I have a security related question about storing some client information - specifically their database login credentials.
My app works based on the client and so the database details need to be set at the start. My initial thought was to hold it all in a MYSQL database table but if that gets compromised, then all my clients are at risk.
I've also thought about creating a PHP array with all these details in, it would be a little harder to manage but definitely worth it in terms of security.
Are there any better alternatives out there that I'm missing?
EDIT: Request for more details
I have a MYSQL database on my host (where the app runs from) then the app needs to connect to an external database (my client's) but obviously the app needs to know all of their details.
I'm not sure that encryption is really possible, I can hash it and save it to a table but I can't reverse that so it'd have to be plain text, hence my worry about security - I'd never ever store plain text passwords in a database.
In the end as we will always control client database, I set up a secret formula that is hashed and then used as the database password and username.
Related
I wrote a web app in PHP, which is processing some secret data, placed in one database table. All fields in this table (excluding id and date of creation) are encrypted with AES, so nobody who has got access to this database can read it.
I encrypt that data with user password. There's no plain password anywhere in database, just the SHA1 sum, so I can verify it. However, I need plain password to decrypt user data when he's logged in, so I store this value in session.
Is it OK for this purpose? If not, what are the good patterns to deal with this case?
I encrypt that data with user password
If they change their password you then have to re-encrypt everything. Look into something more static for the key.
so I store this value in session.
The session should not store this type of information as anyone else with a website on the box (or any other way to access the box) may be able to read it. If your box uses something similar to suPHP or phpSuExec (ask your host) you could place this data in a directory that only your account can access. You could even store it back in the database (encrypted of course).
what are the good patterns to deal with this case?
If security is important to you, go dedicated. If you're unable to do that then at least be on a server that uses suPHP or phpSuExec or the like so that your web server processes run under a unique user so that any data related to the encryption key can be secured.
so nobody who has got access to this database can read it.
By storing your password in the session, you will have a lot of session files in your /tmp directory (or wherever they are stored...) containing users passwords.
Not only does access to your server invalidate your first statement (when you have access to the server, you have direct access to lots of passwords), but someone with server access - even a valid server admin like yourself - can see passwords he or she should never be able to see.
So no, this is not OK.
A possible solution to your problem would be to use an encryption key for the user information that is stored on a different server so that access to the database / database server alone is not enough. However, this is just a thought, you might get a better answer to that question on for example https://security.stackexchange.com/
I have created a database in mysql and multiple different php scripts to manipulate and add data to the database, and I am comfortable communicating between them using the iOS interface.
What I am interested in learning is the best way to handle a username and password login for my app. Once I have created a username and password or validated that a username and password combination is correct, what do I do?
Currently I have myself passing a user id number to the phone on login and to the server for every database transaction, but this feels like the wrong way to go about this.
Can someone explain the standard way to go about this? I have been researching cookies, which I understand to be holding something 'like' a user id number which is stored on the phone, and other information. I don't entirely understand how this is meant to work, however, and I want my service to be somewhat secure (so logging in actually means something).
Currently the user id number is always the same (id in database) so I assume that is not very secure.
I find myself in a situation where I have a set of users on a site who all have stored usernames and passwords that allow them to automatically access third party services via SOAP. The idea is that each user should only need to log in to the main site to gain access to multiple services, using their respective stored user info for each service. I feel like such data should be encrypted in my database when stored and then automatically decrypted when it's passed to the php/SOAP function when the user needs to access a given service. What would be the best way to accomplish this?
I've had a look at AES_ENCRYPT, but it seems as though the encryption and decryption makes use of a key that would have to be stored in my code, in plain text...which doesn't seem like the brightest thing to do. Anyway, this is my first time out on something like this (if you couldn't tell); if you could give me some pointers on how I should approach this, I'd really appreciate it.
Many thanks in advance
You stumbled over the biggest problem with encrypting data in the database:
➽ Where to store the key?
