Kryptronic Software Support Forum

You are viewing this forum as a guest. Login to an existing account, or create a new account, to reply to topics and to create new topics.

#1 03-13-2018 13:31:02

timberguy
Member
Registered: 01-14-2008
Posts: 140

Offline decryption

I have a client that has three separate stores.  They use an old yahoo widgit for decrypting their offline credit card data.  The third store, they are just beginning to actually use.  They got the first order using offline credit card and the old decryption tool does not work.   I went in to the config.php file in the /ccp8-private and changed the info for $config['core.cryptkey'] =   to the same as it is on the otehr two websites, but it still does not seem to work.

First, is there something else I would need to do?  Seems like there should be an easy way to reset the encrpyt key. Running the installer does not bring it back up. Is there a place within the admin area t oreset it that I can not find?

Second, do you offer a better up to date tool for doing this?

Offline

 

#2 03-14-2018 10:34:45

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19512
Website

Re: Offline decryption

Changing the encryption key was not a good idea.  Change it back, please.  Then update the Yahoo! widget and enter the encryption key in the config file.


Nick Hendler

Offline

 

#3 03-14-2018 10:55:57

timberguy
Member
Registered: 01-14-2008
Posts: 140

Re: Offline decryption

As I posted, they have three stores. All different, but two use the same key, the third one needs to be the same as the first two other wise they have to keep changing the widget back and forth.

Why was  it not a good idea? it now works, as when tested, they tested it on a new computer that did not have the key set up in the widgit. when testing on the machine they usually use to decrypt, it now works.

Offline

 

#4 03-15-2018 07:49:11

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19512
Website

Re: Offline decryption

Why was  it not a good idea?

Every bit of data that gets encrypted by the software uses that key.  Which means you have data already in your system that used the old key.  Things like processing gateway passwords, realtime shipping access info, etc.  So you may have fixed your ability to decrypt this data, but this change basically made every bit of stored sensitive data in your install un-encryptable. 

Furthermore, I hope you are aware the processing method you're using is not recommended for use in any type of production environment at all.  So much so that it's been completely removed from K9.  We can't recommend strongly enough that you abandon this methodology for processing cards, and use a real processing gateway that provides your sites the security they require in this day and age, and that puts somebody else on the hook (the processor) in the event there's a security-related problem.


Nick Hendler

Offline

 

#5 03-15-2018 08:07:56

timberguy
Member
Registered: 01-14-2008
Posts: 140

Re: Offline decryption

Good info.   As for the other things that may have been encrypted, the software had never been used as a store just a website. It was just being opened up as a store so there was really no data yet to have been encrypted.  I'll confer with the site owner on your suggestions on not using this method any longer.

Offline

 

#6 03-15-2018 09:17:09

webmaster
Administrator
From: York, PA
Registered: 04-20-2001
Posts: 19512
Website

Re: Offline decryption

Very good.  Thanks for the post back.


Nick Hendler

Offline

 

Board footer