Would this be safe?
jschmid at uakron.edu
Tue Oct 21 19:34:43 CEST 2003
Well, I'm kind of new to cryptography and how to keep stuff 'safe',
so I thought I'd throw this out on the list to see if anyone would be
willing to critique a potential use I'm thinking of putting GPG to. In
a nutshell, I have a website that I want to have a form that users can
fill out (on an ssl-secured page) that would include personal
information (possibly credit card or other payment info). The company
I'm doing this for (a small family business) currently has a POS
credit-card terminal, and wants to just manually process orders instead
of doing it fully online, but we want to be able to allow people to
place orders online.
So, I thought that I could use GPG, on the webserver, to encrypt
the user data with a public key (for which the owner of the company will
have the corresponding private key to decrypt the info), end then email
the encrypted info as an attachment to the owner's email address. He
would then get his email once or twice a day, decrypt the info using GPG
and his private key, and process the order.
That's the basic outline. Specifically, here's what I had in mind.
The webpage/form would be proccessed by a PHP script. The script would
use the PHP proc_open() function to execute 'GPG -a -r owners_email
--encrypt'. The proc_open() command, for those not familiar with PHP,
forks, creates two pipes between the parent process (the script) and the
STDIN/STDOUT of the child process (for bi-directional communication
between the processes), then exec's the command that you specify as the
first argument to proc_open. I'm thinking this way I can send the
user-inputted data into GPG using the script's writeable pipe (GPG's
stdin), and receive back the encrypted data through the readable pipe
This will be running on a shared-host linux webserver (that is, we
pay like $20/mo or something to the hosting company to have a website,
and there are probably a couple hundred other users with sites on the
same server), setup so that the PHP script runs as the user for our
With the above setup, the user data is only unencrypted in-memory
(which I think should be fairly secure, yes?), and will only persist for
an extremely short period of time. Since I use pipes to send the data to
GPG, again it remains in memory (well, it might hit the virtual memory
page-cache, but I don't think that's worth worrying about is it?) then
gets encrypted and piped back to PHP, where I will email it (at which
point it should be safe to send it over the 'public' email system as it
is encrypted, right?). The public key will be stored in the keyring for
our account (and will be the only thing in the keyring), on the
webserver. I plan to have the keyring be 'unprotected' in terms of it
not having a passphrase on it, since the only thing in it is a public
key anyhow, and since I figure that even if I *did* passphrase it, that
gives me the problem of storing the passphrase somewhere on the server
for PHP to use, at which point it's basically just as unsecure as if the
keyring has no passphrase.
So, are there any problems with this setup?
I've also considered generating a key-pair for the server, so that the
server could sign the encrypted data, but as above, since the keyring
would not necessarily be secure (I could ensure that the keyring file
can only be read by our user on the system, but then if someone manages
to exploit one of my PHP scripts they could grab it potentially, anyhow,
since the PHP script runs as our user), I think that signing the form
data would just give a potentially false sense of security.
Thanks, and sorry for being so long-winded, but just trying to think
through all the security implications of the various things I need to do.
More information about the Gnupg-users