestein II President & Lead Developer dbii@mudpuddle.com ii, inc. http://www.interaction.net - Specializing in Designing Interactive Websites - - and Searchable Internet Databases -
Isn't this really equivalent to using Conventional-only encryption instead of public-key encryption? Or is there some reason you want to keep a public key in the process? As with any customer-chosen passphrase, there's the wimpy-passphrase problem, but you could do something with salt to help strengthen it. And avoiding public key should speed up your protocol a good bit, though you've still got a public-key phase in your SSL. At 05:15 PM 1/24/01 -0600, Jim Choate Forwarded:
---------- Forwarded message ---------- Date: Wed, 24 Jan 2001 16:56:02 -0600 From: David Bluestein II <dbii@mudpuddle.com> To: austin-pm@pm.org Subject: APM: GnuPG and Perl GnuPG Interface for (En/De)cryption Question
I have a question. I want to use GnuPG (or any suitable open source alternative) to encrypt a credit card to store in a database. The client wants to decrypt them on the server and view them over an SSL connection. I can encrypt without a problem, but to decrypt I know I at least need the passphrase, but then that makes me leave the private key on the server (bad!). Is there a way to send both the passphrase and private key to the Perl GnuPG interface and have it decrypted in memory to send via SSL?
We're trying to avoid having the client install the decryption software on their desktop (client's being such as they are) and just provide either the private key or the passphrase/Private key.
Thanks-
David
---------- David H. Bluestein II President & Lead Developer dbii@mudpuddle.com ii, inc.
http://www.interaction.net - Specializing in Designing Interactive Websites - - and Searchable Internet Databases -
Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
Well here are two options: The elegant but somewhat painful method: 1. The client generates an encrypted credit card using the secret. The client opens an ssl session with the server and uploads the encrypted credit card to the server (this proc can be automated at the client machine so your client doesn't need to go through many steps). 2. When retrieving information, the client to opens an ssl session with the server, sends the private key manually (via ssl) to the server, and have the server process the decryption in memory. The above requires the client to both upload the credit card and the secret key to the server. The reference information you can use to locate the correct credit card could be the client's name or login name or address, etc. etc. The no so elegant but works almost all of the time method: 1. You enter the encrypted credit card number into the server database. 2. Client opens an SSL session with the server and submits the secret key (via ssl) to the server. server decrypts the credit card in memory and performs a Mod 10 check on the result (if it fails the mod 10, the decrypt didn't work because it isn't a valid credit card #). Another way to verify decryption is to store the last 1 digit of the credit card number and verify that against the decrypted card. The best way, if you're attached to a payment gateway, is to verify the validity of the card via the merchant bank (this can be done at no charge to the customer, but it costs the merchant a min. fee -- usually around $.25). Of course the best thing to do is to authenticate the client to the server and ask the server to retrieve only the record pertaining to that client via a covert channel (the trusted information kind, not the cia/nsa kind). Phillip -----Original Message----- From: owner-cypherpunks@Algebra.COM [mailto:owner-cypherpunks@Algebra.COM]On Behalf Of Jim Choate Sent: Wednesday, January 24, 2001 6:15 PM To: austin-cpunks@einstein.ssz.com Cc: cypherpunks@einstein.ssz.com Subject: APM: GnuPG and Perl GnuPG Interface for (En/De)cryption Question (fwd) ____________________________________________________________________ Before a larger group can see the virtue of an idea, a smaller group must first understand it. "Stranger Suns" George Zebrowski The Armadillo Group ,::////;::-. James Choate Austin, Tx /:'///// ``::>/|/ ravage@ssz.com www.ssz.com .', |||| `/( e\ 512-451-7087 -====~~mm-'`-```-mm --'- -------------------------------------------------------------------- ---------- Forwarded message ---------- Date: Wed, 24 Jan 2001 16:56:02 -0600 From: David Bluestein II <dbii@mudpuddle.com> To: austin-pm@pm.org Subject: APM: GnuPG and Perl GnuPG Interface for (En/De)cryption Question I have a question. I want to use GnuPG (or any suitable open source alternative) to encrypt a credit card to store in a database. The client wants to decrypt them on the server and view them over an SSL connection. I can encrypt without a problem, but to decrypt I know I at least need the passphrase, but then that makes me leave the private key on the server (bad!). Is there a way to send both the passphrase and private key to the Perl GnuPG interface and have it decrypted in memory to send via SSL? We're trying to avoid having the client install the decryption software on their desktop (client's being such as they are) and just provide either the private key or the passphrase/Private key. Thanks- David ---------- David H. Bluestein II President & Lead Developer dbii@mudpuddle.com ii, inc. http://www.interaction.net - Specializing in Designing Interactive Websites - - and Searchable Internet Databases -
participants (3)
-
Bill Stewart
-
Jim Choate
-
Phillip Zakas