Encrypting credit card numbers?

[el_roachmeister]

I have figured out how to encrypt cc' numbers using Perl's
Crypt::Blowfish module. I am trying to I convert the enrypted numbers
into text that can be copy/pasted into a web form.

I was able to use "unpack" to convert the encrypted number into text.
Now I can not figure out how to "pack" the unpacked number into the
same encrypted number?! My code is posted below, which produces this
output:

-shell-2.05b$ perl -t crypt
Original number is: 4242123456789012-March/11-2002
Unpacked number is:
6f162930ad78725a6f162930ad78725a6f162930ad78725a6f162930ad78725a
Decrypted number is: 4242123456789012-March/11-2002
o)0­xrZo)0­xrZo)0­xrZo)0­xrZ
8º#~äS3@Bé
08¡8º#~äS3@Bé
08¡8º#~äS3@Bé
08¡8º#~äS3@Bé
08¡

#############################################################

#!/usr/bin/perl -Tw

use strict;
use warnings;
use diagnostics;

use Crypt::Blowfish;

###########################################

my $key = pack("H16", "0123456789ABCDEF"); # min. 8 bytes

our $BLOCKSIZE = 8;

my $cc_number ='4242123456789012-March/11-2002'; # yes this is made up

my ( $encrypted, $unpacked)= &encrypt ($key, $cc_number);
my $decrypted = &decrypt ($key, $encrypted);

print "Original number is: $cc_number\n";
print "Unpacked number is: $unpacked\n" ;
print "Decrypted number is: $decrypted\n";

my $packed_from_unpack = &pack_number($unpacked);
my $decrypted_from_packed = &decrypt ($key, $packed_from_unpack);

print $packed_from_unpack . "\n";
print $decrypted_from_packed . "\n";

#############################################

sub encrypt {

my ($key,$dat) = @_;
my $encrypted = '';
my $unpacked = '';
my $cipher = new Crypt::Blowfish $key;

if ($BLOCKSIZE > 0) {
my $l_dat = length($dat);
for (my $i=0; $i < $l_dat;$i+=$BLOCKSIZE) {
my $tmp = substr($dat,$i,$BLOCKSIZE);
my $tmp2 = sprintf("%-" . $BLOCKSIZE . "s",$tmp); #pad with spaces
$encrypted .= $cipher->encrypt($tmp2);
$unpacked .= unpack ("H16", $encrypted);

}
}
else {
$encrypted .= $cipher->encrypt($dat);
$unpacked .= unpack ("H16", $encrypted);

}
return $encrypted, $unpacked;

}

sub decrypt {

my ($key,$dat) = @_;
my $dec = '';
my $cipher = new Crypt::Blowfish $key;

if ($BLOCKSIZE > 0) {
my $l_dat = length($dat);
for (my $i=0; $i < $l_dat;$i+=$BLOCKSIZE) {
my $tmp = substr($dat,$i,$BLOCKSIZE);
$dec .= $cipher->decrypt($tmp);
}
}
else {
$dec .= $cipher->decrypt($dat);
}
$dec =~ s/\s+$//; #remove trailing spaces
return $dec;
}

sub pack_number {

my $dat = $_[0];
my $packed='';
my ($tmp, $tmp2);

if ($BLOCKSIZE > 0) {
my $l_dat = length($dat);
for (my $i=0; $i < $l_dat;$i+=$BLOCKSIZE) {
$tmp = substr($dat,$i,$BLOCKSIZE);
$tmp2 = sprintf("%-" . $BLOCKSIZE . "s",$tmp); #pad with spaces
$packed .= pack ("H16", $tmp2);

}
}
else {
$packed .= pack ("H16", $tmp2);

}

return $packed;

}

1;

 

[Gregory Toomey]

I have figured out how to encrypt cc' numbers using Perl's
Crypt::Blowfish module. I am trying to I convert the enrypted numbers
into text that can be copy/pasted into a web form.

I was able to use "unpack" to convert the encrypted number into text.
Now I can not figure out how to "pack" the unpacked number into the
same encrypted number?! My code is posted below, which produces this
output:

I though blowfish & RC4 were symmetric cyphers.

