Corsa Sport » Message Board » Off Day » Geek Day » MySQL Encryption and Storing Sensitive Information
Dom (Member), 9th Nov 10 at 00:39:

Has anyone worked with encrypting and storing sensitive information like addresses, DOBs, telephone numbers, CRBs etc. (not CC info)? Just after best practices and ideas for this sort of thing, especially with regards to encryption salts and the best ways to obtain them (obviously don't want to store them in PHP scripts etc.).

Tar
xa0s (Banned), 9th Nov 10 at 02:44:

Um only with passwords (one way encryption). I'd sooner make sure my box/code is secure in the first place.
Dom (Member), 9th Nov 10 at 03:57:

quote:
Originally posted by xa0s
Um only with passwords (one way encryption). I'd sooner make sure my box/code is secure in the first place.

Hashes

Box security is obviously important, but I'm wanting to secure the stored data, as CRB information is going to be stored and it's a bit of a grey area in terms of handling it digitally (CRB data is supposed to be under lock and key and no one can view the data unless authorised) - hence encryption.
xa0s (Banned), 9th Nov 10 at 06:25:

I'm interested in this, I've never done encryption before, not sure how much help we will get on here though.
Sam (Moderator, Premium Member), 9th Nov 10 at 08:53:

Yes, obviously make sure the physical server is secure, and that whatever web-based system you use is accessed entirely through SSL.

I use a variety of methods for any online applications I make, what language are you using, is it PHP?
Dom (Member), 9th Nov 10 at 12:38:

quote:
Originally posted by Sam
Yes, obviously make sure the physical server is secure, and that whatever web-based system you use is accessed entirely through SSL.

I use a variety of methods for any online applications I make, what language are you using, is it PHP?

Yup, PHP.
I've already spoken to the client about getting an SSL certificate, but they don't seem to be that interested. Primarily though I want to lock down the data (it doesn't have to be the whole DB, just certain tables) so other developers can't view it without access to the web-app, as well as in the situation where the box is compromised.
I'm also wondering what the best method is for obtaining the salt for encryption, as I don't want to be storing that in the PHP (Zend is out etc.). I'm guessing something obtained from the logged-in user is the best way, but not sure what.
ENB (Member), 9th Nov 10 at 12:45:

AES Encryption:

http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html

Also, if your client isn't going to bother with SSL (implying they're happy for the information to be transmitted as plain text) then I wouldn't really worry about encrypting the data in the database, as they clearly don't give a shit.
Dom (Member), 9th Nov 10 at 14:41:

quote:
Originally posted by ENB
AES Encryption:

http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html

Also, if your client isn't going to bother with SSL (implying they're happy for the information to be transmitted as plain text) then I wouldn't really worry about encrypting the data in the database, as they clearly don't give a shit.

Cheers, been reading a fair amount into AES and MySQL. But as said, it's the salt and AES password that I really want ideas/best practices for.

SSL only secures the comms between server and client; the actual data will still be unencrypted, so it doesn't help if the box was compromised.

ENB (Member), 10th Nov 10 at 12:56:

quote:
Originally posted by Dom
quote:
Originally posted by ENB
AES Encryption:

http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html

Also, if your client isn't going to bother with SSL (implying they're happy for the information to be transmitted as plain text) then I wouldn't really worry about encrypting the data in the database, as they clearly don't give a shit.

SSL only secures the comms between server and client; the actual data will still be unencrypted, so it doesn't help if the box was compromised.

Yea, I was just drawing the conclusion that if the client doesn't care about encrypting the communication they probably don't care about encrypting the data either.

I've personally never used the AES encryption (only MD5/SHA for password hashing), but I would imagine storing your salt in a separate (non-web-accessible) file and securing your server (you could detect a break-in and destroy the file in that case).

Taking something from the user for the salt is a nice idea; the problem is you couldn't rely on anything automated (browser, cookies, etc.) to be the same each time. Though I suppose you could use a user-defined password/phrase or something like that.
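Pulling together ENB's two suggestions (the MySQL AES functions and keeping the key in a file outside the web root) and Dom's salt question, here is an added example that is not code from the thread: application-side AES-256-GCM field encryption in PHP, with a fresh random nonce per row instead of a user-derived "salt". The key file path, the `applicants` table and the open `$pdo` connection are assumptions.

```php
<?php
// Added example, not code from the thread. Encrypt the sensitive fields in PHP so the
// key never goes to MySQL inside a query (with AES_ENCRYPT(col, 'key') the key is part
// of the statement text, so the general query log can record it). Assumes PHP 7.1+
// (AES-256-GCM in openssl_encrypt) and a hypothetical key file outside the web root.

const KEY_FILE = '/etc/myapp/field.key'; // hypothetical path; 32 raw bytes from /dev/urandom

function loadKey(): string {
    $key = file_get_contents(KEY_FILE);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('field encryption key missing or wrong length');
    }
    return $key;
}

// Each row gets a fresh random 12-byte nonce (the "salt" asked about in the thread).
// The nonce is not secret and is stored with the ciphertext; only the key is secret.
function encryptField(string $plaintext, string $key): string {
    $nonce = random_bytes(12);
    $tag = '';
    $cipher = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($cipher === false) {
        throw new RuntimeException('encryption failed');
    }
    // nonce || tag || ciphertext, base64 so it fits a VARCHAR/TEXT column
    return base64_encode($nonce . $tag . $cipher);
}

function decryptField(string $stored, string $key): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('stored value is malformed');
    }
    $nonce  = substr($raw, 0, 12);
    $tag    = substr($raw, 12, 16);
    $cipher = substr($raw, 28);
    $plain = openssl_decrypt($cipher, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($plain === false) {
        // GCM tag check failed: wrong key, or the row was altered in the database
        throw new RuntimeException('decryption failed: wrong key or modified data');
    }
    return $plain;
}

// With PDO ($pdo assumed to be an open connection): MySQL only ever sees ciphertext.
$key  = loadKey();
$stmt = $pdo->prepare('INSERT INTO applicants (name, crb_number) VALUES (?, ?)');
$stmt->execute(['A. Example', encryptField('CRB-0000000000', $key)]);
echo decryptField($pdo->query('SELECT crb_number FROM applicants LIMIT 1')->fetchColumn(), $key), PHP_EOL;
```

A key file on the same box protects the data from anyone who can read the database, its dumps or backups (the "other developers" case), not from a full compromise of the web server, where the key is readable too. For that the key has to live elsewhere, such as a separate host or an HSM/KMS, and access to it should be logged.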

 