cayenne-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aristedes Maniatis <...@ish.com.au>
Subject Re: Encrypted Fields
Date Sat, 07 Feb 2009 21:46:30 GMT
Except that credit cards are not a good example here. Speak to your  
gateway provider, but here in Australia they all let you run  
transactions against the same credit card *without storing the card  
number/expiry date/cvv*. Instead you store the previous transaction  
reference and you can use that to process future card payments between  
that card and the same merchant. Infinitely safer than storing card  
numbers.

Americans certainly are strange with their SSNs. You give them out at  
the drop of a hat to buy popcorn, and then still use them as a  
'secure' form of identification.

Ari



On 08/02/2009, at 7:39 AM, Joe Baldwin wrote:

> I agree.  It is hardly worth the effort of storing a credit card  
> number for a customer if you can't run a transaction for the customer.
>
> Also, I think Michael and Chad convinced me to do Java-domain  
> encryption.  I think Chad said they had included the algorithms in  
> Java 6.  However, I am now caught up in another sysadmin problem  
> with OSX and Java 6.  (I can't get Java 6 to run yet).  Still  
> working on it.
>
> Joe
>
>
>
>
> On Feb 7, 2009, at 2:15 PM, Andrus Adamchik wrote:
>
>> One-way hashing works great for passwords (and is in fact THE way  
>> to store passwords in the DB). It doesn't work for anything else,  
>> as usually you do want to have access to the data you've encrypted.
>>
>> Andrus
>>
>> On Feb 7, 2009, at 8:50 PM, Dov Rosenberg wrote:
>>
>>> One of our customers who is big into security had a pretty good  
>>> idea. Their
>>> concern was that if the sensitive data could be decrypted it was  
>>> vulnerable
>>> and considered a security risk. They proposed using a one way  
>>> encryption
>>> algorithm and then only comparing the hash values of the sensitive  
>>> data -
>>> not the actual data itself. I am not certain which algorithm they  
>>> were
>>> talking about.
>>>
>>> Dov Rosenberg
>>>
>>>
>>> On 2/7/09 12:08 PM, "Michael Gentry" <mgentry@masslight.net> wrote:
>>>
>>>> Here it is:
>>>>
>>>> http://people.apache.org/~mgentry/Security_Manifesto.pdf
>>>>
>>>> Joe had a few questions off-the-list (about how to do a query on an
>>>> encrypted value) and I'll try to update it soon, but that's the
>>>> current version I have.
>>>>
>>>> Comments appreciated, as always.
>>>>
>>>> mrg
>>>
>>>
>>
>





-------------------------->
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A



Mime
View raw message