I am trying to make it so that on my project a user who enters a credit
card number will have that information encrypted. I am not, however,
very familiar with data encryption and public and private keys, so I am
not sure on how this data will be stores, whether it will be data stored
on the server in a table or whether it will be stored elsewhere, such as
the users computer? I was just wondering, 1) does ruby support data
encryption for public and private keys and could someone point me to
some good references, and 2) are there any good references out there for
how this all works. I understand the concept of public and private keys,
just not how the encrption part is working if you need to store data on
the users machine, as far as private keys. Or, if someone has done
encryption for sensitive data user other methods I would like to hear
about those too. Thanks for any and all help,
I am trying to make it so that on my project a user who enters a credit
card number will have that information encrypted. I am not, however,
very familiar with data encryption and public and private keys, so I am
not sure on how this data will be stores, whether it will be data stored
on the server in a table or whether it will be stored elsewhere, such as
the users computer?
How it get’s stored is ou to your application. There are really at
least two security aspects here:
How to let the user send sensitive information to the server
without risking third parties from getting that information as
it passes over the ‘internets’. The answer here is https which is the
encrypted form of http. Public key encryption is used to encrypt the
http traffic between client and server. The Net::Https in the standard
ruby library supports this. There’s a brief discussion of how to use
https with rails in AWDWR 2nd ed starting on page 612.
How to secure such sensitive data on the server. IANAL, but I
believe that there are potential legal liabilities if you store CC
information and it gets compromised. One approach is not to sore the
data, but pass it off to a CC processing service such as PayPal,
Amazon FPS (when it goes production), or the like. If you want to
store it then you should consider storing it in encrypted
form on a server. It’s not well documented but I ruby ssl/https code
supports internal encryption/decryption, see: http://blog.leetsoft.com/2006/03/14/simple-encryption. As this post
points out, you still need to be concerned about compromise of
the private key protecting this data. For real security, best practice
is to store the data on a separate server behind a firewall which
keeps the private key, and have the internet facing server communicate
with this server using it’s ‘public’ key over an intranet or VPS.
I was just wondering, 1) does ruby support data
encryption for public and private keys and could someone point me to
some good references, and 2) are there any good references out there for
how this all works. I understand the concept of public and private keys,
just not how the encrption part is working if you need to store data on
the users machine, as far as private keys. Or, if someone has done
encryption for sensitive data user other methods I would like to hear
about those too. Thanks for any and all help,
For general enlightenment on public/private key usage, you might try
googling for pgp (or “Pretty good privacy”) which should give you what
you are looking for.
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.