Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Encrypting data in DB for web application (ideas needed)

Posted on 2007-04-06
5
Medium Priority
?
229 Views
Last Modified: 2013-12-12
Hi All

I am looking at building an encrypted web app in PHP on OpenBSD using mysql for backend data storage.

What I need to review is data encryption between 2 users. where the data can't be unencrypted by anyone else and need to ensure everything is kept accessible to the 2 users from any system any where.

I am looking at using two-way encryption of course on this data and one way encryption on the users passwords, but my issue is what should I be looking at to encrypt the data and only allow the receiving user the ability to decrypt the data from the person that submitted it to them. I know public-private keys would work, but I can't store these in the db as a cracker could then pull those stored keys to decrypt, so I need to be a little creative on how I should handle that, maybe keep the keys from others encrypted using the one way encrypted password of the user? if that, then what if the user changes their password, they would then be unable to decrypt the key to decrypt the messages.

Please offer some suggestions, I have a few ideas, but others always allow for ideas you may have not thought out.

Thanks again

James
0
Comment
Question by:jamesmackinnon
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 51

Expert Comment

by:Steve Bink
ID: 18868759
If your database is on the same box as the web server, you'll only have to worry about communication between the server and the client, where ever it may be.  SSL should take care of that.  You can purchase a valid signed certificate at a number of places, but you can also create you own self-signed cert.  Check here for details:

http://slacksite.com/apache/certificate.html

0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 18869441
let your user encrypt the data using GPG or alike, then you can store the encrypted data in the database and only the owner of the private key can decrypt it.
0
 
LVL 2

Accepted Solution

by:
vjc2003 earned 1500 total points
ID: 18869624
one suggestion:
After encrypting message with the key,
append the key used for encryp with message and store this concatenated string in DB
after one more round of encryption with a second key.
You will need to decrypt twice to get the data back and may have some performance issues.
I will recommended it only if data is very sensitive.
You will have to  store this second key in a secure place such as registry(sorry,am not much familiar with Linux).
0
 

Author Comment

by:jamesmackinnon
ID: 18869685
Hey all

256-Bit SSL will be used between client/Server, thats not the issue. The issue is the storing of the data in the DB as to keep it encrypted where not even myself as the administrator would have any possible way to decrypt / recover the users data. It is 100% their responsibility to ensure they don't loose their keys/passwords, if lost, good bye to data. The data being stored is from very sr. People and is of the utmost sensitive where it must never been hacked / read by anyone other then the intended parties.

The system would be a central communications system. Basically, users would go to my system ,create a message for someone else and submit it, the system will then go through a "visual" now encrypting data process (thus, performance/delay not an issue) and will then stored the encrypted data to the DB. it would then notify the receiving user of the message that an encrypted communication event is waiting for them and to please go to the ECS to read the message.

Thus, the message would be created by the sender and can go to more then 1 person (as like email) so each message would have to be encrypted using a key that the sender and receiver could use to encrypt and decrypt a message.

My problem at this point is how do I save this information, make it safe for the users while allowing them to use any PC anywhere (web based) to encrypt and decrypt the messages.

Its a creative project. I am thinking how VJC2003 says, but, the second can't be stored anywhere but in the DB.

I was thinking more on the lines of

all users have keys that are used to encrypt/decrypt messages with all other users on the system. This key is stored in an encrypts table and is encrypted with the users unencrypted one-way password, thus, only if they login with the correct password can it decrypt the encrypt key to decrypt the messages in the system.

I think if its done this way, no one could do anything with the messages unless they know the users password, which will require a min of 8 random chars that must be changed every x amount of day. on password change, it would re-encrypt their encrypts passwords to the new string.

This way, everything could stay on the 1 system and not be system dependant (client side) while allowing all of the control to be in the hands of the user.

What encryption should I be using to store this data in the DB and it has to be PHP or mysql ready (built in) and be of the highest possible level (remember performance is not a huge issue because I am delaying login / logout with a we are now encrypting or we are now decrypting process to allow for the high level of encryption)

Sorry I didn't highlight all of this earlier, just thought of most of it since creating this, maybe this will help with the feedback being given


James
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 18870000
> What encryption should I be using to store this data in the DB and it has to be PHP or mysql ready ..
this way you need the private key of the sender which violates your requirements.

The sender has to encrypt the data herself on the client. Something like GPG as I already suggested
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question