I am trying to make it so that on my project a user who enters a credit card number will have that information encrypted. I am not, however, very familiar with data encryption and public and private keys, so I am not sure on how this data will be stores, whether it will be data stored on the server in a table or whether it will be stored elsewhere, such as the users computer?
How it get's stored is ou to your application. There are really at least two security aspects here:
1) How to let the user send sensitive information to the server without risking third parties from getting that information as it passes over the 'internets'. The answer here is https which is the encrypted form of http. Public key encryption is used to encrypt the http traffic between client and server. The Net::Https in the standard ruby library supports this. There's a brief discussion of how to use https with rails in AWDWR 2nd ed starting on page 612.
2) How to secure such sensitive data on the server. IANAL, but I believe that there are potential legal liabilities if you store CC information and it gets compromised. One approach is not to sore the data, but pass it off to a CC processing service such as PayPal, Amazon FPS (when it goes production), or the like. If you want to store it then you should consider storing it in encrypted form on a server. It's not well documented but I ruby ssl/https code supports internal encryption/decryption, see: http://blog.leetsoft.com/2006/03/14/simple-encryption. As this post points out, you still need to be concerned about compromise of the private key protecting this data. For real security, best practice is to store the data on a separate server behind a firewall which keeps the private key, and have the internet facing server communicate with this server using it's 'public' key over an intranet or VPS.
I was just wondering, 1) does ruby support data
encryption for public and private keys and could someone point me to some good references, and 2) are there any good references out there for how this all works. I understand the concept of public and private keys, just not how the encrption part is working if you need to store data on the users machine, as far as private keys. Or, if someone has done encryption for sensitive data user other methods I would like to hear about those too. Thanks for any and all help,
For general enlightenment on public/private key usage, you might try googling for pgp (or "Pretty good privacy") which should give you what you are looking for.
