
How to secure a credit card number (Software Engineering Tips)

Posted on December 1st, 2009 at 8:19 by John Sinteur in category: Software

[Quote:]

Storing card numbers in an unsearchable form is simple with the correct discipline: encrypt with an asymmetric cipher (PGP will do) and practice good key management. But these ciphers use a random session key every time they encrypt something, so it isn’t possible to search with a number by–say–encrypting the same number with the same cipher and key and searching your database for the binary output.

“Ah hah, but I’ll just hash the number!” you say, knowing that hashing algorithms like the SHA family are extremely preimage resistant–meaning you can’t take a hash value and run it in reverse to discover the original number. You can’t “un-bake a cake”, so to speak.

But credit card numbers are so small. They’re only 14 to 16 digits. If you merely hashed them then a hacker with a rainbow table would unlock your entire database in seconds.

So you’ll salt them, right? You’ll salt the hash (concatenate the number with a unique word) and that will prevent the use of a rainbow table, right? Wrong again.

  1. Thanks for sharing.
