Encrypting data in DB for web application (ideas needed)
Posted on 2007-04-06
I am looking at building an encrypted web app in PHP on OpenBSD using mysql for backend data storage.
What I need to review is data encryption between 2 users. where the data can't be unencrypted by anyone else and need to ensure everything is kept accessible to the 2 users from any system any where.
I am looking at using two-way encryption of course on this data and one way encryption on the users passwords, but my issue is what should I be looking at to encrypt the data and only allow the receiving user the ability to decrypt the data from the person that submitted it to them. I know public-private keys would work, but I can't store these in the db as a cracker could then pull those stored keys to decrypt, so I need to be a little creative on how I should handle that, maybe keep the keys from others encrypted using the one way encrypted password of the user? if that, then what if the user changes their password, they would then be unable to decrypt the key to decrypt the messages.
Please offer some suggestions, I have a few ideas, but others always allow for ideas you may have not thought out.