WebApp Sec mailing list archives

Re: RDB-based secure data storage

From: "Calum Power" <enune () fribble net>
Date: Fri, 14 May 2004 15:19:26 +1000 (EST)

Excellent! That's Ivan, that's just the sort of thing I was looking for.

Got any idea if there's any libraries/implementations that I might be able
to use to get my head around implementing it myself?

Thanks again!

Cheers,

Calum

Calum Power wrote:

G'day webappsec,

I have been asked by my employer to design a system for storing
sensative
private data collected from the company's clients. They tell me that
this
data MUST be very secure, yet clients must be able to update the
information themselves via a Web-based interface.

My immediate reaction was to use something like GPG/PGP to encrypt the
data before storing it in a RDBMS like MySQL. However this then has the
additional problem of needing the user to edit the data.

My next thought would be to have each clients 'username' be a public GPG
key, and their 'password' be the passphrase to this private key. This of
course would not be overly secure, and the 'administrator' of this would
not be able to update the information without using the users' password.

So, I was just wondering if anyone had come across the same problem.
Perhaps there's a method of encryption that I'm overlooking.


   You can combine encryption methods to achieve the goal:

   1. Generate a private-public key pair for every user.

   2. For each piece of information you store, generate a new secret and
      use it to encrypt information (using symmetrical encryption for
      better performance).

   3. Never store the secret in plain text. Instead, create a copy of
      the secret for every user that has the right to access the
      information, and store the secret encrypting it with their
      public key. When a user want to access a piece of information,
      their private key will be used to decrypt the secret, and then
      the secret will be used to decrypt the actual data.

   4. It would be a good idea to have a special public-private
      key pair, to use it to encrypt all secrets that are generated,
      for backup purposes.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]

Current thread:

RDB-based secure data storage Calum Power (May 13)
- Re: RDB-based secure data storage Ivan Ristic (May 13)
  - Re: RDB-based secure data storage Calum Power (May 14)
    - Re: RDB-based secure data storage Ivan Ristic (May 14)
- <Possible follow-ups>
- RE: RDB-based secure data storage Klevitsky, Alexander (May 13)
- RE: RDB-based secure data storage Michael Silk (May 14)
- RE: RDB-based secure data storage Runion Mark A FGA DOIM WEBMASTER(ctr) (May 14)