APM: GnuPG and Perl GnuPG Interface for (En/De)cryption Question (fwd)
____________________________________________________________________
Before a larger group can see the virtue of an idea, a
smaller group must first understand it.
"Stranger Suns"
George Zebrowski
The Armadillo Group ,::////;::-. James Choate
Austin, Tx /:'///// ``::>/|/ ravage@ssz.com
www.ssz.com .', |||| `/( e\ 512-451-7087
-====~~mm-'`-```-mm --'-
--------------------------------------------------------------------
---------- Forwarded message ----------
Date: Wed, 24 Jan 2001 16:56:02 -0600
From: David Bluestein II
Isn't this really equivalent to using Conventional-only encryption instead of public-key encryption? Or is there some reason you want to keep a public key in the process? As with any customer-chosen passphrase, there's the wimpy-passphrase problem, but you could do something with salt to help strengthen it. And avoiding public key should speed up your protocol a good bit, though you've still got a public-key phase in your SSL. At 05:15 PM 1/24/01 -0600, Jim Choate Forwarded:
---------- Forwarded message ---------- Date: Wed, 24 Jan 2001 16:56:02 -0600 From: David Bluestein II
To: austin-pm@pm.org Subject: APM: GnuPG and Perl GnuPG Interface for (En/De)cryption Question I have a question. I want to use GnuPG (or any suitable open source alternative) to encrypt a credit card to store in a database. The client wants to decrypt them on the server and view them over an SSL connection. I can encrypt without a problem, but to decrypt I know I at least need the passphrase, but then that makes me leave the private key on the server (bad!). Is there a way to send both the passphrase and private key to the Perl GnuPG interface and have it decrypted in memory to send via SSL?
We're trying to avoid having the client install the decryption software on their desktop (client's being such as they are) and just provide either the private key or the passphrase/Private key.
Thanks-
David
---------- David H. Bluestein II President & Lead Developer dbii@mudpuddle.com ii, inc.
http://www.interaction.net - Specializing in Designing Interactive Websites - - and Searchable Internet Databases -
Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
Well here are two options:
The elegant but somewhat painful method:
1. The client generates an encrypted credit card using the secret. The
client opens an ssl session with the server and uploads the encrypted credit
card to the server (this proc can be automated at the client machine so your
client doesn't need to go through many steps).
2. When retrieving information, the client to opens an ssl session with the
server, sends the private key manually (via ssl) to the server, and have the
server process the decryption in memory.
The above requires the client to both upload the credit card and the secret
key to the server. The reference information you can use to locate the
correct credit card could be the client's name or login name or address,
etc. etc.
The no so elegant but works almost all of the time method:
1. You enter the encrypted credit card number into the server database.
2. Client opens an SSL session with the server and submits the secret key
(via ssl) to the server. server decrypts the credit card in memory and
performs a Mod 10 check on the result (if it fails the mod 10, the decrypt
didn't work because it isn't a valid credit card #). Another way to verify
decryption is to store the last 1 digit of the credit card number and verify
that against the decrypted card. The best way, if you're attached to a
payment gateway, is to verify the validity of the card via the merchant bank
(this can be done at no charge to the customer, but it costs the merchant a
min. fee -- usually around $.25).
Of course the best thing to do is to authenticate the client to the server
and ask the server to retrieve only the record pertaining to that client via
a covert channel (the trusted information kind, not the cia/nsa kind).
Phillip
-----Original Message-----
From: owner-cypherpunks@Algebra.COM
[mailto:owner-cypherpunks@Algebra.COM]On Behalf Of Jim Choate
Sent: Wednesday, January 24, 2001 6:15 PM
To: austin-cpunks@einstein.ssz.com
Cc: cypherpunks@einstein.ssz.com
Subject: APM: GnuPG and Perl GnuPG Interface for (En/De)cryption
Question (fwd)
____________________________________________________________________
Before a larger group can see the virtue of an idea, a
smaller group must first understand it.
"Stranger Suns"
George Zebrowski
The Armadillo Group ,::////;::-. James Choate
Austin, Tx /:'///// ``::>/|/ ravage@ssz.com
www.ssz.com .', |||| `/( e\ 512-451-7087
-====~~mm-'`-```-mm --'-
--------------------------------------------------------------------
---------- Forwarded message ----------
Date: Wed, 24 Jan 2001 16:56:02 -0600
From: David Bluestein II
participants (3)
-
Bill Stewart
-
Jim Choate
-
Phillip Zakas