Best encryption technique

#1
04-19-2005
Harold Crump

Greetings,

I have a requirement of storing some .xml files on a web server.
The files will contain financial information like credit card numbers,
so I would like to encrypt them.

The files will stay there until another program downloads them and
deletes the files.

My question is - which of the functions in the mcrypt library provide
the best encryption for files?
The files will be relatively small - between 2KB - 30KB.

I would like the strongest possible encryption because some pretty good
hackers may attempt to get at these files if someone figures out that
there are credit card numbers out there.

Another question - how should the encryption/decryption key be shared
between the two programs?
Is it secure enough if the .php script contains a single static key on
both the ends - or is there a better way to share the key?

Thanks,
Harold

#2
04-20-2005
Frank

Harold Crump wrote:
> Another question - how should the encryption/decryption key be shared
> between the two programs?
> Is it secure enough if the .php script contains a single static key on
> both the ends - or is there a better way to share the key?


May want to place the key in a separate file. After all, it's data, not
code, and thus makes it easier to change the key as required.

Also, I'm very much hoping you have an asymmetric cipher in mind here
(public-key cryptography). You might as well not bother with encryption
at all if you will be leaving the decryption key on the server.

I'd go for AES-128 for bulk encrypting each file with a random key, and
RSA-2048 for encrypting the symmetric keys.
Never used mcrypt, or done crypto at all using php, but any decent suite
should support those ciphers.


Your whole approach sounds a tad awkward, though. Why store credit card
info on a web server in the first place, especially if it's meant to end
up somewhere else..? You know best, though. Best of luck.

>
> Thanks,
> Harold
>

#3
04-20-2005
Harold Crump

Frank,

Frank wrote:
> Also, I'm very much hoping you have an asymmetric cipher in mind here
> (public-key cryptography). You might as well not bother with encryption
> at all if you will be leaving the decryption key on the server.


That's my worry as well !
Can you briefly describe how the public-key approach should work,
especially if a random key is used as you suggested.

The entire approach is supposed to be asynchronous and the two
applications (the one that dumps the files, and the other that reads
them) are not "aware" of each other.

> I'd go for AES-128 for bulk encrypting each file with a random key, and
> RSA-2048 for encrypting the symmetric keys.


How about using 3DES (triple DES) - it is supported by mcrypt.
It is 192-bit encryption.
Is that any good?

Can you explain what you meant by symmetric keys and asymmetric keys?

> Your whole approach sounds a tad awkward, though. Why store credit card
> info on a web server in the first place, especially if it's meant to end
> up somewhere else..?


I know !! But there is no other way to integrate these two apps that we
could find, and the customer is aware of the security risk involved.
We are going to try and set up an HTTPS channel between the two apps so
that the file transfer can be more secure.

Thanks again,
Harold

#4
04-20-2005
Frank

Harold Crump wrote:
> Frank,
>
> Frank wrote:
>
>>Also, I'm very much hoping you have an asymmetric cipher
>>in mind here (public-key cryptography). You might as well
>>not bother with encryption at all if you will be leaving
>>the decryption key on the server.


> That's my worry as well !
> Can you briefly describe how the public-key approach should work,
> especially if a random key is used as you suggested.

*copy & paste*
> Can you explain what you meant by symmetric keys and asymmetric keys?


Asymmetric ciphers work with two keys, one for encryption and a
different one for decryption. You'll obviously only be storing the
encryption key on your web server.

Problem is, public-key algorithms aren't very efficient, so you use a
different algorithm for encrypting the content, then encrypt that key
using public-key crypto and store it along with the encrypted data somehow.

>>I'd go for AES-128 for bulk encrypting each file with a random key,
>>and RSA-2048 for encrypting the symmetric keys.

>
> How about using 3DES (triple DES) - it is supported by mcrypt.
> It is 192-bit encryption.
> Is that any good?


I'm no crypto guru, so best do a little research yourself here.

I did look up mcrypt just now, and it seems to have support for
Rijndael, which is another name for the AES algorithm. If your library
version doesn't have Rijndael-128, I'd go with Blowfish over 3DES, which
AFAIK is very broken.

Couldn't find anything solid on public key ciphers for php in what
little time I spent googling, though.

Good luck.
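
The scheme described in the post above (a random AES-128 key per file, wrapped with an RSA-2048 public key, with only the public key on the web server), as an added example that is not part of the original thread. It assumes PHP's OpenSSL extension rather than mcrypt; the function names `seal_file` and `open_file`, the JSON envelope layout, the GCM mode and the OAEP padding are choices made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Function names and the JSON
// envelope layout are hypothetical; the GCM mode and OAEP padding are choices
// made here (the thread names only AES-128 and RSA-2048).

// Runs on the web server, which holds ONLY the RSA public key.
function seal_file(string $plaintext, string $publicKeyPem): string
{
    $key = random_bytes(16);   // fresh random AES-128 key for this one file
    $iv  = random_bytes(12);   // 96-bit GCM nonce
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('AES encryption failed');
    }
    // Wrap the file key with RSA so only the private-key holder can recover it.
    if (!openssl_public_encrypt($key, $wrapped, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key wrap failed');
    }
    return json_encode(array_map('base64_encode',
        ['wrapped_key' => $wrapped, 'iv' => $iv, 'tag' => $tag, 'ciphertext' => $ct]));
}

// Runs in the downloading program, the only place the private key is stored.
function open_file(string $envelope, string $privateKeyPem): string
{
    $e = array_map('base64_decode', json_decode($envelope, true));
    if (!openssl_private_decrypt($e['wrapped_key'], $key, $privateKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $pt = openssl_decrypt($e['ciphertext'], 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $e['iv'], $e['tag']);
    if ($pt === false) {
        throw new RuntimeException('Authentication failed: file was modified or key is wrong');
    }
    return $pt;
}

// Demo with a throwaway key pair and a constructed XML record (test card number).
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

$xml = '<order><card>4111111111111111</card></order>';
$envelope = seal_file($xml, $publicPem);
var_dump(open_file($envelope, $privatePem) === $xml);
```
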
#5
04-21-2005
Chung Leong

"Harold Crump" <orientletter@yahoo.com> wrote in message
news:1113934264.173524.115820@o13g2000cwo.googlegroups.com...
> Greetings,
>
> I have a requirement of storing some .xml files on a web server.
> The files will contain financial information like credit card numbers,
> so I would like to encrypt them.


I wonder how worthwhile encryption is in this case. If a hacker manages to
hack into your server, then he could easily modify your PHP script so that
the file is encrypted with a known key instead of a random one.

Your time could be better spent improving the security of the server,
methinks.

