Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Has anyone worked with encrypting and storing sensitive information like addresses, DOBs, telephone numbers, CRBs etc (not CC info)? Just after best practices and ideas for this sort of thing, especially with regards to encryption SALT's and best ways to obtain them (obviously don't want to store it in php scripts etc).
Tar 
|
xa0s
Banned
Registered: 4th Mar 08
Location: Dartford, Kent Car: Turbo'd Fabia vRS
User status: Offline
|
Um only with passwords (one way encryption). I'd sooner make sure my box/code is secure in the first place. 
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote:
Originally posted by xa0s
Um only with passwords (one way encryption). I'd sooner make sure my box/code is secure in the first place.
Hashes
Box security is obviously important but i'm wanting to secure the stored data as CRB information is going to be stored and it's a bit of a grey area in terms of handling it digitally (CRB data is suppose to be under lock and key and no one can view the data unless authorised) - hence encryption.
|
xa0s
Banned
Registered: 4th Mar 08
Location: Dartford, Kent Car: Turbo'd Fabia vRS
User status: Offline
|
I'm interested in this, I've never done encryption before, not sure how much help we will get on here though.
|
Sam
Moderator
Premium Member
Registered: 24th Dec 99
Location: West Midlands
User status: Offline
|
Yes obviously make sure the physical server is secure, and that whatever web-based system you use is accessed entirely through SSL.
I use a variety of methods for any online applications I make, what language are you using, is it PHP?
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote:
Originally posted by Sam
Yes obviously make sure the physical server is secure, and that whatever web-based system you use is accessed entirely through SSL.
I use a variety of methods for any online applications I make, what language are you using, is it PHP?
Yup, PHP.
I've already spoken to the client about getting an SSL certificate, but they don't seem to be that interested  Primarily though i want to lock down the data (it doesn't have to be the whole DB, just certain tables) so other developers can't view it without access to the web-app as well as in the situation the box is compromised.
I'm also wonder what the best method is for obtaining the SALT for encryption as i don't want to be storing that in the PHP (zend is out etc). I'm guessing something obtained from user logged in is the best way, but not sure what.
|
ENB
Member
Registered: 24th Apr 06
User status: Offline
|
AES Encryption:
http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html
Also if you're client isn't going to bother with SSL (implying they're happy for the information to be transmitted as plain text) then I wouldn't really worry about encrypting the data in the database, as they clearly don't give a shit.
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote:
Originally posted by ENB
AES Encryption:
http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html
Also if you're client isn't going to bother with SSL (implying they're happy for the information to be transmitted as plain text) then I wouldn't really worry about encrypting the data in the database, as they clearly don't give a shit.
Cheers, been reading a fair amount into AES and MySQL. But as said, it's the SALT and AES password that i really want ideas/best practices for.
SSL only secures the comms between server and client, the actual data will still be unencrypted so it doesn't help if the box was compromised.
|
ENB
Member
Registered: 24th Apr 06
User status: Offline
|
quote:
Originally posted by Dom
quote:
Originally posted by ENB
AES Encryption:
http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html
Also if you're client isn't going to bother with SSL (implying they're happy for the information to be transmitted as plain text) then I wouldn't really worry about encrypting the data in the database, as they clearly don't give a shit.
SSL only secures the comms between server and client, the actual data will still be unencrypted so it doesn't help if the box was compromised.
Yea, I was just drawing the conclusion that if the client doesn't care about encrypting the communication they probably don't care about encrypting the data either.
I've personally never used the AES encryption (only MD5/SHA for password hashing) but I would imagine storing your salt in a separate (none web accessible) file and securing your server (you could detect a break in and destroy the file in that case).
Taking something from the user for the salt is a nice idea the problem is you couldn't rely on anything automated (browser, cookies, etc) to be the same each time. Though I suppose you could use a user defined password/phrase or something like that.
|
