GnuPG and Perl GnuPG Interface for (En/De)cryption Question (fwd)
Phillip Zakas
pzakas at toucancapital.com
Wed Jan 24 16:25:10 PST 2001
Well here are two options:
The elegant but somewhat painful method:
1. The client generates an encrypted credit card using the secret. The
client opens an ssl session with the server and uploads the encrypted credit
card to the server (this proc can be automated at the client machine so your
client doesn't need to go through many steps).
2. When retrieving information, the client to opens an ssl session with the
server, sends the private key manually (via ssl) to the server, and have the
server process the decryption in memory.
The above requires the client to both upload the credit card and the secret
key to the server. The reference information you can use to locate the
correct credit card could be the client's name or login name or address,
etc. etc.
The no so elegant but works almost all of the time method:
1. You enter the encrypted credit card number into the server database.
2. Client opens an SSL session with the server and submits the secret key
(via ssl) to the server. server decrypts the credit card in memory and
performs a Mod 10 check on the result (if it fails the mod 10, the decrypt
didn't work because it isn't a valid credit card #). Another way to verify
decryption is to store the last 1 digit of the credit card number and verify
that against the decrypted card. The best way, if you're attached to a
payment gateway, is to verify the validity of the card via the merchant bank
(this can be done at no charge to the customer, but it costs the merchant a
min. fee -- usually around $.25).
Of course the best thing to do is to authenticate the client to the server
and ask the server to retrieve only the record pertaining to that client via
a covert channel (the trusted information kind, not the cia/nsa kind).
Phillip
-----Original Message-----
From: owner-cypherpunks at Algebra.COM
[mailto:owner-cypherpunks at Algebra.COM]On Behalf Of Jim Choate
Sent: Wednesday, January 24, 2001 6:15 PM
To: austin-cpunks at einstein.ssz.com
Cc: cypherpunks at einstein.ssz.com
Subject: APM: GnuPG and Perl GnuPG Interface for (En/De)cryption
Question (fwd)
____________________________________________________________________
Before a larger group can see the virtue of an idea, a
smaller group must first understand it.
"Stranger Suns"
George Zebrowski
The Armadillo Group ,::////;::-. James Choate
Austin, Tx /:'///// ``::>/|/ ravage at ssz.com
www.ssz.com .', |||| `/( e\ 512-451-7087
-====~~mm-'`-```-mm --'-
--------------------------------------------------------------------
---------- Forwarded message ----------
Date: Wed, 24 Jan 2001 16:56:02 -0600
From: David Bluestein II <dbii at mudpuddle.com>
To: austin-pm at pm.org
Subject: APM: GnuPG and Perl GnuPG Interface for (En/De)cryption Question
I have a question. I want to use GnuPG (or any suitable open source
alternative) to encrypt a credit card to store in a database. The client
wants to decrypt them on the server and view them over an SSL connection. I
can encrypt without a problem, but to decrypt I know I at least need the
passphrase, but then that makes me leave the private key on the server
(bad!). Is there a way to send both the passphrase and private key to the
Perl GnuPG interface and have it decrypted in memory to send via SSL?
We're trying to avoid having the client install the decryption software on
their desktop (client's being such as they are) and just provide either the
private key or the passphrase/Private key.
Thanks-
David
----------
David H. Bluestein II President & Lead Developer
dbii at mudpuddle.com ii, inc.
http://www.interaction.net
- Specializing in Designing Interactive Websites -
- and Searchable Internet Databases -
More information about the cypherpunks-legacy
mailing list