Securing the Transaction Key when using SIM

turnipcyberveg — Sat, 10 Nov 2012 21:05:14 GMT

How should the transaction key be stored when implementing SIM in PHP on a LAMP server?

The code samples/SDK for the PHP solution has a placeholder for the transaction key right on the sim.php page, which I don't think is the most secure way to store the transaction key.

Should I keep the transaction key in my mysql database and if so, what's the right way to have it encrypted while stored in the database and then in plain text in a variable when used in the PHP code? I'm asking for the 'right way' because if this 'the'/'a' good way to store the transaction key, then there should be a recommended way to do it as I know I'm not smart enough to invent my own encryption scheme.

Perhaps I should store it in an encrypted file. If so, I again ask, what's the right way to manage the file so I can rely on trusted cryptographic methods?

Are there other options I'm not thinking of, or am I missing the point all together? I don't see anybody else asking this question so maybe I am missing something.

Thanks in advance!

Re: Securing the Transaction Key when using SIM

stymiee — Tue, 13 Nov 2012 13:38:02 GMT

Just store it outside of your web root. That's all you need to do.

topic Re: Securing the Transaction Key when using SIM in Integration and Testing

Securing the Transaction Key when using SIM

Re: Securing the Transaction Key when using SIM