[PHP-DB] Security question [was Searchable/Sortable Database Fields with MySQL/PHP]
This is an issue I've been thinking about for an application we are developing. Is it worth encrypting data on the database tables when anyone who can access the application itself - or better still the server - could readily access the encrypted data? Assuming SSL connections, secure server, etc., would you also encrypt on the DB?

Thanks,
Jeffrey

Micah Stevens wrote:

> Oh! Also, there are built-in MySQL functions for encryption, I forgot about that, so you can still search, like this:
>
>     insert into `table` set name_field = AES_ENCRYPT('Some name', 'secret key');
>     select * from `table` where AES_DECRYPT(name_field, 'secret key') LIKE '%some';
>
> Make sense? You'll want an SSL connection to the database of course, and anyone that has any decent access to the server memory would be able to get the encryption key, but if you're careful it would work.
>
> -Micah
>
> On Tuesday 12 July 2005 2:53 pm, Micah Stevens wrote:
>
>> Just do all your searching/sorting in PHP.. it would be slower, and if your dataset is very large (sounds like it might be the case) it would be impossible.. So that might be out of the question..
>>
>> A bit of system engineering might find a solution too, consider which fields you need to search/sort by, and by possibly limiting those somewhat to just what is absolutely necessary, you might be able to get by not encrypting those columns.
>>
>> Another idea would be to provide hinting columns, essentially providing just enough data in those columns to be able to sort with, but not enough to give away the data. i.e. just the first 2 characters of each name. This would allow you to search and get a smaller dataset from the database, something you could decrypt in PHP, and then search further, possibly making it manageable.
>>
>> Hope that helps,
>> -Micah
>>
>> On Tuesday 12 July 2005 2:36 pm, Matt McNeil wrote:
>>
>>> Greetings,
>>>
>>> I need to securely store lots of sensitive contact information and notes in a (MySQL or other freely available) database that will be stored on a database server which I do not have direct access to. This database will be accessed by a PHP application that I am developing. However, I also need to be able to search/sort these data with the database functions (SELECT, ORDER BY, etc) so simple PASSWORD style encryption of specific fields would not work. (For example, I need to encrypt contacts' names, but need to be able to sort results by name). (I realize I could load the entire table into memory with PHP and process/search/sort it there, but that's obviously not a very good solution). Ideally I would like to encrypt entire tables.
>>>
>>> An encrypted file system is not really an option, because the goal is to prevent loss if the database server is hacked (in addition, I wouldn't be able to install an encrypted file system on the database server).
>>>
>>> My sense is that this is a difficult problem. However, I made the mistake of promising this functionality, so I'm scrambling to figure out some kind of solution. Any suggestions?
>>>
>>> Thanks so much!
>>> Matt

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
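The two-stage "hinting column" search that Micah describes above, as an added example that is not code from the thread: the database narrows rows on a two-character cleartext hint (what a WHERE clause on the hint column would do), and only that small subset is decrypted, matched and sorted in the application. An in-memory list stands in for the MySQL table, and encrypt()/decrypt() are a constructed HMAC-SHA256 counter-mode stand-in for AES_ENCRYPT/AES_DECRYPT (or a real AES library in PHP); the key is a placeholder.

```python
# Added example (not from the thread): Micah's "hinting column" design in Python.
# An in-memory list stands in for the MySQL table; encrypt()/decrypt() are a
# constructed HMAC-SHA256 counter-mode stand-in for AES_ENCRYPT/AES_DECRYPT.
import hashlib
import hmac
import os

KEY = hashlib.sha256(b"constructed-demo-key").digest()  # placeholder key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: str) -> bytes:
    nonce = os.urandom(16)  # fresh per row: equal names must not give equal ciphertext
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def hint(name: str) -> str:
    # The hinting column: only the first two characters are stored in clear.
    return name.lower()[:2]


def insert(table: list, name: str) -> None:
    table.append({"name_hint": hint(name), "name_enc": encrypt(KEY, name)})


def search(table: list, prefix: str) -> list:
    # Stage 1, what "WHERE name_hint LIKE 'ma%'" would do inside MySQL.
    want = prefix.lower()[:2]
    candidates = [r for r in table if r["name_hint"].startswith(want)]
    # Stage 2, in the application: decrypt only that subset, finish the match, sort.
    names = [decrypt(KEY, r["name_enc"]) for r in candidates]
    return sorted(n for n in names if n.lower().startswith(prefix.lower()))


CONTACTS: list = []  # constructed sample rows standing in for the contacts table
for n in ["Matt McNeil", "Micah Stevens", "Martin Fowler", "Jeffrey", "Mia Wong"]:
    insert(CONTACTS, n)
```

The hint only serves prefix matches and prefix ordering, so a suffix search like the LIKE '%some' above still forces a decrypt of every row; and the hint column itself discloses the first two characters of every name, which is the trade-off Micah points at.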
Re: [PHP-DB] Security question [was Searchable/Sortable Database Fields with MySQL/PHP]
Assuming they have access to the PHP files, all decoding keys would be available there, so while encrypting the database would definitely slow up the attacker, it would only do so until they discovered the decoding method. Any experienced hacker would find this in no time. If you pre-compile the PHP code so that the decoding keys are not as readily available, this would help greatly.

Sounds like your major issue is server security here, and not data security? Shouldn't you concentrate on keeping them out of the server in the first place? If that's accomplished, and you don't have network ports open to the MySQL server, and your scripts use encoding/decoding keys that are defined in locations not available to HTTP, you should be in pretty good shape.

Just seems like you're trying to fight the wrong battle here. Although this should be considered too. If you're only responsible for this second line of defense, then I think this is about all you can do with the available technology that you mention. I haven't researched this much though, so perhaps someone else on the list can offer better suggestions.

-Micah

On Wednesday 13 July 2005 2:50 am, Jeffrey wrote:

> This is an issue I've been thinking about for an application we are developing. Is it worth encrypting data on the database tables when anyone who can access the application itself - or better still the server - could readily access the encrypted data? Assuming SSL connections, secure server, etc., would you also encrypt on the DB?
>
> Thanks,
> Jeffrey
RE: [PHP-DB] Security Question
Hi

The page/form will be requested over a non secure connection. When the form is submitted the browser establishes a secure connection to the server and then sends the data, so the data is sent securely.

Peter

-Original Message-
From: Micah Stevens [mailto:[EMAIL PROTECTED]
Sent: 17 January 2005 03:47
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Security Question

> But what I'm saying is that if you're submitting a form from an unsecured page, to a script on a secure server, the data will still be encrypted. Anyone know this for sure to be correct? It sure makes sense this way.
[PHP-DB] Security Question
Hi everyone,

I have a security question, I want to see if I am right or wrong. I have programmed a system with PHP and MySQL, the main system resides on a secure server, but the client wants the login page on a NON-Secure server for marketing purposes. Am I the only one who thinks this is a major security concern?

Chris
Re: [PHP-DB] Security Question
If it submits to a secure server the form data will be encrypted before transmission I believe. At least that's my understanding, and that seems to be how ebay does it for example. Once you log-in, it submits to a secure page.

-Micah

On Sunday 16 January 2005 06:38 pm, Chris Payne wrote:

> Hi everyone,
>
> I have a security question, I want to see if I am right or wrong. I have programmed a system with PHP and MySQL, the main system resides on a secure server, but the client wants the login page on a NON-Secure server for marketing purposes. Am I the only one who thinks this is a major security concern?
>
> Chris
RE: [PHP-DB] Security Question
Hi

It is better from a security point of view to have a secure login. The secure server encrypts the data between the browser and the server, making it impossible to read on its journey from you to the server.

However whether it is a major security problem is another question. To view the traffic somebody must have access to the servers that route your request, which isn't easy. They then have to spot your traffic amongst all the other web traffic. If it is the login for your Swiss bank account where you hid the million you made without declaring tax then it should be secure - no question. On the other hand if it is just to login to see when your books will be delivered, with no sensitive financial information then the risk is smaller and it is unlikely that anyone is trying too hard to get your login, so an insecure login carries less risk.

You could always host the login page on a non secure server but post the form to a secure server.

Peter

-Original Message-
From: Micah Stevens [mailto:[EMAIL PROTECTED]
Sent: 17 January 2005 02:46
To: php-db@lists.php.net
Subject: Re: [PHP-DB] Security Question

> If it submits to a secure server the form data will be encrypted before transmission I believe. At least that's my understanding, and that seems to be how ebay does it for example. Once you log-in, it submits to a secure page.
>
> -Micah
Re: [PHP-DB] Security Question
But what I'm saying is that if you're submitting a form from an unsecured page, to a script on a secure server, the data will still be encrypted. Anyone know this for sure to be correct? It sure makes sense this way.

On Sunday 16 January 2005 07:27 pm, Peter Lovatt wrote:

> Hi
>
> It is better from a security point of view to have a secure login. The secure server encrypts the data between the browser and the server, making it impossible to read on its journey from you to the server.
>
> However whether it is a major security problem is another question. To view the traffic somebody must have access to the servers that route your request, which isn't easy. They then have to spot your traffic amongst all the other web traffic. If it is the login for your Swiss bank account where you hid the million you made without declaring tax then it should be secure - no question. On the other hand if it is just to login to see when your books will be delivered, with no sensitive financial information then the risk is smaller and it is unlikely that anyone is trying too hard to get your login, so an insecure login carries less risk.
>
> You could always host the login page on a non secure server but post the form to a secure server.
>
> Peter
Re: [PHP-DB] Security Question
From: Dylan Barber [EMAIL PROTECTED]

> I am accessing a database on my site from another site - I am not the only developer on the other site and there is the potential for someone to access the database for nefarious purposes from the other site. Can I somehow protect the password and still have it work?

What database? I assume you mean your PHP script is logging into a remote database and you're concerned about the password being in the script?

Not much you can do about it, really. You can log in over SSL (depending upon your database), which will protect the password in transit, but it's still sitting in the file. If you can't trust users on the server that you're on, find a better server. :)

> Or I had thought of this but I didn't know if it would or should work - include all my database routines in an include file and do something like
>
>     include_once 'http://domain.com/include.php';
>
> would that even work?

It will work, but not like you're thinking. You'll get the _result_ of the PHP file and not the actual code.

---John Holmes...