Encryption cannot solve the problem of securing data, it can only "concentrate" it to a key. Wherever you store the key, your application must be able to decrypt the data, so can do an attacker. There are two possible solutions to this problem i know of:
Place the key in a place as secure as you can. That means, it should surely be placed outside of the www-root directory in an inaccessible directory on the server. Depending on the importance of the data, you can also consider to outsource encryption to another dedicated server.
Don't store a key at all and derive it from the user password. This is the only really safe way, because not even the server can decrypt the data then. The cons are of course, that the user needs to enter the password every time he uses your service. If the user changes the password, you need to re-encrypt all data. If the user forgets the password, the data is lost.
P.S. I would recommend to encrypt the data before storing it to the database, because MySQL AES_ENCRYPT uses the ECB mode without an IV. This allows to search for a certain value, but is less secure (i'm pretty sure that you don't want to search by password).
I am developing a website that connects to a users MSSQL database to collect information. Users are assigned to different MSSQL database accounts and connect to them using the IP, username and password stored inside the MySQL DB.
Currently, what I've got is PHP the AES encrypts/decrypts the passwords as needed. That just doesn't seem right. It prevents you from seeing the plain text password by looking in the database (which is undeniably good) but I'm not sold on it's level of security.
Hashing is great and all if you never need the password again, but I do. So I don't really know how to go about implementing a reasonable level of security into this particular aspect of the site.
Any suggestions would be great. Am I completely wrong and being an idiot. Is there a vastly superior way to do this?
Obviously if you are sending the password over to MS SQL, you are going to need to be able to reverse the value. I would think encryption would be the most correct answer here. Either way your code will still be able to extrapolate this password, otherwise you cannot connect.
If you would like to increase the security, you can seed your encryption with a checksum calculated from the user name... however, if the user name ever changes, you will need to decrypt and re-encrypt. This will only make it a bit tougher for "others" that may know you are using AES.
But at the end of the day, you will always be able to know what the password is, since you need to decrypt. There is only so much you can do in this situation, the best would be to demand the password from the user every time it's needed.
I have a database that contains user details including sensitive data. They're not as sensitive as financial, but they are sensitive nonetheless. The passwords to the accounts are hashed and salted but the rest can only be encrypted not hashed to allow editing.
How far would you go encrypting the fields? Would you go as far as encrypting everything including generic fields like username, first name, last name, or only fields like address and phone. The first name is used frequently after the user logs in.
Can someone suggest an algorithm (with sample code if available) to encrypt the fields? I use PHP and MySQL primarily.
I wouldn't encrypt the fields at all since it's going to be a royal pain in the rear end :-)
I would instead move sensitive data to a separate table and use the security features of the DBMS itself to protect the data while still allowing access to the non-sensitive data.
In other words, have two tables (user and user_sensitive) tied together with a userID column. Let anyone peruse the user table to their hearts content but access (of any sort) to user_sensitive is restricted to admin-type bods).
And, if my DBMS didn't provide such facilities (I do not know whether MySQL does), I would move to a DBMS that did.
If you want a user to have access to their own sensitive data but not that of other users, we once implemented such a scheme in DB2 by providing a stored procedure. It retrieved all the desired rows but also checked to see which user was executing it. For rows that didn't match that user, the sensitive information was blanked out. The underlying table was fully protected from everyone except the stored procedure itself.
In order for that to work, you would have to be able to run the stored procedure under a different user from the one invoking it. Whether that's possible under MySQL, I have no idea.
I'd google for "transculent databases" - there are both printed books on the subject and some on-line resources.
There are variations of this method but basic idea is to:
encrypt only sensitive fields
encrypt with key from data only the user knows of (like login/password pair)
Password ofc must not be clearly saved in any table. Keys should be held only for session. This way the attacker doesn't have the means to decrypt information whether the database and/or the application is compromised (forgetting for a moment possibility of modifying app code and silently gathering keys).
You want to encrypt the database but still be able to access it using the application. This means that the application needs to have a way to decrypt the data. If the attacker has access to the database, it is quite likely that he will gain access to the application and figures out how to decrypt the database.
You could use transparent disk encryption. However, this only guards against physical access to the disk. It does not add much security if your server is stored somewhere safe.