Solved

Encrypting data in DB for web application (ideas needed)

Posted on 2007-04-06
5
216 Views
Last Modified: 2013-12-12
Hi All

I am looking at building an encrypted web app in PHP on OpenBSD using mysql for backend data storage.

What I need to review is data encryption between 2 users. where the data can't be unencrypted by anyone else and need to ensure everything is kept accessible to the 2 users from any system any where.

I am looking at using two-way encryption of course on this data and one way encryption on the users passwords, but my issue is what should I be looking at to encrypt the data and only allow the receiving user the ability to decrypt the data from the person that submitted it to them. I know public-private keys would work, but I can't store these in the db as a cracker could then pull those stored keys to decrypt, so I need to be a little creative on how I should handle that, maybe keep the keys from others encrypted using the one way encrypted password of the user? if that, then what if the user changes their password, they would then be unable to decrypt the key to decrypt the messages.

Please offer some suggestions, I have a few ideas, but others always allow for ideas you may have not thought out.

Thanks again

James
0
Comment
Question by:jamesmackinnon
5 Comments
 
LVL 50

Expert Comment

by:Steve Bink
Comment Utility
If your database is on the same box as the web server, you'll only have to worry about communication between the server and the client, where ever it may be.  SSL should take care of that.  You can purchase a valid signed certificate at a number of places, but you can also create you own self-signed cert.  Check here for details:

http://slacksite.com/apache/certificate.html

0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
let your user encrypt the data using GPG or alike, then you can store the encrypted data in the database and only the owner of the private key can decrypt it.
0
 
LVL 2

Accepted Solution

by:
vjc2003 earned 500 total points
Comment Utility
one suggestion:
After encrypting message with the key,
append the key used for encryp with message and store this concatenated string in DB
after one more round of encryption with a second key.
You will need to decrypt twice to get the data back and may have some performance issues.
I will recommended it only if data is very sensitive.
You will have to  store this second key in a secure place such as registry(sorry,am not much familiar with Linux).
0
 

Author Comment

by:jamesmackinnon
Comment Utility
Hey all

256-Bit SSL will be used between client/Server, thats not the issue. The issue is the storing of the data in the DB as to keep it encrypted where not even myself as the administrator would have any possible way to decrypt / recover the users data. It is 100% their responsibility to ensure they don't loose their keys/passwords, if lost, good bye to data. The data being stored is from very sr. People and is of the utmost sensitive where it must never been hacked / read by anyone other then the intended parties.

The system would be a central communications system. Basically, users would go to my system ,create a message for someone else and submit it, the system will then go through a "visual" now encrypting data process (thus, performance/delay not an issue) and will then stored the encrypted data to the DB. it would then notify the receiving user of the message that an encrypted communication event is waiting for them and to please go to the ECS to read the message.

Thus, the message would be created by the sender and can go to more then 1 person (as like email) so each message would have to be encrypted using a key that the sender and receiver could use to encrypt and decrypt a message.

My problem at this point is how do I save this information, make it safe for the users while allowing them to use any PC anywhere (web based) to encrypt and decrypt the messages.

Its a creative project. I am thinking how VJC2003 says, but, the second can't be stored anywhere but in the DB.

I was thinking more on the lines of

all users have keys that are used to encrypt/decrypt messages with all other users on the system. This key is stored in an encrypts table and is encrypted with the users unencrypted one-way password, thus, only if they login with the correct password can it decrypt the encrypt key to decrypt the messages in the system.

I think if its done this way, no one could do anything with the messages unless they know the users password, which will require a min of 8 random chars that must be changed every x amount of day. on password change, it would re-encrypt their encrypts passwords to the new string.

This way, everything could stay on the 1 system and not be system dependant (client side) while allowing all of the control to be in the hands of the user.

What encryption should I be using to store this data in the DB and it has to be PHP or mysql ready (built in) and be of the highest possible level (remember performance is not a huge issue because I am delaying login / logout with a we are now encrypting or we are now decrypting process to allow for the high level of encryption)

Sorry I didn't highlight all of this earlier, just thought of most of it since creating this, maybe this will help with the feedback being given


James
0
 
LVL 51

Expert Comment

by:ahoffmann
Comment Utility
> What encryption should I be using to store this data in the DB and it has to be PHP or mysql ready ..
this way you need the private key of the sender which violates your requirements.

The sender has to encrypt the data herself on the client. Something like GPG as I already suggested
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now