Hashing

Andrew Robinson

I am working on a pretty simple e-commerce web site that will sell our
company gift cards online. Our company and merchant policy prohibits us from
storing credit card numbers in any way once we clear the transaction using
Pay Flow. To help protect against fraud, I would like to know when the same
card number is used to make more than one purchase in a given period of
time.

Would hashing card numbers and then storing and comparing hashes work? Does
it still adhere to our company policy?

What would work better creditCard.ToHash() or using one of the SHA managed
providers?

-Andy
Guest

Andrew said:
Would hashing card numbers and then storing and comparing hashes work? Does
it still adhere to our company policy?

I'm not a security expert, but I guess it would work. You only have to
be sure that you do not use any bad algorithm which allows re-hashing.

What you maybe can do... Create a public/private key-pair and delete the
private key.

Then you use the public key for hashing.

I'm not very sure but this should work. Try it out!


Regards,

Martin
Marc Gravell

IMO that should be OK (not a "legal" opinion ;-p). Sounds pretty normal.

Whenever storing a hash in a persistent system, you should use a known
algorithm, such as SHA, MD5, etc. The CLR GetHashCode() is liable to change
between runtime versions, which would break your system. For instance,
string.GetHashCode() is very different between 1.1 and 2.0.

Marc
 
Ignacio Machin (.NET/ C# MVP)

Hi,

Would hashing card numbers and then storing and comparing hashes work?
Does it still adhere to our company policy?

Well, it depends on what your policy says. IMO (IANAL) it should be ok, as
you can not regenerate the CC# from the hash.

What would work better creditCard.ToHash() or using one of the SHA managed
providers?

I will go with something like SHA or MD5 just because it's standard; later on,
if you need to explain yourself, you can say you use an industry standard (SHA,
etc.) to generate the hash.
Steven Cheng[MSFT]

Hi Andrew,

I'm not very experienced with the merchant policy; however, if the concern
here is only to prevent clear-text credit card numbers in memory or application
data, using a hashed value is a reasonable approach (and comparing them using
hashed values also).

BTW, what's the "creditCard.ToHash()" you mentioned? Is this a particular
method of your custom credit card class type? As far as I know, you can
use the component classes under namespace to perform those crypto-specific
operations (including hash, encrypt, signing...):

#Generating a Hash
http://msdn2.microsoft.com/en-us/library/w1t5hx6k.aspx

#Verifying a Hash
http://msdn2.microsoft.com/en-us/library/yeyw8w2d.aspx

Also, I would prefer SHA1 to MD5 since SHA1 is naturally stronger.

Hope this also helps.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
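The thread settles on hashing the card number with a managed SHA provider and comparing the stored hashes. The following is an added example, not code from any poster in this thread or from the MSDN pages linked above, showing that pattern in .NET: it normalises the card number, computes a fingerprint with the managed `HMACSHA256` class, compares fingerprints in constant time, and counts repeat uses inside a time window. It assumes .NET 6 or later (for `Convert.ToHexString` and `RandomNumberGenerator.GetBytes`) and that the HMAC key is loaded from a key vault or HSM; the `CardFingerprinter` and `RepeatUseDetector` class names, the 24-hour window and the two test card numbers are this example's own constructions. A keyed hash (HMAC) is used instead of a bare SHA-1 of the card number because the set of valid 16-digit card numbers is small enough that an unkeyed digest can be reversed by enumerating candidate numbers; with the key kept out of the database, a leaked table of fingerprints reveals nothing.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the thread's code. Assumes .NET 6+ and a secret HMAC key
// that lives in a key vault / HSM, never in source control or the database.
public sealed class CardFingerprinter
{
    private readonly byte[] _key;

    public CardFingerprinter(byte[] secretKey)
    {
        if (secretKey is null || secretKey.Length < 32)
            throw new ArgumentException("HMAC key must be at least 32 bytes", nameof(secretKey));
        _key = (byte[])secretKey.Clone();
    }

    // Keep digits only, so "4111 1111 1111 1111" and "4111-1111-1111-1111" match.
    private static string Normalize(string pan)
    {
        var sb = new StringBuilder(pan.Length);
        foreach (char c in pan)
            if (char.IsDigit(c)) sb.Append(c);
        return sb.ToString();
    }

    // Keyed digest of the card number. A stable, standard algorithm (as Marc
    // notes, never GetHashCode()) so values stored today compare tomorrow.
    public byte[] Fingerprint(string pan)
    {
        byte[] data = Encoding.ASCII.GetBytes(Normalize(pan));
        try
        {
            using var hmac = new HMACSHA256(_key);
            return hmac.ComputeHash(data);
        }
        finally
        {
            Array.Clear(data, 0, data.Length); // do not leave the clear-text PAN around
        }
    }

    public string FingerprintHex(string pan) => Convert.ToHexString(Fingerprint(pan));

    // Constant-time comparison of two stored fingerprints.
    public static bool SameCard(byte[] a, byte[] b) => CryptographicOperations.FixedTimeEquals(a, b);
}

// Counts how often each fingerprint has been seen inside a sliding window.
public sealed class RepeatUseDetector
{
    private readonly TimeSpan _window;
    private readonly Dictionary<string, List<DateTime>> _seen = new();

    public RepeatUseDetector(TimeSpan window) => _window = window;

    // Records a purchase and returns how many earlier purchases in the window
    // used the same card; the caller decides what count triggers a review.
    public int Record(string fingerprintHex, DateTime at)
    {
        if (!_seen.TryGetValue(fingerprintHex, out var times))
            _seen[fingerprintHex] = times = new List<DateTime>();
        times.RemoveAll(t => at - t > _window);
        int prior = times.Count;
        times.Add(at);
        return prior;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed key for the demo; production loads it from a vault/HSM.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        var fp = new CardFingerprinter(key);
        var detector = new RepeatUseDetector(TimeSpan.FromHours(24));

        // Constructed input: standard test card numbers, not real cards.
        string[] purchases = { "4111 1111 1111 1111", "4111-1111-1111-1111", "5555555555554444" };
        DateTime now = DateTime.UtcNow;
        foreach (string pan in purchases)
        {
            string hex = fp.FingerprintHex(pan);
            int prior = detector.Record(hex, now);
            // Expected: 0, then 1 (same card, different formatting), then 0.
            Console.WriteLine($"{hex[..12]}... prior uses in window: {prior}");
        }
    }
}
```

Only the hex fingerprint and the timestamp need to be persisted; the card number itself is cleared as soon as the digest is computed. Rotating the HMAC key invalidates comparisons with fingerprints made under the old key, so the window of interest should be shorter than the key rotation period, or both old and new keys kept during the overlap.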
Andrew Robinson

Thanks everyone for all the info. Looks like I was heading down the correct
path here with SHA1 and we all agree.