Improved verification of messages

Werner Koch
Wed, 13 Sep 2000 14:12:33 +0200

----- Forwarded message from - <> -----

Subject: Re: Improved verification of messages
To: Werner Koch <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Thanks for the feedback everyone. A bit of extra
background info - the shopping cart script would be
running with the SUID bit set, and would therefore be
running under my user ID. Also all of my files on the
server would have NO permissions for group and world,
so no other user (apart from root) should be able to
read the cart script, the keyring files nor any other
files in my area of the server.

Yes, if a hacker got access to the server AND got to
run as root or as MY user id, then they would be able
to read the shopping cart script AND would be able to
copy the keyring files.

This would mean that they would also have access to
the private key which a couple of you suggested the
cart should use to sign the order. In that case I
don't think that adding the extra secret key and
signing procedure to the server would help that much,
apart from introducing a small increase in complexity
- but anyone studying the script would see the command
that signed and encrypted the order message.

As I see it, the most important thing is that if
someone submits a 'proper' order via the shopping cart
(and SSL), then their credit card details will be
immediately encrypted, will NOT be stored on the
server and can ONLY be decrypted locally by me. Even
if a hacker got to view the cart script and the
keyring files they would still not be able to decrypt
any of the REAL order emails (assuming they were able
to intercept them) because they don't have my private
key - is this correct?

But by studying the cart script and the keyring files
they WOULD be able to assemble a fake signed and
encrypted order email. But this wouldn't help them
much because if they were using say a stolen credit
card number, they could just as easily have submitted
this via the 'proper' cart order form on the web site
instead. We can still perform a series of manual
checks to the details when we receive the order email
to reduce the possibility of credit card fraud - we
would be doing this anyway for a telephone or faxed

I was just looking for an additional safety check
which would give us better trust that the email really
HAD come from the cart script. From your replies I see
that I can get the script to additionally sign the
encrypted order, but if someone gets to read the
keyring files on the server they will be able to fake
the signing too, so it doesn't seem to help that much.

That's how I see it, but I am not an expert in
security or GnuPG, so if you see any problems with
this or have any suggestions as to how I can improve
security, please do let me know!

> Use the payment options as authentication.
Do you mean the payment gateways such as NetBanx? If so, then this won't really work for us. We sell a lot of unique and one-off items and we need to be sure that two people have not ordered the same thing at the same time, or that someone in our *real* shop bought an item before we next checked our email. We can't allow a credit card to get immediately debited the moment an online order is placed. Thanks Colin __________________________________________________ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! ----- End forwarded message ----- -- Werner Koch GnuPG key: 621CC013 OpenIT GmbH -- Archive is at - Unsubscribe by sending mail with a subject of "unsubscribe" to