Hashing


Andrew Robinson

I am working on a pretty simple e-commerce web site that will sell our
company gift cards online. Our company and merchant policy prohibits us from
storing credit card numbers in any way once we clear the transaction using
Pay Flow. To help protect against fraud, I would like to know when the same
card number is used to make more than one purchase in a given period of
time.

Would hashing card numbers and then storing and comparing hashes work? Does
it still adhere to our company policy?

What would work better creditCard.ToHash() or using one of the SHA managed
providers?

-Andy
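An added example (not code from the thread) of the approach Andy describes: the card number is never stored, only a one-way token of it, and repeat use within a time window is detected by comparing tokens. It uses a keyed hash (HMAC-SHA256) rather than a bare SHA-1 digest, because a card number has very little entropy and a plain digest of it can be matched against candidate numbers by anyone who obtains the table; keying the hash with a secret held outside the database removes that. The key, the test card numbers and the timestamps below are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed demo key. In a real deployment it lives in a key store or HSM,
# never in the same database as the tokens, and is rotated on a schedule.
DEMO_KEY = secrets.token_bytes(32)


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes so the same card always yields the same token."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must be 12 to 19 digits")
    return digits


def card_token(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way token for a card number (HMAC-SHA256, hex encoded).

    Without the key the token cannot be linked back to a card number, which
    is what makes it safe to persist alongside order records.
    """
    return hmac.new(key, normalize_pan(pan).encode("ascii"), hashlib.sha256).hexdigest()


class PurchaseLog:
    """Keeps (token, timestamp) rows; the card number itself is never retained."""

    def __init__(self, key: bytes = DEMO_KEY):
        self._key = key
        self._rows = []  # list of (token, datetime)

    def record(self, pan: str, when: datetime) -> str:
        """Log a cleared purchase and return the token that was stored."""
        token = card_token(pan, self._key)
        self._rows.append((token, when))
        return token

    def uses_within(self, pan: str, now: datetime, window: timedelta) -> int:
        """Count purchases made with this card in the trailing window."""
        token = card_token(pan, self._key)
        cutoff = now - window
        return sum(1 for stored, when in self._rows if stored == token and when >= cutoff)


def demo() -> dict:
    """Run the repeat-use check over constructed sample purchases."""
    log = PurchaseLog(key=b"k" * 32)  # fixed constructed key for reproducibility
    t0 = datetime(2024, 1, 1, 12, 0)
    # The same test card entered two different ways must produce one token.
    first = log.record("4111 1111 1111 1111", t0)
    second = log.record("4111-1111-1111-1111", t0 + timedelta(hours=1))
    log.record("5555 5555 5555 4444", t0 + timedelta(hours=1, minutes=30))
    day = timedelta(hours=24)
    return {
        "same_token": first == second,
        "visa_uses_in_24h": log.uses_within("4111111111111111", t0 + timedelta(hours=2), day),
        "visa_uses_three_days_later": log.uses_within("4111111111111111", t0 + timedelta(days=3), day),
        "mastercard_uses_in_24h": log.uses_within("5555555555554444", t0 + timedelta(hours=2), day),
        # A different key yields an unrelated token for the same card.
        "key_changes_token": card_token("4111111111111111", b"a" * 32)
        != card_token("4111111111111111", b"b" * 32),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison is done on tokens, so the fraud check needs only the token of the card presented at checkout plus the stored rows; a compromise of the order database alone yields neither card numbers nor anything that can be matched to them without the key.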
 
Andrew said:
Would hashing card numbers and then storing and comparing hashes work? Does
it still adhere to our company policy?

I'm not a security expert, but I guess it would work. You only have to
be sure that you do not use any bad algorithm which allows re-hashing.

What you maybe can do... Create a public/private key-pair and delete the
private key.

Then you use the public key for hashing.

I'm not very sure, but this should work. Try it out!


Regards,

Martin
 
IMO that should be OK (not a "legal" opinion ;-p). Sounds pretty normal.

Whenever storing a hash in a persistent system, you should use a known
algorithm, such as SHA, MD5, etc. The CLR GetHashCode() implementations are liable to change
between runtime versions, which would break your system. For instance,
string.GetHashCode() is very different between 1.1 and 2.0.

Marc
 
Hi,
Would hashing card numbers and then storing and comparing hashes work?
Does it still adhere to our company policy?

Well, it depends on what your policy says. IMO (IANAL) it should be OK, as
you cannot regenerate the CC# from the hash.
What would work better creditCard.ToHash() or using one of the SHA managed
providers?

I will go with something like SHA or MD5 just because it's standard; later on,
if you need to explain yourself, you can say you used an industry standard (SHA,
etc.) to generate the hash.
 
Hi Andrew,

I'm not very experienced with merchant policy; however, if the concern
here is only to prevent clear-text credit card numbers in memory or application
data, using a hashed value is a reasonable approach (and comparing them using
hashed values also).

BTW, what's the "creditCard.ToHash()" you mentioned? Is this a particular
method of your custom credit card class type? As far as I know, you can
use the component classes under namespace to perform those crypto-specific
operations (including hash, encrypt, signing...):

#Generating a Hash
http://msdn2.microsoft.com/en-us/library/w1t5hx6k.aspx

#Verifying a Hash
http://msdn2.microsoft.com/en-us/library/yeyw8w2d.aspx

Also, I would prefer SHA1 to MD5 since SHA1 is naturally stronger.

Hope this also helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks everyone for all the info. Looks like I was heading down the correct
path here with SHA1 and we all agree.
 