amuck-landowner

Related to Encryption

Hxxx

Active Member
Hi,

I was looking at the forum and found the post of @SrsX in relation to a WHMCS encryption module, it was closed so I was unable to comment.

My question is: Why nobody in the industry had implemented an encryption method in their software, to encrypt-> for example the billing data, but without really storing the main key?

->They could use mcrypt with AES 256 CBC, store the encrypted data along with the IV, then upon the need of decryption , ask for the key to complete the process. 

Am I missing something? Why they prefer to store the key?

Maybe because they don't trust their admins and support? If you don't trust your guys? Anyways most of them have root access... That should not be the issue.

Maybe is because of laziness?Asking the key after joining a session , once per session should solve the issue...

What you think? 
 

wlanboy

Content Contributer
It is the easiest way to handle it.

Use a well known crypt lib and handle the key managment yourself.

And the key has to be stored somewhere.
 

yolo

New Member
I know the password manager I use (passpack) has this implemented. You have to login to your account first with a general username and password. Then to see the data you have to enter your Packing Key which then decrypts the file and whala you have yourself your passwords. If you forget your Packing Key you are SOL and can't get your stuff back. I believe they call it Host-Proof Hosting. Here is their code: https://code.google.com/p/passpack/
 
Last edited by a moderator:

KuJoe

Well-Known Member
Verified Provider
If you need to enter the key each time then how do you automate things such as billing, suspension, activation, termination, e-mails, etc... ?
 

Hxxx

Active Member
@KuJoe I think that he was referring to pass the key using GET, bookmarking the url should automate. 

I dont like it... I mean the thing is  to NOT store the key. Inputting the key for each new session should not be too much work. Usually you login and work at the current session for hours if not days. 
 

drmike

100% Tier-1 Gogent
In theory, something secure would work like this....

Key offsite on terminal of admin.

Some programmatic access to that remote info via browser.

Key umm version crypted in RAM only.

Hazard here is the server reboots/restarts loses key and requires rekeying.

Alternatively, key accomplished via external device like we use to do on USB physically on server.

There has to be multiple layers going on here, not just one thing will cut it.
 

willie

Active Member
->They could use mcrypt with AES 256 CBC, store the encrypted data along with the IV, then upon the need of decryption , ask for the key to complete the process.

Encrypting with a separate key from the decryption key is called "public key cryptography" (RSA, etc; not AES) and it's a reasonable solution for this situation, though you end up using more cpu and storage (not by enough to matter) and it's in some ways more complicated.  You'd do the decryption (for payment processing or whatever) on a separate computer that's (at minimum) more isolated from the internet than the one customers and attackers see.

What I want to know though is why anyone is storing reusable payment credentials (cc#'s etc) in whmcs anyway.  Usually you get an opaque token from the payment gateway and use that when you invoice.  If the token gets stolen the attacker can't use it to send money to himself or to access customer cc#'s.  He can only issue invoices through the payment provider, which doesn't help him and which have a hold period.
 
Last edited by a moderator:

SrsX

Banned
.. why do I have so much trouble shaking the impression that you're curtisg with a new alias?
Firstly, I'm not. If you want I can scan my ID into my computer and personally message it to you, to prove I am whom I claim to be.
 

Aldryic C'boas

The Pony
You have nothing to prove to me, just making an observation.  I don't recall you claiming to be anybody, really.  Simply making a comment on noticed similarities.

Although, bit of advice... when you offer to scan and send your ID to someone you've never met and have no clue who they are.. "Security Researcher" falls a bit flat.
 

SrsX

Banned
You have nothing to prove to me, just making an observation.  I don't recall you claiming to be anybody, really.  Simply making a comment on noticed similarities.

Although, bit of advice... when you offer to scan and send your ID to someone you've never met and have no clue who they are.. "Security Researcher" falls a bit flat.
Who said I was not going to censor parts of it...
 

Aldryic C'boas

The Pony
Too late to back-pedal.  Censoring an ID is worthless - you either have to obscure too much information and invalidate it as 'proof', or too little and defeat the purpose.

Besides, censoring is irrelevant.  ANYONE invested in the concept of security would not scan their identification and release it online to some random bloke on a forum.  Period.

Your reactions, speech patterns, and grammatical inclination told me what I need to know.  Let's just leave it with you say that you're not curtisg, and move on before this derails further.
 

texteditor

Premium Buffalo-based Hosting
Hi I'm texteditor I'm also a security researcher and a grown-up (not a kid!), my fave security to research is Hackforums and l33t script kiddie fights wats ur fave security topics?

James Z.

CEO & Lead Security Researchist @ LMA0Sec
 

SrsX

Banned
Hi I'm texteditor I'm also a security researcher and a grown-up (not a kid!), my fave security to research is Hackforums and l33t script kiddie fights wats ur fave security topics?

James Z.

CEO & Lead Security Researchist @ LMA0Sec
OK, congratulations.
 
Top
amuck-landowner