[nycphp-talk] Encrypt and decrypt to store in DB

Kenneth Downs ken at secdat.com
Fri Aug 4 14:00:56 EDT 2006


Dan Cech wrote:

>That is pretty much the problem in a nutshell.  Any kind of 2-way
>encryption on a single server is going to require that the key be
>present on the system and therefore vulnerable to attack.
>
>I wish I had a silver bullet answer to this problem, but at this point
>the only advice I can give is that in this situation the security of the
>data is only as good as the security of your system and application,
>regardless of whether it is encrypted on disk or not.
>
I haven't seen the point of basic server security brought up in this 
thread, so forgive me if I am repeating this, but security in a server 
ultimately rests on the use of a server's ability to grant various 
permissions to various users.

Many applications are written to connect to a database as a superuser 
and then implement security in the PHP layer.  If this is the case, this 
is a far more serious security problem.  If regular user accounts are 
used and assigned various permissions, then you have the strength of the 
db server security protecting the data.
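The account separation described in the reply above, sketched for PostgreSQL as an added example that is not part of the original post. The table, column and role names are hypothetical, and `secret_enc` stands in for the encrypted value the thread discusses.

```sql
-- Constructed schema for illustration; all names are assumptions.
CREATE TABLE customers (
    customer_id serial PRIMARY KEY,
    email       text  NOT NULL,
    secret_enc  bytea            -- ciphertext written by the application
);

-- Two ordinary login roles instead of one superuser connection.
-- Passwords are placeholders.
CREATE ROLE web_app     LOGIN PASSWORD 'placeholder-1'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;
CREATE ROLE billing_job LOGIN PASSWORD 'placeholder-2'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Start from nothing, then grant only what each account needs.
REVOKE ALL ON customers FROM PUBLIC;

-- The web-facing account can store a new secret and read non-sensitive
-- columns, but it has no SELECT on secret_enc, so a compromised PHP
-- layer cannot read the ciphertext back out through this connection.
GRANT SELECT (customer_id, email),
      INSERT (email, secret_enc),
      UPDATE (email)
   ON customers TO web_app;
GRANT USAGE ON SEQUENCE customers_customer_id_seq TO web_app;

-- The back-office account is the only one allowed to read the
-- ciphertext; it cannot insert, update or delete rows.
GRANT SELECT (customer_id, secret_enc) ON customers TO billing_job;

-- Checks to run as an administrator after applying the grants:
-- each query reports whether the named role holds that privilege.
SELECT has_column_privilege('web_app',     'customers', 'secret_enc', 'SELECT');
SELECT has_column_privilege('billing_job', 'customers', 'secret_enc', 'SELECT');
SELECT has_table_privilege('billing_job',  'customers', 'INSERT');

-- Confirm neither application role is a superuser.
SELECT rolname, rolsuper
  FROM pg_roles
 WHERE rolname IN ('web_app', 'billing_job');
```

The decryption key would then live only with the process that connects as `billing_job`, so the database permissions and the key placement enforce the same boundary.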

