Re: [PHP] Advice with encrypting+storing sensitive data
Would you teach me how to set up OpenSSL and the engine for the Apache web server in order to achieve 128-bit SSL protection? Actually, I have tried so many times but still failed to do so... First of all, errors occurred when I compiled the OpenSSL engine; it seemed to be looking for the wrong file paths itself, however, I don't know how to correct it... Would you like to help me please? Thanks a lot.

Bahwi [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> That's a big question. The most secure way, using either mcrypt or PGP, is to have an application on the client's side that does the encryption and the decryption. This is probably the best solution. Heavily encrypt things on both sides, and this assumes the client side is secure. Barring this, you're going to have holes no matter what. Especially with man in the middle attacks (MITM). Use SSL, 128-bit SSL. This will help the most.
> The next best thing is to store it in session variables, but build your own system perhaps, and yes, encrypt it lightly with some system and a system passphrase. Clean up the sessions as soon as possible. And store a bunch of other data in there. Perhaps store the passphrase as the variable 'Height' or 'Bytes' or something, and store 'Password' 'Passphrase' with dummy data. Not too much, you want to throw the person off as much as possible. Then, you need to obfuscate or preferably, encode your script so no one can figure out your scheme. Hope this helps some.
> --Joseph Guhlin http://www.josephguhlin.com/ Web Programmer / Unix Consultant / PHP Programmer

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Advice with encrypting+storing sensitive data
Sorry, OpenSSL is part of the base system in FreeBSD, so I didn't have to set it up myself. You can check www.openssl.org and www.apache.org. You still have to buy a cert though. For that, try: www.verisign.com and www.instantssl.com (seems a lot cheaper, no experience with them however). But chances are your best bet will be to just get a web host with SSL support already and buy the cert. That way, if there are errors with OpenSSL you don't have to fix them, someone else does. As far as anything else, see my sig; I gotta charge for Unix work so I can make the bills. That should help though.

--Joseph Guhlin http://www.josephguhlin.com/ Web Programmer / Unix Consultant / PHP Programmer
Re: [PHP] Advice with encrypting+storing sensitive data
Thanks Bahwi, I agree with you regarding the client-side aspect. But since we are talking about a regular web-based application in PHP, I think I will have to deal with that. The other security concerns are already addressed, such as the use of SSL to encrypt the traffic and possibly the use of an encoder to hide the source code. I do not think I understood your idea:

> The next best thing is to store it in session variables, but build your own system perhaps, and yes, encrypt it lightly with some system and a system passphrase
Re: [PHP] Advice with encrypting+storing sensitive data
Sorry, it was late at night. I'm glad you have the SSL and everything else already taken care of. What I meant was for you to build your own session system, so that it is secure, instead of using PHP's built-in session system. Someone once said that it has a 1% chance of cleaning up the sessions, and that would be the secure data (the passphrase, even if encrypted) on the system. If you build your own, you can change that 1%. There may be another way. Also, if you build it yourself, you will understand exactly what happens and will be able to hide the data perhaps a bit more than the regular sessions. I hope this makes more sense. If not, tell me and I'll try to explain it again. Sorry! =)

Robert Mena wrote:
> I do not think I understood your idea:
> The next best thing is to store it in session variables, but build your own system perhaps, and yes, encrypt it lightly with some system and a system passphrase

--Joseph Guhlin http://www.josephguhlin.com/ Web Programmer / Unix Consultant / PHP Programmer
[PHP] Advice with encrypting+storing sensitive data
Hi, I need to develop an application where the protection of the data (to be stored in a database) is very important (perhaps the principal requirement). The goal is to have the data stored in a way that even the admin or anyone who hacks the web and/or database server could not (or not easily) recover the original data. First of all, I am not a security expert and the protection need not be military-grade, just strong enough to make things harder. I would like to share a couple of ideas, but I am mostly interested in PHPers' experiences and opinions.

1) Use mcrypt. The user would have to create a phrase and all sensitive data would be stored using this phrase. Since the phrase will not be hardcoded in the PHP scripts, even if the web server is hacked it will not be recovered. For each row I would store the encrypted value and the initialization vector. In order to recover the value at the beginning of the session (when the user logs in) I could store the phrase as a session variable (encrypted with mcrypt and a system phrase?). If the user decides to change the phrase, a big update of all encrypted rows/fields would be necessary.

2) Use PGP. Basically the same idea but a different encryption tool/scheme. Not sure how to implement it or if there is any gain.

Well, any tips/suggestions/opinions are welcome.
Re: [PHP] Advice with encrypting+storing sensitive data
That's a big question. The most secure way, using either mcrypt or PGP, is to have an application on the client's side that does the encryption and the decryption. This is probably the best solution. Heavily encrypt things on both sides, and this assumes the client side is secure. Barring this, you're going to have holes no matter what. Especially with man in the middle attacks (MITM). Use SSL, 128-bit SSL. This will help the most.

The next best thing is to store it in session variables, but build your own system perhaps, and yes, encrypt it lightly with some system and a system passphrase. Clean up the sessions as soon as possible. And store a bunch of other data in there. Perhaps store the passphrase as the variable 'Height' or 'Bytes' or something, and store 'Password' 'Passphrase' with dummy data. Not too much, you want to throw the person off as much as possible. Then, you need to obfuscate or preferably, encode your script so no one can figure out your scheme. Hope this helps some.

--Joseph Guhlin http://www.josephguhlin.com/ Web Programmer / Unix Consultant / PHP Programmer
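The scheme from the original post (a per-user passphrase, an IV stored with every encrypted row, the secret kept in the session under a system passphrase) and the session-cleanup advice in the replies, worked through in PHP as an added example that is not code from anyone in this thread. Two things are swapped in and named as such: libsodium (PHP 7.2+) takes the place of mcrypt, which was removed from PHP in 7.2, and the passphrase-derived key wraps a random data-encryption key (DEK) rather than encrypting rows directly, so a passphrase change rewraps one blob instead of forcing the big update the post worries about. The SESSION_KEY environment variable, the function names and the sample card number are assumptions for the example.

```php
<?php
// Added example, not code from this thread: the original post's scheme with
// libsodium in place of mcrypt (removed in PHP 7.2) and a random data key (DEK)
// wrapped under the passphrase-derived key, so a passphrase change rewraps one
// blob instead of rewriting every row. Needs PHP 7.2+ with ext/sodium.
declare(strict_types=1);

// Argon2id KDF: passphrase + stored salt -> key-encryption key (KEK).
// Neither the KEK nor the passphrase is ever written to the database.
function deriveKek(string $passphrase, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $passphrase, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Authenticated encryption; a fresh random nonce is prepended to the box.
function sealBox(string $plain, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
}

// Returns null when the key is wrong or the blob was modified (MAC failure).
function openBox(string $blob, string $key): ?string {
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) return null;
    $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    return $plain === false ? null : $plain;
}

// Account creation: store 'salt' and 'wrapped_dek' with the user record.
function createUserKeys(string $passphrase): array {
    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $kek  = deriveKek($passphrase, $salt);
    $dek  = sodium_crypto_secretbox_keygen();
    $wrapped = sealBox($dek, $kek);
    sodium_memzero($kek);
    return ['salt' => $salt, 'wrapped_dek' => $wrapped, 'dek' => $dek];
}

// Login: a wrong passphrase gives a wrong KEK and the unwrap fails cleanly.
function unwrapDek(string $passphrase, string $salt, string $wrapped): ?string {
    $kek = deriveKek($passphrase, $salt);
    $dek = openBox($wrapped, $kek);
    sodium_memzero($kek);
    return $dek;
}

// Passphrase change: rewrap the same DEK; the encrypted rows are untouched.
function rewrapDek(string $dek, string $newPassphrase): array {
    $salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $kek  = deriveKek($newPassphrase, $salt);
    $wrapped = sealBox($dek, $kek);
    sodium_memzero($kek);
    return ['salt' => $salt, 'wrapped_dek' => $wrapped];
}

// Per-row field encryption: the nonce travels with the ciphertext (the post's
// "store the IV with each row"); base64 so the blob fits a text column.
function encryptField(string $value, string $dek): string {
    return base64_encode(sealBox($value, $dek));
}
function decryptField(string $stored, string $dek): ?string {
    $blob = base64_decode($stored, true);
    return $blob === false ? null : openBox($blob, $dek);
}

// Session handling (the "encrypt it with a system passphrase" advice): the DEK
// is sealed under a server-side key kept outside the web root and the database,
// so a copied session file alone does not reveal it. Assumption: the key is a
// base64-encoded 32-byte value in the SESSION_KEY environment variable.
function sessionKey(): string {
    $key = base64_decode((string) getenv('SESSION_KEY'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('SESSION_KEY must be a base64 32-byte key');
    }
    return $key;
}
function storeDekInSession(string $dek): void {
    $_SESSION['dek'] = sealBox($dek, sessionKey());
}
function dekFromSession(): ?string {
    return isset($_SESSION['dek']) ? openBox($_SESSION['dek'], sessionKey()) : null;
}
// Logout: remove the sealed DEK yourself instead of waiting for session GC.
function endSession(): void {
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}

// Self-check on constructed data: php this_file.php
if (PHP_SAPI === 'cli') {
    $keys = createUserKeys('correct horse');
    $row  = encryptField('4111 1111 1111 1111', $keys['dek']);
    assert(decryptField($row, $keys['dek']) === '4111 1111 1111 1111');
    assert(unwrapDek('wrong passphrase', $keys['salt'], $keys['wrapped_dek']) === null);
    $new  = rewrapDek($keys['dek'], 'battery staple');
    $dek2 = unwrapDek('battery staple', $new['salt'], $new['wrapped_dek']);
    assert($dek2 !== null && decryptField($row, $dek2) === '4111 1111 1111 1111');
    echo "ok\n";
}
```

The point the thread circles around still holds with this code: while the user is logged in, PHP's session store keeps the sealed DEK on disk, and with the default session.gc_probability=1 and session.gc_divisor=100 (the "1%" in the reply) an abandoned session can outlive session.gc_maxlifetime for a long time. Lower gc_maxlifetime, raise gc_probability or run a cron that deletes old session files, and call endSession() on logout rather than relying on garbage collection. The server-side SESSION_KEY is what stands between a session-file copy and the DEK, so it belongs in the environment or a root-owned file, never in the web root or the database.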