  1. #1
    Join Date
    Jan 2006
    Posts
    5

    Database Cryptography

    Hi there,
    I have searched Google but didn't find anything useful.

    I want to have all data in a database stored encrypted by some method.
    The desired db is Berkeley DB (BDB) but any other will be OK too.

    The point is that I can't write cryptography functions on the client side. It must be done on the server side. It should be transparent for end user software and other programmers developing / using the same database.
    The only solution that I can think of is having a lot of before insert / before update / after select triggers that will do the actual crypting on the data entered.

    Another problem is that cryptography changes data and in a lot of cases changes its size. If you have a 64B text field it can become 128B after encrypting.
    Other common problems are: speed and overhead, security and reliability.

    Any comments and / or links to resources will be highly appreciated.

    TIA!

  2. #2
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    The encryption/decryption is usually handled at the "connection" level, usually via SSL instead of being handled directly by the database. That way all of the communication (including connection parameters, username, password, etc) is held secure, instead of only the pure data portion.

    Without knowing more about what you are trying to do, it is difficult for me to give you concrete advice. Your best bet is probably to investigate using either HTTPS: or some form of VPN such as IPSec or PPTP between the client and the server.

    -PatP

  3. #3
    Join Date
    Jan 2006
    Posts
    5
    HTTPS is fine for securing the connection but I want something else.

    The database is hosted on a server shared by multiple users.
    Is there a way to keep my data secure in case the server is compromised or there is misconfiguration that lets other users use my database, or my db username / password get compromised?

    Hope that clears up what I am trying to do.

  4. #4
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    If it gets compromised then what's to stop your encode / decode function becoming compromised? If you do it in the db then the routine is equally available. If you do your encoding in the application, likewise (albeit it's a different password / userid).

    Assuming you are using Berkeley DB, so guessing you intend to use MySQL, there is nothing that I am aware of native to MySQL that will allow you to encrypt data with confidence that it cannot be broken. By definition you have to supply a password / decryption phrase to decode your data, and that is always capable of being compromised if your system is out of your direct control.

    MySQL does have some encryption algorithms
    DECODE(str,pw) decodes value str using password pw
    ENCODE(str,pw) encodes value str using password pw
    ENCRYPT()
    MD5()
    PASSWORD()
    of the 4 options ENCODE / DECODE looks to be the best option as you can go to and from the encrypted value.
    HTH
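
Added example, not part of any poster's reply: server-side column encryption in MySQL that covers both the size-growth question in post #1 and the key-handling caveat in post #4. It uses MySQL's `AES_ENCRYPT()` / `AES_DECRYPT()` rather than the `ENCODE()` / `DECODE()` pair listed above; the table, column names and passphrase are constructed placeholders.

```sql
-- Added example; table, columns and passphrase are constructed placeholders.
-- The server default is aes-128-ecb; switch this session to CBC with a per-row IV.
SET block_encryption_mode = 'aes-256-cbc';

-- 32-byte key derived from a placeholder passphrase. The application supplies
-- it per session; it is never stored in the database itself.
SET @k = UNHEX(SHA2('constructed-passphrase-not-a-real-key', 256));

CREATE TABLE customer_secret (
  id      INT PRIMARY KEY,
  iv      BINARY(16)    NOT NULL,  -- random IV, stored in clear next to the row
  -- AES pads to the next 16-byte block: a plaintext of up to 64 bytes needs
  -- 16 * (FLOOR(64 / 16) + 1) = 80 bytes, so size the column for ciphertext.
  note_ct VARBINARY(80) NOT NULL
);

-- Encrypt on insert with a fresh IV for every row.
SET @iv = RANDOM_BYTES(16);
INSERT INTO customer_secret (id, iv, note_ct)
VALUES (1, @iv, AES_ENCRYPT(REPEAT('x', 64), @k, @iv));

-- Compare stored sizes (raw binary vs. hex text) and decrypt on read.
SELECT LENGTH(note_ct)                            AS ciphertext_bytes,
       LENGTH(HEX(note_ct))                       AS hex_chars,
       CAST(AES_DECRYPT(note_ct, @k, iv) AS CHAR) AS note
FROM customer_secret
WHERE id = 1;

-- A wrong key does not return the plaintext (NULL or unreadable bytes).
SELECT AES_DECRYPT(note_ct, UNHEX(SHA2('wrong', 256)), iv) AS wrong_key_result
FROM customer_secret
WHERE id = 1;
```

The key still travels to the server inside each statement, so this protects data files and backups but not a server that is itself compromised, which is the limit raised in the replies. Storing ciphertext as hex text instead of `VARBINARY` doubles the stored size again.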

  5. #5
    Join Date
    Jan 2006
    Posts
    5
    I am looking for something like that :
    http://www.oracle.com/technology/dep...tdocs/enc.html

  6. #6
    Join Date
    Feb 2004
    Location
    In front of the computer
    Posts
    15,579
    You can easily encrypt backups from any database. Depending on your Operating System, you can often encrypt the data on the disk. I don't see how either of those kinds of encryption helps at all with the online access to the database, since the data must be available in "clear" form for the database engine's use.

    What exactly are you hoping to gain from encryption?

    -PatP

  7. #7
    Join Date
    Nov 2004
    Location
    out on a limb
    Posts
    13,692
    Having had a quick look at California SB-1386 I'm guessing that the encode / decode options in MySQL will be the best bet. But like PatP I still think you are equally exposed if someone also gets access to your user interface and strips off the encryption password/phrase.

    BTW I find it amazing that a legislature can pass laws which claim to protect people in their domain by imposing duties on parties outside their domain. If they ever come looking to me under these laws I'd tell 'em to get stuffed, have never really thought that much about California - be sad to never go back to the US though.......
