Hi all,

I got some code from this very site demonstrating how to do credit card encryption and I was wondering if someone here could help me understand the code.

    require 'openssl'
    require 'digest'
    require 'base64'

    # Sets up an AES-256-CBC cipher for the card number.
    # @@CreditCardSecretKey, passphrase and the iv attribute are
    # expected to be defined elsewhere in the model.
    def crypt_number
      c = cipher
      c.encrypt
      c.key = key
      c.iv = self.iv = generate_iv(passphrase)
    end

    def cipher
      OpenSSL::Cipher.new("aes-256-cbc")
    end

    # 32-byte key: the SHA-256 digest of the secret string
    def key
      Digest::SHA256.digest(@@CreditCardSecretKey)
    end

    # Note: AES-CBC expects a 16-byte IV; this returns a 56-character string
    def generate_iv(passphrase)
      encode_into_base64(Digest::SHA1.hexdigest(passphrase))
    end

    def encode_into_base64(string)
      Base64.encode64(string).chomp
    end

I am trying to understand the basics about encryption. I'm not sure if this code is even something I can use, I just want to better understand so I can write my own program as needed.

I guess the parts that I am confused about are c = cipher and what c.iv = self.iv = generate_iv(passphrase) is doing. I understand that the c.encrypt is just encrypting the credit card number, just not about the rest. Is the c = cipher saying how long the key will be? And I have no idea about what the c.iv stuff is doing.

Thanks,
-S
--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
On 26 Nov 2007, at 16:11, Shandy Nantz wrote:

> I am trying to understand the basics about encryption. I'm not sure if this code is even something I can use, I just want to better understand so I can write my own program as needed.
>
> I guess the parts that I am confused about are c = cipher and what c.iv = self.iv = generate_iv(passphrase) is doing. I understand that the c.encrypt is just encrypting the credit card number, just not about the rest. Is the c = cipher saying how long the key will be? And I have no idea about what the c.iv stuff is doing. Thanks,

c = cipher is just calling the cipher method defined above, which just does OpenSSL::Cipher::Cipher.new("aes-256-cbc"), i.e. give me a new cipher object that does 256bit AES in CBC mode. c.encrypt says that you want to encrypt and the iv is the initialization vector. You can read up on that if you want, essentially it's just one of the parameters for the encryption

Fred
The code uses sha256 to hash the secret key, then uses aes-256 (aes cipher with a 256-bit key) in cbc mode which means cipher block chaining. This does not mean you are using a 256-bit key. If you hash "1234" you have at BEST an 8 bit or so key. I would use a string that is randomly generated using strong random sources and make it a long string.

The cipher used is symmetric so if the server encrypts the cc number it can also decrypt it. You probably do not want that as anyone who can get your database probably has your code too.

Really, huge problems always occur when someone who knows little of cryptosystems and how to apply them runs off and writes something. This is not meant as an insult. I believe if you need this functionality the questions you are asking lead me to believe you are not yet ready to do it yourself.

--Michael

On Nov 26, 2007, at 8:11, Shandy Nantz <rails-mailing-list@andreas-s.net> wrote:

> Hi all,
>
> I got some code from this very site demonstrating how to do credit card encryption and I was wondering if someone here could help me understand the code.
> [...]
> I guess the parts that I am confused about are c = cipher and what c.iv = self.iv = generate_iv(passphrase) is doing. I understand that the c.encrypt is just encrypting the credit card number, just not about the rest. Is the c = cipher saying how long the key will be? And I have no idea about what the c.iv stuff is doing. Thanks,
>
> -S
> --
> Posted via http://www.ruby-forum.com/.
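[Added example, not part of the thread or of the code the original poster quoted. It illustrates Fred's explanation of what the key and IV parameters are, and Michael's two points: a SHA-256 of a short secret is a 32-byte key but carries no more entropy than the secret, so the key should come from a strong random source; and a symmetric scheme lets whoever holds the key decrypt everything. It goes one step beyond the thread by also showing why deriving the IV deterministically from a passphrase, as the posted generate_iv does, is a problem: equal plaintexts then give equal ciphertexts, so anyone reading the database can tell which rows hold the same card. All function names, the test card number and the "1234"/"pass" secrets are constructed for the example; the thread's IV derivation is simplified here to the first 16 bytes of a SHA-1 digest so that it is a valid AES IV length.]

```ruby
require "openssl"
require "securerandom"
require "digest"

# Added example, not from the thread. Contrasts the posted scheme (key and IV
# derived deterministically from a passphrase) with a random key and a fresh
# random IV for every encryption. All names here are hypothetical.

ALG = "aes-256-cbc"

# Encrypt with an explicit key and IV; returns raw ciphertext bytes.
def cbc_encrypt(key, iv, plaintext)
  c = OpenSSL::Cipher.new(ALG)
  c.encrypt
  c.key = key   # must be exactly 32 bytes for aes-256
  c.iv = iv     # must be exactly 16 bytes (the AES block size)
  c.update(plaintext) + c.final
end

# Symmetric: the same key and IV decrypt what they encrypted.
def cbc_decrypt(key, iv, ciphertext)
  c = OpenSSL::Cipher.new(ALG)
  c.decrypt
  c.key = key
  c.iv = iv
  c.update(ciphertext) + c.final
end

# Thread style: key = SHA256(secret). SHA-256 always yields 32 bytes, so the
# cipher accepts it, but a key made from "1234" is still only as hard to guess
# as "1234".
def thread_style_key(secret)
  Digest::SHA256.digest(secret)
end

# Thread style, simplified to a valid length: a fixed IV derived from the
# passphrase, so the same passphrase always gives the same IV (assumption).
def thread_style_iv(passphrase)
  Digest::SHA1.digest(passphrase)[0, 16]
end

# Recommended: a 256-bit key from the OS CSPRNG, generated once and kept
# outside the database (e.g. in the deployment's secret store).
def random_key
  SecureRandom.random_bytes(32)
end

# Fresh random IV per call. The IV is not secret, so it is stored with the
# ciphertext; here it is simply prepended.
def seal(key, plaintext)
  iv = SecureRandom.random_bytes(16)
  iv + cbc_encrypt(key, iv, plaintext)
end

def open_sealed(key, blob)
  iv, ciphertext = blob[0, 16], blob[16..-1]
  cbc_decrypt(key, iv, ciphertext)
end

# With a fixed IV, encrypting the same card twice yields identical ciphertext,
# which leaks equality between rows even though the key is never exposed.
def fixed_iv_reveals_duplicates?(secret, passphrase, pan)
  key = thread_style_key(secret)
  iv  = thread_style_iv(passphrase)
  cbc_encrypt(key, iv, pan) == cbc_encrypt(key, iv, pan)
end

# With a random IV per call, the same card encrypts differently every time.
def random_iv_reveals_duplicates?(key, pan)
  seal(key, pan) == seal(key, pan)
end

if __FILE__ == $0
  key = random_key
  pan = "4111111111111111"   # constructed test number, not a real card
  blob = seal(key, pan)
  puts "roundtrip ok:                #{open_sealed(key, blob) == pan}"
  puts "fixed IV, equal ciphertexts:  #{fixed_iv_reveals_duplicates?('1234', 'pass', pan)}"
  puts "random IV, equal ciphertexts: #{random_iv_reveals_duplicates?(key, pan)}"
end
```

The point the two duplicate checks make is the one a defender cares about: even with a strong key, a deterministic IV turns an encrypted column into a lookup table of "which customers share a card", and a key hashed from a short secret can be recovered by anyone who obtains the database and guesses the secret. Both are fixed by the seal/open_sealed pair above, which is still symmetric, so Michael's remark stands: whoever holds the key (the server, and so anyone who compromises it) can decrypt.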
I agree with Michael above. Start by reading "Applied Cryptography" by Bruce Schneier (http://www.schneier.com/).

Best regards, Ricardo

On Nov 26, 2:26 pm, M Graff <skan.gryp...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> The code uses sha256 to hash the secret key, then uses aes-256 (aes cipher with a 256-bit key) in cbc mode which means cipher block chaining. This does not mean you are using a 256-bit key. If you hash "1234" you have at BEST an 8 bit or so key. I would use a string that is randomly generated using strong random sources and make it a long string.
> [...]
> --Michael
Sazima wrote:
> I agree with Michael above. Start by reading "Applied Cryptography" by Bruce Schneier (http://www.schneier.com/).
>
> Best regards, Ricardo

Thanks for the link. I know that I may not be ready to do it myself but everyone has to start somewhere. Also, I have a boss who knows what he wants and how to do it and the fact that he is very knowledgeable, especially when it comes to cryptography, leads me to believe that I'll be fine. I do appreciate all the advice though.

-S
--
Posted via http://www.ruby-forum.com/.
There are certain laws and guidelines about storing credit cards. First, any credit card that is stored on your machine that is stolen without being a certified server runs the risk of not being covered by insurance and you could be held liable. Just don't store credit card numbers. Store the transaction ID, it's just as good to do pre-auths, purchases, and returns, but you won't be able to do 1-click ordering with saved credit cards. If you do, then research it more on Google for PCI Compliance.

Nathaniel.

On 11/27/07, Shandy Nantz <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Thanks for the link. I know that I may not be ready to do it myself but everyone has to start somewhere. Also, I have a boss who knows what he wants and how to do it and the fact that he is very knowledgeable, especially when it comes to cryptography, leads me to believe that I'll be fine. I do appreciate all the advice though.
>
> -S

--
Nathaniel Steven Henry Brown
604-724-6624