MySQL Forums

Re: using mySQL to store credit card info
Posted by: Yuriy Pavlutkin
Date: May 08, 2006 04:33PM

There are two ideas as to credit card info encryption.

1. Using ECB block mode (the mode of MySQL AES_Encrypt() / AES_Decrypt()) for credit card number encryption is not a good idea. See http://bugs.mysql.com/bug.php?id=16714 and http://bugs.mysql.com/bug.php?id=16890 for more details. The literature proposes CBC block mode as more secure instead. It can be applied client-side (PHP, MS Access, C, ...) - GPL or BSD-licensed libraries are acceptable on the Net.

2. Encryption_password can be stored encrypted by the user password for any user who needs it. When a user logs on, Encryption_password is decrypted by the user-logon-password and stored in RAM. Encryption_password, when stored in memory, can be additionally encrypted by a session_password for the current session (this is protection from the Windows swap-file problem). In the last case we get "nested" decryption: the key for data decryption is previously decrypted by session_password.

A protected connection to the server (SSL, SSH) is a default thing.

I think this schema is secure enough.
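
The two points of the post above, as an added example that is not part of the original post and is not MySQL's code: it shows that ECB maps the same card number to identical ciphertexts while CBC with a random IV does not, and it wraps the data key under a key derived from the logon password. It uses Node.js's built-in `crypto` module; the function names, the PBKDF2 parameters, the password string and the card number are assumptions constructed for the illustration, and the session_password layer is left out.

```javascript
const crypto = require('crypto');

// Point 1: AES-128-ECB, the block mode the post attributes to AES_Encrypt(); no IV.
function encryptEcb(key16, data) {
  const c = crypto.createCipheriv('aes-128-ecb', key16, null);
  return Buffer.concat([c.update(data), c.final()]);
}

// CBC with a fresh random IV per value; the IV is stored in front of the ciphertext.
function encryptCbc(key32, data) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', key32, iv);
  return Buffer.concat([iv, c.update(data), c.final()]);
}

function decryptCbc(key32, blob) {
  const d = crypto.createDecipheriv('aes-256-cbc', key32, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]);
}

// Point 2: the data key ("Encryption_password") is stored only in wrapped form,
// encrypted under a key derived from the user's logon password.
function deriveKek(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 200000, 32, 'sha256'); // assumed parameters
}
function wrapDataKey(password, dataKey) {
  const salt = crypto.randomBytes(16);
  return { salt, wrapped: encryptCbc(deriveKek(password, salt), dataKey) };
}
function unwrapDataKey(password, stored) {
  return decryptCbc(deriveKek(password, stored.salt), stored.wrapped);
}

function demo() {
  const card = Buffer.from('4111111111111111'); // constructed test number
  const ecbKey = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  // Same card, same key: ECB rows are byte-identical, CBC rows are not.
  const ecbSame = encryptEcb(ecbKey, card).equals(encryptEcb(ecbKey, card));
  const cbcSame = encryptCbc(dataKey, card).equals(encryptCbc(dataKey, card));
  // At logon: unwrap the data key with the password, then decrypt a stored row.
  const stored = wrapDataKey('constructed-logon-password', dataKey);
  const row = encryptCbc(dataKey, card);
  const key = unwrapDataKey('constructed-logon-password', stored);
  return { ecbSame, cbcSame, roundTrip: decryptCbc(key, row).toString() };
}
```

CBC on its own provides confidentiality only, so stored values also need a MAC or an authenticated mode for tampering to be detected.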
