NYCPHP Meetup

[Jim Hendricks]

> Encrypting on the client machine is best done with SSL?
Yes.  The only other success I have had is using a JavaScript to
encrypt the pw & place in the pw field.  The problem with this is ...
JavaScript.

> These are great distinctions, thanks.
Your welcome.

> Whew, at least some of that was over my head at this point, but it
> gives me something to chew on!
Let me make it simpler through example.

Credit Cards many times need to be stored, but the User gets a warm fuzzy
if they know that their card data is encrypted in a way that can only be
accessed
by them.  If on creating the user I generate a random alphanumeric string, I
can
use this string to encrypt the credit card data.  The only problem is how do
I
store the random string in a way that can only be used by the user
associated with
the card?  That is why I post pend it onto the users password prior to
encrypting
the password.  Since only the user should have their password, only the user
can decrypt the random string key, and therefore only the user can decrypt
their
credit card data.  In reality, you can achieve the same thing if you use the
users password, preferably in plaintext as the key to encrypting data like
CC's,
but the random generated string adds an extra layer of protection.  If you
were to
use the ciphertext version of the password( ie. what is saved in your user
table )
the CC data can be decrypted via a scan of the users, decrypting the cc data
with
each users ciphertext password until the CC data decrypts to something that
makes
sense.

The Random characters I prepend to the password before encryption and
storage is
due to the encryption (RC4).  RC4 generates the same ciphertext given the
same
plaintext/key.  If I have 2 users with the password 'password', even though
I am post
pending the randomly generated string to use as a personal key, the 1st 8
characters
of my plaintext will be the same and will therefore generate the same 1st 8
characters
of ciphertext.  If I know that the 1st 3 characters are random in the
plaintext, I can
be reasonably assured that there will be no discernable patterns in the
stored ciphertext.

Finally, my choice of RC4 is due to it's simplicity in implementing yourself
while providing
a reasonable amount of security.  Many languages now also have RC4 built in.
I don't
know if PHP does since I had RC4 already written in VBScript so it was an
easy port to
PHP and I still use my own implementation.