Would this be safe?

Jeff Schmidt jschmid at uakron.edu
Tue Oct 21 19:34:43 CEST 2003

    Well, I'm kind of new to cryptography and how to keep stuff 'safe', 
so I thought I'd throw this out on the list to see if anyone would be 
willing to critique a potential use I'm thinking of putting GPG to.  In 
a nutshell, I have a website that I want to have a form that users can 
fill out (on an ssl-secured page) that would include personal 
information (possibly credit card or other payment info).  The company 
I'm doing this for (a small family business) currently has a POS 
credit-card terminal, and wants to just manually process orders instead 
of doing it fully online, but we want to be able to allow people to 
place orders online.

     So, I thought that I could use GPG, on the webserver, to encrypt 
the user data with a public key (for which the owner of the company will 
have the corresponding private key to decrypt the info), end then email 
the encrypted info as an attachment to the owner's email address. He 
would then get his email once or twice a day, decrypt the info using GPG 
and his private key, and process the order.

     That's the basic outline. Specifically, here's what I had in mind. 
The webpage/form would be proccessed by a PHP script. The script would 
use the PHP proc_open() function to execute 'GPG -a -r owners_email 
--encrypt'. The proc_open() command, for those not familiar with PHP, 
forks, creates two pipes between the parent process (the script) and the 
STDIN/STDOUT of the child process (for bi-directional communication 
between the processes), then exec's the command that you specify as the 
first argument to proc_open. I'm thinking this way I can send the 
user-inputted data into GPG using the script's writeable pipe (GPG's 
stdin), and receive back the encrypted data through the readable pipe 
(GPG's stdout).

     This will be running on a shared-host linux webserver (that is, we 
pay like $20/mo or something to the hosting company to have a website, 
and there are probably a couple hundred other users with sites on the 
same server), setup so that the PHP script runs as the user for our 
webhost account.

    With the above setup, the user data is only unencrypted in-memory 
(which I think should be fairly secure, yes?), and will only persist for 
an extremely short period of time. Since I use pipes to send the data to 
GPG, again it remains in memory (well, it might hit the virtual memory 
page-cache, but I don't think that's worth worrying about is it?) then 
gets encrypted and piped back to PHP, where I will email it (at which 
point it should be safe to send it over the 'public' email system as it 
is encrypted, right?). The public key will be stored in the keyring for 
our account (and will be the only thing in the keyring), on the 
webserver. I plan to have the keyring be 'unprotected' in terms of it 
not having a passphrase on it, since the only thing in it is a public 
key anyhow, and since I figure that even if I *did* passphrase it, that 
gives me the problem of storing the passphrase somewhere on the server 
for PHP to use, at which point it's basically just as unsecure as if the 
keyring has no passphrase.

So, are there any problems with this setup?

I've also considered generating a key-pair for the server, so that the 
server could sign the encrypted data, but as above, since the keyring 
would not necessarily be secure (I could ensure that the keyring file 
can only be read by our user on the system, but then if someone manages 
to exploit one of my PHP scripts they could grab it potentially, anyhow, 
since the PHP script runs as our user), I think that signing the form 
data would just give a potentially false sense of security.

Thanks, and sorry for being so long-winded, but just trying to think 
through all the security implications of the various things I need to do.

Jeff Schmidt

More information about the Gnupg-users mailing list