[freeside-users] Encryption

Peter Bowen pbowen at corp.untd.com
Fri Mar 16 15:44:04 PDT 2007


Steve,

Wiki says....

"5. Save and restart the web server - just in case."

:)  I just removed the "just in case."

The public and private keys are stored in the same place as other
configuration directives.  You don't have to have them both on all machines.
Just the public key is required.  However, you won't be able to bill now or
run a billing on a public-only box.

We have a cluster.  Half of the cluster doesn't have access to the private
key.  Most employees do not have access to the boxes with the private key.
The private key boxes have additional network protection as well.

Be as paranoid as you want, but remember that boxes w/o the key can't bill
customers.  

If a hacker gets in, it's no longer just a select and go.  With encryption
turned on, he has to load up the modules, write a script to use the freeside
libs, and then get the info off the system.  Nothing is hacker proof, but
it's easier to go after much softer targets.

Employees are an entirely different problem...

-Peter



On 3/16/07 4:15 PM, "Steven Ball" <hamster at snurkle.net> wrote:

> 
> No worries, I'm glad I can 'help' with the wiki ;)
> 
> I double checked for lack of spaces and the like, and reduced the key
> length to 1024.
> 
> It seemed to work right after i submitted the config changes, but
> then the next time I edited or added a customer, I got the error again.
> 
> Just as a sanity check, I restarted the web server.  And what do you
> know, it seems to be working fine now.  Chalk this one up to an idiot
> user error :)
> 
> I just bumped it back to a 2048 bit key, -restarted the web server-,
> and all seems happy.
> 
> A question though, how is the public/private key stored?  Do you have
> any suggestions for protecting the private key from 'theft'?
> 
> Thanks again!
> 
> -Steve
> 
> On Mar 16, 2007, at 3:15 PM, Peter Bowen wrote:
> 
>> Steve,
>> 
>> I guess it's time for me to fess up... I wrote that code, but it has
>> been two years since I did it.  We run encrypted, so I know it works. :)
>> But to be fair, I may be the only one who is.
>> 
>> I fixed the Wiki - I must have written it at a point when I was VERY
>> tired.  Shame on everyone else for missing it. Shame on me for writing
>> it...
>> 
>> It's really been two years since I've set this up... Try two things for
>> me...
>> 
>> 1. Create another key.  When you paste it, be sure that there are no
>> extra newlines or spaces at the beginning or end.  It should be more
>> robust than that, but I'm not sure that it is...
>> 
>> 2. Try creating a shorter key. $length = 1024.
>> 
>> Let me know how it goes.
>> 
>> -Peter
>> 
>> 
>> On 3/16/07 2:44 PM, "Steven Ball" <hamster at snurkle.net> wrote:
>> 
>>> 
>>> Hello again,
>>> 
>>> Working on getting this system all working,  but I have run into
>>> another snag.
>>> 
>>> I am trying to get encryption of CC info working.  I tend to be
>>> paranoid about having this kind of data around, so I would sleep
>>> easier knowing it is at least somewhat protected :)
>>> 
>>> I followed the instructions in the Wiki in regards to setting up
>>> encryption using Crypt::OpenSSL::RSA
>>> 
>>> The first thing I note is that the code given to produce a public/
>>> private key seems to be the wrong way around:
>>> 
>>> print "Public:\n". $rsa->get_private_key_string();
>>> print "Private:\n". $rsa->get_public_key_string();
>>> 
>>> (ie, it prints 'Public' but then gives the private key, and vice
>>> versa, is this correct?)
>>> 
>>> The error I get is:
>>> 
>>> unrecognized key format at /usr/local/share/perl/5.8.8/FS/Record.pm
>>> line 2028
>>> 
>>> I tried swapping the public/private keys around, just for giggles,
>>> but that leads to:
>>> 
>>> Can't locate object method "new_public_key" via package
>>> "Crypt::OpenSSL::RSA" at /usr/local/share/perl/5.8.8/FS/Record.pm
>>> line 2028.
>>> 
>>> I have the module installed, via CPAN:
>>> 
>>> "Crypt::OpenSSL::RSA is up to date (0.24)."
>>> 
>>> I am running Freeside 1.7.2 on a Debian 'testing' box.
>>> 
>>> Any hints again?
>>> 
>>> Thanks!
>>> 
>>> -Steve
>>> 
>>> _______________________________________________
>>> freeside-users mailing list
>>> freeside-users at sisd.com
>>> http://420.am/cgi-bin/mailman/listinfo/freeside-users
>> 
> 
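Added example, not Freeside's code and not from any message in this thread: a stand-alone Perl script using Crypt::OpenSSL::RSA that walks through what the thread describes. It generates a keypair with the labels the right way around, normalizes a pasted PEM key (the stray leading or trailing whitespace Peter suspects is behind "unrecognized key format"), then loads only the public half the way a front-end box in the cluster would and shows that such a box can encrypt but not decrypt, while a handle on the private half recovers the plaintext. The `normalize_pem` helper, the sample card number and the OAEP padding choice are assumptions made for this example; how FS::Record itself loads keys and which padding it uses are not shown in the thread and may differ.

```perl
#!/usr/bin/perl
# Added example, not Freeside code: generate an RSA keypair, split it so an
# encrypt-only box holds just the public half, and show what each half can do.
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

# --- Key generation: run once, offline, on a box you trust. The wiki
# snippet printed the halves under swapped labels; here each label
# matches the string it prints.
my $length      = 2048;   # the thread tried 1024 and 2048; both load fine
my $rsa         = Crypt::OpenSSL::RSA->generate_key($length);
my $private_pem = $rsa->get_private_key_string();  # billing boxes only
my $public_pem  = $rsa->get_public_key_string();   # every box may hold this

print "Private:\n$private_pem";
print "Public:\n$public_pem";

# --- Loading a pasted key. Strip the stray whitespace the thread blames for
# "unrecognized key format" and fail at config time, not on the next
# customer edit, if the PEM armor is not intact. (normalize_pem is a helper
# written for this example, not a Freeside function.)
sub normalize_pem {
    my ($pem, $kind) = @_;                 # $kind is 'PUBLIC' or 'PRIVATE'
    $pem =~ s/\r\n/\n/g;                   # CRLF from a Windows paste
    $pem =~ s/\A\s+//;                     # leading newlines or spaces
    $pem =~ s/\s+\z//;                     # trailing newlines or spaces
    die "not a PEM $kind key: BEGIN/END armor missing or damaged\n"
        unless $pem =~ /\A-----BEGIN (?:RSA )?$kind KEY-----\n.+\n-----END (?:RSA )?$kind KEY-----\z/s;
    return "$pem\n";
}

# Constructed input: the public key as it might arrive from a careless paste.
my $pasted_public = "\n  $public_pem  \n\n";

# --- Front-end box: public key only. It can encrypt a card number on the
# way into the database but has nothing with which to decrypt it.
my $front = Crypt::OpenSSL::RSA->new_public_key(normalize_pem($pasted_public, 'PUBLIC'));
$front->use_pkcs1_oaep_padding();   # assumption for this example; the module default is PKCS#1 v1.5
my $card_number = '4111111111111111';   # constructed test value, not a real card
my $ciphertext  = $front->encrypt($card_number);

my $leaked = eval { $front->decrypt($ciphertext) };
print "public-only box decrypt: ", defined $leaked ? "SUCCEEDED (unexpected)" : "refused", "\n";

# --- Billing box: private key present, so the plaintext comes back.
my $billing = Crypt::OpenSSL::RSA->new_private_key(normalize_pem($private_pem, 'PRIVATE'));
$billing->use_pkcs1_oaep_padding();   # must match the padding used to encrypt
my $recovered = $billing->decrypt($ciphertext);
print "billing box decrypt: ", $recovered eq $card_number ? "ok" : "MISMATCH", "\n";
```

Run it once on a machine you trust to generate the pair, then copy only the Public block into the configuration of the encrypt-only front-end boxes; the Private block goes only to the boxes that run billing. The `die` in `normalize_pem` is the check the thread was missing: with it, a key pasted with extra whitespace or a truncated END line is rejected when the config is saved instead of surfacing as an error on the next customer edit.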


