Storing credit card details with mcrypt or GnuPG
I have a requirement to store credit card details (not storing is NOT an option).

Using mcrypt with mcrypt_dev_random to generate init_vector takes varying ages to encrypt/decrypt but seems to be the most 'secure' option. mcrypt_dev_urandom is MUCH quicker but not suitable for long-term storage - as I have read.

Looking at GnuPG as a possible alternative and would like some opinions/heads up on these if possible.
If you really want to store credit card information securely, there's a standard for it: the Payment Card Industry Data Security Standard. And it's a lot more involved than using one specific encryption algorithm. It requires you to store parts of the card details on two physically separate machines, among many other things. And even if you follow the PCI standard to the letter, experts argue you're still not entirely secured. Anything less than that is pretty much not worth discussing in detail, since the overall level of security is so low that it hardly makes a difference.

Remember: the First Rule of Cryptography is "don't do it yourself".
MCRYPT_DEV_URANDOM is enough for robust encryption, but "managing credit card information" is a much more complicated affair than simply "encrypt 'em all and let God sort out His own".

That "not storing is NOT an option" sounds to me as if you (or better, those above you) Are Doing It Wrong. You should not be researching this, or be the one to propose a solution. Do not be the fall guy.

https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php
For you the most important question is what you need for PCI compliance. Don't produce some homebrew encryption. Read up on what it requires, and preferably delegate the credit card stuff to a specialized payment processor.
> Using mcrypt with mcrypt_dev_random to generate init_vector takes varying ages to encrypt/decrypt but seems to be the most 'secure' option. mcrypt_dev_urandom is MUCH quicker but not suitable for long-term storage - as I have read.

This shows some misunderstandings. For one, an IV doesn't need to be secret. The quality of random numbers is less important.

But even for keys, /dev/urandom is good enough, provided it was seeded with sufficient entropy initially.
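As an added example (not code from the question or from any of the answers), here is how the point about the IV plays out in practice: a small Go AES-GCM wrapper that draws the nonce from crypto/rand, the kernel CSPRNG (/dev/urandom on Linux), and stores it in the clear in front of the ciphertext. It says nothing about PCI DSS scope, and the key is assumed to be supplied by a key-management system outside this code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. The nonce (the "IV") comes from
// crypto/rand, i.e. the kernel CSPRNG (/dev/urandom on Linux), and is
// written in the clear in front of the ciphertext: it must be unique per
// key, but it does not need to be secret.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Record layout: nonce || ciphertext || 16-byte GCM tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. The GCM tag check fails if the nonce or the
// ciphertext was modified in storage.
func Open(key, record []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(record) < aead.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:aead.NonceSize()], record[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}
```

Because the nonce is random, sealing the same value twice yields two different records, so a stored table of ciphertexts does not reveal which rows hold the same card.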