
As a non security expert, I'm looking for advice from those who are.

I work with company X who have hired company Y to develop their website. Company Y needs to integrate server-side online payment and has asked company X for the secret (private) key related to their payment account. Of course, secret keys are called that for good reason. So what is the "right" way to do this?

My dilemma is that either X shares the key with Y in as secure a way as possible (with the resultant risk that the secret key is somehow compromised)

OR

Y creates the payment account on X's behalf and integrates the secret key server-side so that no key sharing occurs but Y still has to hand over the payment account to X on completion - including account credentials - which carries the same risk of breach.

What am I missing please?

  • All payment platforms have testing environments where non-production private keys can be used. "Company Y" should not ask for their customer's private keys, but get its own private ones and do all the coding and testing. Once it is going to the production environment, the client (company X in your scenario) should install their private certificates and configure the banking-related data on the production server – bradbury9 Aug 06 '20 at 12:05
  • As a coder, I recently coded a service that used the client's private certificate to sign tax-related data. I did all the coding and testing with devel/testing certificates, and when going live I helped the client to install the certificate in the machine certificate store and to configure the service so it used that certificate. Not only can it be done, but it should be done. The client could provide testing keys to the developer company to help them, but once the real private key is shared, it should not be considered private anymore – bradbury9 Aug 06 '20 at 12:13
  • @bradbury9 thank you for responding. The issue is that the client is a small company with no technical expertise whatsoever. They are completely reliant on the developer to build and maintain the site. This must be a very common scenario and I'm sure there must be an acceptable solution but unfortunately, your suggestion - while valid - will not work for them. –  Aug 06 '20 at 12:15
  • @bradbury9 Following on from your second comment, I guess it's feasible for the developer to show the client how to configure the production site with the private key, assuming it's not too technical. But as the web developer will have access to the site on an ongoing basis for maintenance purposes, I'm not sure this achieves anything - and perhaps that answers my question. –  Aug 06 '20 at 12:18

1 Answer


Plenty of entities will commonly have access to the private key:

  • Hosting provider may read it at will.
  • Employees of company may read it.
  • Service provider who generated it may store a copy.

We handle this by legal agreements. We trust our hosting providers not to peek at it, because their business model is selling hosting (and implicitly trust), not stealing your private keys. In addition, there may be explicit NDAs and legal accountability.

We trust employees because of NDAs and a legal framework for holding them accountable.

You see a theme here? It's a private key for payment processing. If you don't trust whomever develops your e-commerce platform to handle this, you shouldn't trust them to develop your e-commerce platform either.

In fact, having competent people handle the key material may be more secure than attempting to instruct someone from Company X, who may not know about editors leaving a backup file behind - or transporting it over insecure channels - or all other kinds of mistakes.

Transfer the key to the developer in as secure a fashion as possible. This may be S/MIME-encrypted e-mail, PGP, or a 7-Zip archive with a complex password sent over a separate channel (SMS, phone call, mail etc.).

Develop a legal framework for holding Company Y accountable if they leak the key, and specify measures that they should take - such as limiting its availability to the minimal set of persons needed and so forth.

vidarlo
  • Thanks for your insight, vidarlo. While access to private keys should clearly be on a strictly as-needed basis, it's refreshing that you agree there are scenarios where it's essentially necessary to share with a trusted third party. Having researched my question fairly exhaustively before posting here, I was beginning to feel stupid as the consensus seems very much against this under any circumstances (e.g. https://security.stackexchange.com/questions/101560/how-to-securely-send-private-keys). I welcome further opinion, though. –  Aug 07 '20 at 15:49
  • It's worth noting what the key protects - and whom it is intended to protect against. Can you trust third parties not to screw you with regards to your credit card processor? If so, you can trust them with this key. Security is ultimately about managing trust, and cryptography provides means to enforce it in some scenarios - but not all. – vidarlo Aug 07 '20 at 19:44
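Once the key has been handed over and installed on the production server (the comments' "install the certificate and configure the service" step), the answer's warning about editors leaving backup files behind and about loose handling can be turned into a startup check. The following is an added example, not code from the question, the answer, or any payment provider: it assumes the secret is stored in a plain file whose path is known to the service, refuses to load it when the file is group/world-readable, and flags stray editor backup or swap copies beside it. The backup-suffix list is a constructed one for this example.

```python
import stat
from pathlib import Path

# Editor/backup suffixes that commonly leave a plaintext copy beside the original
# (constructed list for this example; extend it for your own tooling).
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".save", ".swp", ".swo")


def find_stray_copies(key_path):
    """Return paths of backup/swap files that would duplicate the key in plaintext."""
    key_path = Path(key_path)
    candidates = [key_path.with_name(key_path.name + s) for s in BACKUP_SUFFIXES]
    # vim-style hidden swap files: .payment.key.swp
    candidates += [key_path.with_name("." + key_path.name + s) for s in (".swp", ".swo")]
    return sorted(str(p) for p in candidates if p.exists())


def check_key_file(key_path):
    """Return a list of findings; an empty list means the file passed every check."""
    key_path = Path(key_path)
    if not key_path.is_file():
        return [f"missing: {key_path}"]
    findings = []
    mode = stat.S_IMODE(key_path.stat().st_mode)
    # Anything beyond owner read/write lets other accounts on the host read the secret.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"permissions {oct(mode)} allow group/other access; expected 0o600")
    for stray in find_stray_copies(key_path):
        findings.append(f"stray plaintext copy: {stray}")
    return findings


def load_payment_secret(key_path):
    """Load the secret only if every check passes; otherwise refuse to start with it."""
    problems = check_key_file(key_path)
    if problems:
        raise PermissionError("; ".join(problems))
    return Path(key_path).read_text().strip()


if __name__ == "__main__":
    import sys
    # Usage: python check_key.py /etc/shop/payment.key  (path is a placeholder)
    for finding in check_key_file(sys.argv[1]):
        print("WARNING:", finding)
```

The check belongs at service startup and in the deployment runbook the developer hands to the client, so that a permissions slip or a forgotten `payment.key~` is caught before the site takes live payments.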