#1
03-25-2008, 09:42 PM
jwwest
Looking for Suggestions on Hash Key Creation

I'm building a CGI eCommerce store and I'm looking for ways to create
a decent 2 way encryption. Of course in a scripted language, I don't
want my key in the script itself, but would rather store it somewhere
obfuscated such as in a compiled C++ binary. (I know it doesn't help -
much-, but defense in layers)

A .NET programmer friend of mine uses a method that involves
generating a hash from the Volume ID of the hard drive to use as a
key. I like this approach, but am wary of hardware/software changes
that will break my key.

Am I going about this the correct way? Is there a better method for
creating a decently secure 2 way encryption using a scripted language?

Any help is very much appreciated. Thanks.

- James

#2
03-26-2008, 02:17 AM
Todd H.
Re: Looking for Suggestions on Hash Key Creation

jwwest <jwwest@gmail.com> writes:

> I'm building a CGI eCommerce store and I'm looking for ways to create
> a decent 2 way encryption. Of course in a scripted language, I don't
> want my key in the script itself, but would rather store it somewhere
> obfuscated such as in a compiled C++ binary. (I know it doesn't help -
> much-, but defense in layers)
>
> A .NET programmer friend of mine uses a method that involves
> generating a hash from the Volume ID of the hard drive to use as a
> key. I like this approach, but am wary of hardware/software changes
> that will break my key.
>
> Am I going about this the correct way? Is there a better method for
> creating a decently secure 2 way encryption using a scripted language?
>
> Any help is very much appreciated. Thanks.


The path to hell is paved with such intentions. :-)

You may get a lot of mileage out of the OWASP Guide to web
application security, specifically this chapter:
http://www.owasp.org/index.php/Cryptography

More generally
http://www.owasp.org/index.php/Guide_Table_of_Contents

Best Regards,
--
Todd H.
http://www.toddh.net/

#3
03-26-2008, 06:41 PM
John Mason Jr
Re: Looking for Suggestions on Hash Key Creation

jwwest wrote:
> I'm building a CGI eCommerce store and I'm looking for ways to create
> a decent 2 way encryption. Of course in a scripted language, I don't
> want my key in the script itself, but would rather store it somewhere
> obfuscated such as in a compiled C++ binary. (I know it doesn't help -
> much-, but defense in layers)
>
> A .NET programmer friend of mine uses a method that involves
> generating a hash from the Volume ID of the hard drive to use as a
> key. I like this approach, but am wary of hardware/software changes
> that will break my key.
>
> Am I going about this the correct way? Is there a better method for
> creating a decently secure 2 way encryption using a scripted language?
>
> Any help is very much appreciated. Thanks.
>
> - James




<http://www.cacr.math.uwaterloo.ca/hac/>

John

#4
03-26-2008, 09:02 PM
Unruh
Re: Looking for Suggestions on Hash Key Creation

John Mason Jr <notvalid@cox.net.invalid> writes:

>jwwest wrote:
>> I'm building a CGI eCommerce store and I'm looking for ways to create
>> a decent 2 way encryption. Of course in a scripted language, I don't
>> want my key in the script itself, but would rather store it somewhere
>> obfuscated such as in a compiled C++ binary. (I know it doesn't help -
>> much-, but defense in layers)
>>
>> A .NET programmer friend of mine uses a method that involves
>> generating a hash from the Volume ID of the hard drive to use as a
>> key. I like this approach, but am wary of hardware/software changes
>> that will break my key.
>>
>> Am I going about this the correct way? Is there a better method for
>> creating a decently secure 2 way encryption using a scripted language?
>>
>> Any help is very much appreciated. Thanks.


Why are you trying to reinvent the wheel? Use ssh
or ssl.


#5
03-27-2008, 09:05 PM
Chris Mattern
Re: Looking for Suggestions on Hash Key Creation

On 2008-03-25, jwwest <jwwest@gmail.com> wrote:
> I'm building a CGI eCommerce store and I'm looking for ways to create
> a decent 2 way encryption. Of course in a scripted language, I don't
> want my key in the script itself, but would rather store it somewhere
> obfuscated such as in a compiled C++ binary. (I know it doesn't help -
> much-, but defense in layers)
>
> A .NET programmer friend of mine uses a method that involves
> generating a hash from the Volume ID of the hard drive to use as a
> key. I like this approach, but am wary of hardware/software changes
> that will break my key.
>
> Am I going about this the correct way? Is there a better method for
> creating a decently secure 2 way encryption using a scripted language?
>
> Any help is very much appreciated. Thanks.
>

You don't. Do it in your server. SSL. HTTPS. Get yourself a
signed certificate. Anything is playing with fire.

--
Christopher Mattern

NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities

#6
03-28-2008, 09:12 PM
jwwest
Re: Looking for Suggestions on Hash Key Creation


> You don't. Do it in your server. SSL. HTTPS. Get yourself a
> signed certificate. Anything is playing with fire.


I'm looking at encrypting data in the database, not the session.
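
An added example, not part of any post in this thread: it contrasts the Volume-ID-derived key from the original question with a random key kept in an owner-only file outside the script, plus a key check value stored with the data so a wrong key is detected before decryption is attempted. All function names, the `store.key` path and the Volume IDs are hypothetical or constructed; the cipher itself is assumed to come from a vetted library and is not shown.

```python
import hashlib, hmac, os, secrets, stat, tempfile
KEY_LEN = 32  # 256-bit key, to be handed to a vetted cipher library

def key_from_volume_id(volume_id: str) -> bytes:
    """Scheme from the question: key = hash of the drive's Volume ID."""
    return hashlib.sha256(volume_id.encode()).digest()

def key_check_value(key: bytes) -> str:
    """Non-secret fingerprint kept with the data to detect a wrong key."""
    return hmac.new(key, b"key-check-v1", hashlib.sha256).hexdigest()[:16]

def create_key_file(path: str) -> bytes:
    """Generate a random key; write it to a new file readable by owner only."""
    key = secrets.token_bytes(KEY_LEN)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key

def load_key_file(path: str, expected_kcv: str) -> bytes:
    """Load the key, refusing loose permissions or a mismatched key."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is open to group/other: {oct(mode)}")
    with open(path, "rb") as f:
        key = f.read()
    if len(key) != KEY_LEN:
        raise ValueError("key file has the wrong length")
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("key is not the one the data was encrypted with")
    return key

def demo() -> dict:
    # Constructed Volume IDs: one server before and after a disk replacement.
    old, new = key_from_volume_id("1A2B-3C4D"), key_from_volume_id("9F8E-7D6C")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "store.key")  # hypothetical; keep outside web root
        key = create_key_file(path)
        kcv = key_check_value(key)
        reloaded = load_key_file(path, kcv)
        os.chmod(path, 0o644)  # simulate a misconfigured deployment
        try:
            load_key_file(path, kcv)
            loose_rejected = False
        except PermissionError:
            loose_rejected = True
    return {"volume_key_survives_disk_swap": old == new,
            "file_key_reloads": reloaded == key,
            "loose_permissions_rejected": loose_rejected}
```

Calling `demo()` shows the hardware-change concern raised in the question: the Volume-ID key differs after a disk swap, while the file-based key moves with a backup of the key file. The check value is only safe to store beside the data because the key is 256 random bits; it should not be used with a key derived from a guessable input.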

