encryption?


    encryption?



    Hi folks --

    I have a client who's interested in a super-secure payment module: they
    want it to encrypt the data by DES or Triple-DES, and also send it by https
    POST. Is there a way for Miva modules to do DES? Does anyone have a
    module or script that can help with this?

    Thanks --

    Kent Multer | /| P.O.Box 701895, Dallas TX 75370
    Magic Metal Productions | / | (214) 570 8264 voice/fax
    | | [email protected]
    * Web developer/designer http://TheMagicM.com
    * E-commerce and Miva
    * Author, The Official Miva Web Scripting Book -- available on-line:
    http://www.amazon.com/exec/obidos/ISBN=0966103211/magicmetalproducA




    #2
    encryption?



    Ivo already has a PGP module, would that work?

    David

    > -----Original Message-----
    > From: Kent [mailto:[email protected]]
    > Sent: Friday, March 11, 2005 2:52 AM
    > To: Miva Merchant coders list
    > Subject: [mrc] encryption?
    >
    > Hi folks --
    >
    > I have a client who's interested in a super-secure payment module: they
    > want it to encrypt the data by DES or Triple-DES, and also send it by https
    > POST. Is there a way for Miva modules to do DES? Does anyone have a
    > module or script that can help with this?
    >
    > Thanks --
    >
    > Kent Multer | /| P.O.Box 701895, Dallas TX 75370
    > Magic Metal Productions | / | (214) 570 8264 voice/fax
    > | | [email protected]
    > * Web developer/designer http://TheMagicM.com
    > * E-commerce and Miva
    > * Author, The Official Miva Web Scripting Book -- available on-line:
    > http://www.amazon.com/exec/obidos/ISBN=0966103211/magicmetalproducA

    Comment


      #3
      encryption?




      >Ivo already has a PGP module, would that work?

      No, his module only does email. I need the encryption on data which is
      sent to the payment server by MvCALL (POST).


      > > I have a client who's interested in a super-secure payment module: they
      > > want it to encrypt the data by DES or Triple-DES, and also
      > > send it by https
      > > POST. Is there a way for Miva modules to do DES? Does anyone have a
      > > module or script that can help with this?
      > >
      > > Thanks --


      Kent Multer | /| P.O.Box 701895, Dallas TX 75370
      Magic Metal Productions | / | (214) 570 8264 voice/fax
      | | [email protected]
      * Web developer/designer http://TheMagicM.com
      * E-commerce and Miva
      * Author, The Official Miva Web Scripting Book -- available on-line:
      http://www.amazon.com/exec/obidos/ISBN=0966103211/magicmetalproducA



      Comment


        #4
        encryption?



        It would be unusual to see 3DES implemented at the
        application layer due to the overhead of bringing up and
        tearing down the connection on a per-transaction basis;
        3DES is normally handled at the network layer with a
        persistent connection. I'd recommend establishing a
        VPN connection between the web server and the payment
        processor if they need that level of security, either
        via hardware external to the box or with software on
        the box, even OpenVPN free software, and then you'd
        have SSL post over 3DES VPN. AES would be
        preferable to 3DES, but not all firewalls support AES.

        David

        > -----Original Message-----
        > From: Kent [mailto:[email protected]]
        > Sent: Friday, March 11, 2005 12:04 PM
        > To: Miva Merchant coders list
        > Subject: RE: [mrc] encryption?
        >
        > >Ivo already has a PGP module, would that work?
        >
        > No, his module only does email. I need the encryption on data which is
        > sent to the payment server by MvCALL (POST).
        >
        > > > I have a client who's interested in a super-secure payment module: they
        > > > want it to encrypt the data by DES or Triple-DES, and also
        > > > send it by https
        > > > POST. Is there a way for Miva modules to do DES? Does anyone have a
        > > > module or script that can help with this?
        > > >
        > > > Thanks --
        >
        > Kent Multer | /| P.O.Box 701895, Dallas TX 75370
        > Magic Metal Productions | / | (214) 570 8264 voice/fax
        > | | [email protected]
        > * Web developer/designer http://TheMagicM.com
        > * E-commerce and Miva
        > * Author, The Official Miva Web Scripting Book -- available on-line:
        > http://www.amazon.com/exec/obidos/ISBN=0966103211/magicmetalproducA

        Comment


          #5
          encryption?



          When you make a post through SSL (https:// in MvCALL), the data _is_ already
          sent encrypted. There is no need to encrypt it in advance manually.

          This is the way the MmXML module works - it can post the orders to a remote
          server both in secure and standard mode.

          Ivo Truxa

          | http://miva.truxoft.com
          | Advanced Miva Merchant modules



          -----Original Message-----
          From: Kent



          >Ivo already has a PGP module, would that work?

          No, his module only does email. I need the encryption on data which is
          sent to the payment server by MvCALL (POST).


          > > I have a client who's interested in a super-secure payment module: they
          > > want it to encrypt the data by DES or Triple-DES, and also
          > > send it by https
          > > POST. Is there a way for Miva modules to do DES? Does anyone have a
          > > module or script that can help with this?
          > >
          > > Thanks --



          Comment


            #6
            encryption?



            Ivo -- thanks for the information. I just checked out the MmXML
            description on mivacentral.com. I would like to get some more details on
            this; maybe you could please send them off-list?

            I, too, was wondering why the client would want to encrypt their data
            twice. Actually, it's 3 times, since they also want base64 encoding! I
            think they're just trying to be the safest gateway on the planet ("We're
            the best, we triple-encrypt your data!"). I don't know enough about
            security issues myself to judge whether this is really a good idea. David
            mentioned the overhead; and I suppose any one of these encryptions is
            strong enough that a hacker would need a supercomputer to crack it. I
            suppose that requiring two encryptions might be a safety measure, in case
            the merchant or hoster accidentally leaves one of them disabled, or in case
            someone steals some private keys?

            Thanks for the advice -- Kent


            >When you make a post through SSL (https:// in MvCALL), the data _is_ already
            >sent encrypted. There is no need to encrypt it in advance manually.
            >
            >This is the way the MmXML module works - it can post the orders to a remote
            >server both in secure and standard mode.
            >
            >Ivo Truxa




            Kent Multer | /| P.O.Box 701895, Dallas TX 75370
            Magic Metal Productions | / | (214) 570 8264 voice/fax
            | | [email protected]
            * Web developer/designer http://TheMagicM.com
            * E-commerce and Miva
            * Author, The Official Miva Web Scripting Book -- available on-line:
            http://www.amazon.com/exec/obidos/ISBN=0966103211/magicmetalproducA



            Comment


              #7
              encryption?



              The real hoot is that the client will then probably just empty his trash in
              the trash bin outside his office...I think more identity/CC thefts that
              AMOUNT to loss occur this way than through the internet.

              -Bruce

              > -----Original Message-----
              > From: [email protected]
              > [mailto:[email protected]] On Behalf Of Kent
              > Sent: Friday, March 11, 2005 10:05 AM
              > To: Ivo Truxa; 'Miva Merchant coders list'
              > Subject: RE: [mrc] encryption?
              >
              > Ivo -- thanks for the information. I just checked out the
              > MmXML description on mivacentral.com. I would like to get
              > some more details on this; maybe you could please send them off-list?
              >
              > I, too, was wondering why the client would want to encrypt
              > their data twice. Actually, it's 3 times, since they also
              > want base64 encoding! I think they're just trying to be the
              > safest gateway on the planet ("We're the best, we
              > triple-encrypt your data!"). I don't know enough about
              > security issues myself to judge whether this is really a good
              > idea. David mentioned the overhead; and I suppose any one of
              > these encryptions is strong enough that a hacker would need a
              > supercomputer to crack it. I suppose that requiring two
              > encryptions might be a safety measure, in case the merchant
              > or hoster accidentally leaves one of them disabled, or in
              > case someone steals some private keys?
              >
              > Thanks for the advice -- Kent
              >
              >
              > >When you make a post through SSL (https:// in MvCALL), the data _is_
              > >already sent encrypted. There is no need to encrypt it in advance
              > >manually.
              > >
              > >This is the way the MmXML module works - it can post the orders to a
              > >remote server both in secure and standard mode.
              > >
              > >Ivo Truxa
              >
              >
              >
              >
              > Kent Multer | /| P.O.Box 701895,
              > Dallas TX 75370
              > Magic Metal Productions | / | (214) 570 8264 voice/fax
              > | | [email protected]
              > * Web developer/designer http://TheMagicM.com
              > * E-commerce and Miva
              > * Author, The Official Miva Web Scripting Book -- available on-line:
              >
              > http://www.amazon.com/exec/obidos/ISBN=0966103211/magicmetalproducA
              >
              >
              >

              Comment


                #8
                encryption?



                When sending data over SSL, the process is rather complicated, but simplified
                - there is always, for each transfer, a new strong temporary key generated
                and encrypted with an asymmetric algorithm using the recipient's public key.
                The temporary unencrypted key is then used for symmetric encryption of the
                actual data. Unless the attacker is able to get hold of the recipient's
                private key, the passphrase, and the IP address, he has no chance to decrypt
                the data.

                In contrast, base64 offers absolutely no security. It only converts binary
                data into printable characters. Adding a second encryption really makes little
                sense, but you can of course do it - there are a number of crypto functions
                available in Miva Script. Just check them in the manual. However, if you do
                not want to mimic SSL, with its asymmetric functionality, which is not
                trivial, you may need to use symmetric encryption, storing the encryption
                keys on both sides - which makes the encryption rather insecure.

                As for MmXML - just tell me what information you are looking for and I'll send
                it over.

                Ivo Truxa

                | http://miva.truxoft.com
                | Advanced Miva Merchant modules




                -----Original Message-----
                From: Kent


                Ivo -- thanks for the information. I just checked out the MmXML
                description on mivacentral.com. I would like to get some more details on
                this; maybe you could please send them off-list?

                I, too, was wondering why the client would want to encrypt their data
                twice. Actually, it's 3 times, since they also want base64 encoding! I
                think they're just trying to be the safest gateway on the planet ("We're
                the best, we triple-encrypt your data!"). I don't know enough about
                security issues myself to judge whether this is really a good idea. David
                mentioned the overhead; and I suppose any one of these encryptions is
                strong enough that a hacker would need a supercomputer to crack it. I
                suppose that requiring two encryptions might be a safety measure, in case
                the merchant or hoster accidentally leaves one of them disabled, or in case
                someone steals some private keys?

                Thanks for the advice -- Kent


                >When you make a post through SSL (https:// in MvCALL), the data _is_ already
                >sent encrypted. There is no need to encrypt it in advance manually.
                >
                >This is the way the MmXML module works - it can post the orders to a remote
                >server both in secure and standard mode.
                >
                >Ivo Truxa




                Kent Multer | /| P.O.Box 701895, Dallas TX 75370
                Magic Metal Productions | / | (214) 570 8264 voice/fax
                | | [email protected]
                * Web developer/designer http://TheMagicM.com
                * E-commerce and Miva
                * Author, The Official Miva Web Scripting Book -- available on-line:
                http://www.amazon.com/exec/obidos/ISBN=0966103211/magicmetalproducA



                Comment
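
Two points from the thread can be checked mechanically: base64 alone gives the data back to anyone without a key, and an SSL/TLS POST only protects the data if certificate and host name verification are actually left enabled. The Python below is an added example, not code from the thread or from any Miva module; the function names, the constructed sample field values and the TLS 1.2 floor are assumptions made for illustration.

```python
import base64
import binascii
import ssl


def recover_without_key(field: str):
    """Return the text hidden by base64 alone, or None if the decoded bytes
    are not printable text (as real ciphertext would not be)."""
    try:
        raw = base64.b64decode(field, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def strict_tls_context() -> ssl.SSLContext:
    """Client context for the payment POST: verify the chain, check the
    host name, refuse anything older than TLS 1.2 (floor is an assumption)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def disabled_checks_context() -> ssl.SSLContext:
    """The misconfiguration to look for: encryption on, verification off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """List the settings that would let the 'encrypted' POST reach an
    unauthenticated peer or use an obsolete protocol version."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate not verified")
    if not ctx.check_hostname:
        problems.append("host name not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol older than TLS 1.2 allowed")
    return problems


# Constructed sample field values (not taken from the thread).
ENCODED_ONLY = base64.b64encode(b"card=4111111111111111&exp=0308").decode()
OPAQUE_BYTES = base64.b64encode(bytes(range(200, 232))).decode()

if __name__ == "__main__":
    print(recover_without_key(ENCODED_ONLY))
    print(recover_without_key(OPAQUE_BYTES))
    print(audit_tls_context(strict_tls_context()))
    print(audit_tls_context(disabled_checks_context()))
```
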
