RE: RDB-based secure data storage

["Michael Silk" <silkm () hushmail com>]

Hi Calum,

 First, I think you need to ask some questions.

 1. Secure from who ?
 2. Secure from viewing, or secure from change, or both.

 Only after you have answered these questions can you solve your problem,
 and the solution will become easier :)

-- Michael

-----Original Message-----
From: Calum Power [mailto:enune () fribble net]
Sent: Thursday, 13 May 2004 4:03 PM
To: webappsec () securityfocus com
Subject: RDB-based secure data storage


G'day webappsec,

I have been asked by my employer to design a system for storing sensative
private data collected from the company's clients. They tell me that
this
data MUST be very secure, yet clients must be able to update the
information themselves via a Web-based interface.

My immediate reaction was to use something like GPG/PGP to encrypt the
data before storing it in a RDBMS like MySQL. However this then has the
additional problem of needing the user to edit the data.

My next thought would be to have each clients 'username' be a public
GPG
key, and their 'password' be the passphrase to this private key. This
of
course would not be overly secure, and the 'administrator' of this would
not be able to update the information without using the users' password.

So, I was just wondering if anyone had come across the same problem.
Perhaps there's a method of encryption that I'm overlooking.

Cheers,

Calum

--
Calum Power
Cultural Jammer
Security Enthusiast
Hopeless Cynic

enune () fribble net
http://www.fribble.net



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427