I'm currently looking at 3.20, so pardon me if these have been fixed in 3.30. However, I've identified several issues with the EncryptionService.EncryptText method which essentially make it useless at encryption:


1. The default key that is randomly-generated only has about 50 bits of entropy (16 characters with possible values of 0-9)

2. The encryption key is stored in the database (If an attacker can get the encrypted credit cards out of the database, what stops them from getting the encryption key?)  It should be moved to a config file or somewhere else.

3. The IV is the same for each encryption.  The IV should be randomly-generated and stored with the encrypted data.

4. Why are we using TripleDES?  It's not necessarily a security issue--it's not broken that I know of--but it still makes me, and plenty of other people, uneasy.  Switch to AES.


I can provide more details on why these are issues if requested.  Or is the general feeling that nopCommerce doesn't care because we shouldn't be storing credit cards in the database anyway?  If so, maybe we should remove the functionality to store credit cards if we're not going to fix the above security issues.

Thanks,
Kevin
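
As an added example (not part of the original post and not nopCommerce's own code), here is one way points 1, 3 and 4 could look in C#: a 256-bit key from the OS random number generator, AES instead of TripleDES, and a fresh random IV stored in front of each ciphertext. The class and method names are hypothetical, and the key is assumed to be loaded by the caller from somewhere outside the database, as point 2 asks.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: hypothetical helper, not nopCommerce's EncryptionService.
// CBC alone gives no integrity; an HMAC over IV + ciphertext is assumed to be added separately.
public static class CardFieldCrypto
{
    // 256-bit key from the OS CSPRNG, instead of 16 random decimal digits.
    public static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    // Stored value layout: 16-byte random IV || AES-CBC ciphertext, Base64-encoded.
    public static string Encrypt(string plainText, byte[] key)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV(); // fresh IV for every call
            using (var enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plainText);
                byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                var blob = new byte[aes.IV.Length + ct.Length];
                Buffer.BlockCopy(aes.IV, 0, blob, 0, aes.IV.Length);
                Buffer.BlockCopy(ct, 0, blob, aes.IV.Length, ct.Length);
                return Convert.ToBase64String(blob);
            }
        }
    }

    public static string Decrypt(string stored, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(stored);
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            var iv = new byte[16]; // the IV travels with the data, it is not a secret
            Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length));
        }
    }
}
```

Because the IV is generated per call, encrypting the same card number twice yields two different stored values, so identical plaintexts can no longer be spotted by comparing ciphertexts.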