I assume you are storing this information in a relational database.
I would NOT convert to hex, or even use an obvious field name.

gtoomey

 

[el_roachmeister]

ok, i figured it out, I had to change these two lines:

$encrypted .= $cipher->encrypt($tmp2);
$unpacked .= unpack ("H16", $encrypted);

to:

$encrypted .= $cipher->encrypt($tmp2);
my $encrypted_temp = $cipher->encrypt($tmp2);
$unpacked .= unpack ("H16", $encrypted_temp);

The corrected code is pasted below for anyone who may find it useful:

#!/usr/bin/perl -Tw

use strict;
use warnings;
use diagnostics;

use Crypt::Blowfish;

###########################################

my $key = pack("H16", "0123456789ABCDEF"); # min. 8 bytes

our $BLOCKSIZE = 8;

my $cc_number ='4242123456789012-12-15/1984 Jack Sutton'; # yes this is
made up

my ( $encrypted, $unpacked)= &encrypt ($key, $cc_number);
my $decrypted = &decrypt ($key, $encrypted);

print "Original number is: $cc_number\n";
print "Unpacked number is: $unpacked\n" ;
print "Decrypted number is: $decrypted\n";

my $packed_from_unpack = &pack_number($unpacked);

my $decrypted_from_packed = &decrypt ($key, $packed_from_unpack);

print "Decrypted from packed: $decrypted_from_packed" . "\n";

#############################################

sub encrypt {

my ($key,$dat) = @_;
my $encrypted = '';
my $unpacked = '';
my $cipher = new Crypt::Blowfish $key;

if ($BLOCKSIZE > 0) {
my $l_dat = length($dat);
for (my $i=0; $i < $l_dat;$i+=$BLOCKSIZE) {
my $tmp = substr($dat,$i,$BLOCKSIZE);
my $tmp2 = sprintf("%-" . $BLOCKSIZE . "s",$tmp); #pad with spaces
if string not long enough
$encrypted .= $cipher->encrypt($tmp2);
my $encrypted_temp = $cipher->encrypt($tmp2);
$unpacked .= unpack ("H16", $encrypted_temp);

}
}
else {
$encrypted .= $cipher->encrypt($dat);
$unpacked .= unpack ("H16", $encrypted);

}
return $encrypted, $unpacked;
}

sub decrypt {

my ($key,$dat) = @_;
my $dec = '';
my $cipher = new Crypt::Blowfish $key;

if ($BLOCKSIZE > 0) {
my $l_dat = length($dat);
for (my $i=0; $i < $l_dat;$i+=$BLOCKSIZE) {
my $tmp = substr($dat,$i,$BLOCKSIZE);
$dec .= $cipher->decrypt($tmp);
}
}
else {
$dec .= $cipher->decrypt($dat);
}
$dec =~ s/\s+$//; #remove trailing spaces
return $dec;
}

sub pack_number {

my $dat = $_[0];
my $packed='';
my ($tmp, $tmp2);

if ($BLOCKSIZE > 0) {
my $l_dat = length($dat);
for (my $i=0; $i < $l_dat;$i+=$BLOCKSIZE) {
$tmp = substr($dat,$i,$BLOCKSIZE);
$tmp2 = sprintf("%-" . $BLOCKSIZE . "s",$tmp); #pad with spaces if
string not long enough
$packed .= pack ("H8", $tmp2);

}
}
else {
$packed .= pack ("H16", $tmp2);

}

return $packed;

}

1;

 

[el_roachmeister]

blowfish is a symmetric cipher. I do not plan to store the key on the
server. The key will only be know to a few people. Those people will
simply type their key and Hex encrypted number into a web form and the
perl script will decrypt the Hex number into a plain text credit card
number. This will all be done with SSL.

Keep in mind this is all being done for some receptionists who are not
the most computer literate. So the key would be something they can
remember. They type it in once in the morning and then I'll use cookies
to store it on their computer for 1-day expiry.

Please criticize away! I am open to any suggestions, particularly if
what I am doing is big no no for security.