Reputation: 2100
Let me preface this by saying I know nothing about encryption. I understand the basic concept of public key / private key encryption but I don't know how easily it can be broken, if at all. If one were to believe the movies, encrypted data can be broken by a teenager with a decent computer in a few hours.
I have a client who wants credit card information sent via email - encrypted of course, but I'm still not feeling terribly good about the idea. I feel it would be safer to store the info on the VPS, but even then it's an unmanaged server and there's nobody watching it who knows much about security.
So can anyone tell me if there's a safe way to store and/or send this data out?
Thanks
Upvotes: 3
Views: 331
Reputation: 264
As the other users have stated, it is generally not the encryption that gets broken, but rather the key gets stolen. If I were in your position and was 'forced' to send credit card information over email, but I could encrypt it, I would encrypt my message using AES-128 in CBC mode and PKCS5 padding (in this instance, I doubt that you really need to worry about an initialization vector, but adding one can only help), and give the key to the person who needs it on a piece of paper, in person. It is someone stealing the key that is the issue, not the standard of encryption being broken.
Let's imagine that the world's greatest supercomputer is solely dedicated to breaking your AES-128 CBC mode encryption, and that it can run at 93014 × 10^12 flops/second (1 flop is approximately 1 operation). Let's say that one AES decryption attempt takes 1000 flops (a large underestimate, I think). It would take the supercomputer 2^127 attempts on average to break the key and thus the encryption.
It would thus take (1000 × 2^127 flops) / (93014 × 10^12 flops/s) seconds on average to crack, which is equal to 1.829199728×10²⁴ seconds, which is equal to ~5.8×10¹⁶ years to crack! That is well over a million million years! As you can see, your key being stolen is the real concern, not the encryption being cracked, if you use a good algorithm and proper key generation.
Upvotes: 0
Reputation: 284786
Security is relative. It depends how long it needs to be secure and who your adversary is. In practical terms, PGP encryption should be enough if you have to use email. See the EnigMail guide.
You need to be careful not to store the data unencrypted anywhere along the chain. Also, I don't know if this complies with the payment processing rules.
Upvotes: 0
Reputation: 34602
It's not practical to break a decent encryption scheme. It is much more likely that someone will get a copy of the keys. Public key has the advantage that the decryption key doesn't have to be on the server at all... can't compromise it at that end if it is never there.
However... this is credit card data. There are legally enforceable standards for how you should handle that data, so you really better look up what they say. The standards mandate certain kinds of encryption, as well as various other security practices.
Upvotes: 8
Reputation: 12815
This question and its responses should give you a good idea. Bottom line: it's people leaving the keys on the counter that's the weak link in most encryption systems.
Upvotes: 2