I agree. It is hardly worth the effort of storing a credit card
number for a customer if you can't run a transaction for the customer.
Also, I think Michael and Chad convinced me to do Java-domain
encryption. I think Chad said they had included the algorithms in
Java 6. However, I am now caught up in another sysadmin problem with
OSX and Java 6. (I can't get Java 6 to run yet). Still working on it.
Joe
On Feb 7, 2009, at 2:15 PM, Andrus Adamchik wrote:
> One-way hashing works great for passwords (and is in fact THE way to
> store passwords in the DB). It doesn't work for anything else, as
> usually you do want to have access to the data you've encrypted.
>
> Andrus
>
> On Feb 7, 2009, at 8:50 PM, Dov Rosenberg wrote:
>
>> One of our customers who is big into security had a pretty good
>> idea. Their concern was that if the sensitive data could be decrypted
>> it was vulnerable and considered a security risk. They proposed using
>> a one-way encryption algorithm and then only comparing the hash
>> values of the sensitive data - not the actual data itself. I am not
>> certain which algorithm they were talking about.
>>
>> Dov Rosenberg
>>
>>
>> On 2/7/09 12:08 PM, "Michael Gentry" <mgentr..asslight.net> wrote:
>>
>>> Here it is:
>>>
>>> http://people.apache.org/~mgentry/Security_Manifesto.pdf
>>>
>>> Joe had a few questions off-the-list (about how to do a query on an
>>> encrypted value) and I'll try to update it soon, but that's the
>>> current version I have.
>>>
>>> Comments appreciated, as always.
>>>
>>> mrg
>>
>>
>
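The distinction drawn in this thread (one-way hashing for passwords, and the fact that a hash only supports equality comparison, which is what Joe's "query on an encrypted value" question runs into), as an added example that is not part of the thread or of the Cayenne project; the password, card number and the lookup key are constructed sample values, and storing the card for later transactions would still need reversible encryption, which this snippet deliberately does not provide:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample inputs (not taken from the thread).
PASSWORD = "correct horse battery staple"
CARD_NUMBER = "4111111111111111"   # well-known test PAN, used here as sample data
LOOKUP_KEY = os.urandom(32)        # hypothetical server-side key for lookup tokens


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, one-way PBKDF2-HMAC-SHA256 hash. Only this string is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def lookup_token(value: str, key: bytes) -> str:
    """Keyed, deterministic token (HMAC) for a sensitive value.

    Equal inputs give equal tokens, so a WHERE card_token = ? query works,
    but the token cannot be turned back into the card number. The key keeps
    an attacker who only has the table from brute-forcing the 16-digit space.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def find_customers_by_card(rows, card_number: str, key: bytes):
    """Equality lookup against stored tokens; nothing here can recover the PAN."""
    token = lookup_token(card_number, key)
    return [r["customer"] for r in rows if hmac.compare_digest(r["card_token"], token)]
```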
This archive was generated by hypermail 2.0.0 : Sat Feb 07 2009 - 15:40:14 EST