Encrypting data in DB for web application (ideas needed)

Hi All

I am looking at building an encrypted web app in PHP on OpenBSD using mysql for backend data storage.

What I need to review is data encryption between 2 users. where the data can't be unencrypted by anyone else and need to ensure everything is kept accessible to the 2 users from any system any where.

I am looking at using two-way encryption of course on this data and one way encryption on the users passwords, but my issue is what should I be looking at to encrypt the data and only allow the receiving user the ability to decrypt the data from the person that submitted it to them. I know public-private keys would work, but I can't store these in the db as a cracker could then pull those stored keys to decrypt, so I need to be a little creative on how I should handle that, maybe keep the keys from others encrypted using the one way encrypted password of the user? if that, then what if the user changes their password, they would then be unable to decrypt the key to decrypt the messages.

Please offer some suggestions, I have a few ideas, but others always allow for ideas you may have not thought out.

Thanks again

James
jamesmackinnonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Steve BinkCommented:
If your database is on the same box as the web server, you'll only have to worry about communication between the server and the client, where ever it may be.  SSL should take care of that.  You can purchase a valid signed certificate at a number of places, but you can also create you own self-signed cert.  Check here for details:

http://slacksite.com/apache/certificate.html

0
ahoffmannCommented:
let your user encrypt the data using GPG or alike, then you can store the encrypted data in the database and only the owner of the private key can decrypt it.
0
vjc2003Commented:
one suggestion:
After encrypting message with the key,
append the key used for encryp with message and store this concatenated string in DB
after one more round of encryption with a second key.
You will need to decrypt twice to get the data back and may have some performance issues.
I will recommended it only if data is very sensitive.
You will have to  store this second key in a secure place such as registry(sorry,am not much familiar with Linux).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jamesmackinnonAuthor Commented:
Hey all

256-Bit SSL will be used between client/Server, thats not the issue. The issue is the storing of the data in the DB as to keep it encrypted where not even myself as the administrator would have any possible way to decrypt / recover the users data. It is 100% their responsibility to ensure they don't loose their keys/passwords, if lost, good bye to data. The data being stored is from very sr. People and is of the utmost sensitive where it must never been hacked / read by anyone other then the intended parties.

The system would be a central communications system. Basically, users would go to my system ,create a message for someone else and submit it, the system will then go through a "visual" now encrypting data process (thus, performance/delay not an issue) and will then stored the encrypted data to the DB. it would then notify the receiving user of the message that an encrypted communication event is waiting for them and to please go to the ECS to read the message.

Thus, the message would be created by the sender and can go to more then 1 person (as like email) so each message would have to be encrypted using a key that the sender and receiver could use to encrypt and decrypt a message.

My problem at this point is how do I save this information, make it safe for the users while allowing them to use any PC anywhere (web based) to encrypt and decrypt the messages.

Its a creative project. I am thinking how VJC2003 says, but, the second can't be stored anywhere but in the DB.

I was thinking more on the lines of

all users have keys that are used to encrypt/decrypt messages with all other users on the system. This key is stored in an encrypts table and is encrypted with the users unencrypted one-way password, thus, only if they login with the correct password can it decrypt the encrypt key to decrypt the messages in the system.

I think if its done this way, no one could do anything with the messages unless they know the users password, which will require a min of 8 random chars that must be changed every x amount of day. on password change, it would re-encrypt their encrypts passwords to the new string.

This way, everything could stay on the 1 system and not be system dependant (client side) while allowing all of the control to be in the hands of the user.

What encryption should I be using to store this data in the DB and it has to be PHP or mysql ready (built in) and be of the highest possible level (remember performance is not a huge issue because I am delaying login / logout with a we are now encrypting or we are now decrypting process to allow for the high level of encryption)

Sorry I didn't highlight all of this earlier, just thought of most of it since creating this, maybe this will help with the feedback being given


James
0
ahoffmannCommented:
> What encryption should I be using to store this data in the DB and it has to be PHP or mysql ready ..
this way you need the private key of the sender which violates your requirements.

The sender has to encrypt the data herself on the client. Something like GPG as I already suggested
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.