Posted below is part of a project I am working on. The basic concept is to protect the data stored in a MySQL database even if the DB is compermised (such as the actuall server being accessed by an unauthorized employee or someone gaining access to root). I am planing on implementing this on an Intrant application I am developing.

Any comments or suggestions would be very much appriciated. Thanks in advance.

Secure Database Architecture

The purpose of the Secure Database Architecture (SDA) is to ensure that the information contained within a database will remain secure even if the database is compromised (such as an unauthorized user gaining access to the database server itself).

How it works:

When the database is initialized, the administrator will be promoted for a username, password, an encryption key, and encryption chipper. The username and password will be used to authenticate access to the system. The encryption key will be used to encrypt the encryption chipper. The encryption key will not be stored in the database, and will be set as a session variable which will need to be entered every time the user logs in to the system.

A table called Encryption Chippers will contain an entry for each user with the Encryption Chipper encrypted with that user’s encryption key.

When the system administrator creates a new user, they will designate an encryption key for this user. The system will use the administrators Encryption Key to decrypt the data stored in the administrator’s entry in the Chippers table and then make a new entry in the table for the user which has been added containing the Encryption Chipper encrypted with the new user’s encryption key.

Whenever a user adds data to the database, the system will use that user’s encryption key to decrypt their entry in the Encryption Chippers table and then add the data to the database encrypted with the Encryption Chipper.

When a user wishes to access data stored in the database, the system will decrypt their entry in the Encryption Chippers table and that will be used to decrypt the data which they have requested.

Hello Jake,

Very impressive, I would like to offer you a job with our company as we are building a new billing center and I love this idea of having everything encrypted IN the billing center's tables to ensure maximum client security and privacy of data should a system become compromised.

Please contact me by PM if you are interested.


Regards,

Chris Childers
DarkStar Communications

Chris,

Thank you for the offer however I am curentlly employed and am not seeking a job at this time.

However, I am available for contact work. If you would be interested, please send me the details of the project and I will get back to you with a quote.

-Jake Mertel

If you store additional keys in the database, this keys will be available from someone login on as root and with a proper decryption program, they can workout the encryption method you're using.

I'm going to take a deep breath here and say: I don't think at the moment there is a way to get the user password out of the databse once it has been created.

If this is correct, it will be safer to use that password as the encryption key.

Quick tought: Officialy only the user can access the data store that way.

First, the encryption method in question would be Triple DES, which is approved by the National Security Agency for use with information with a classification of Secret. It would take several hunderd years of parallel computer time to break the encryption.

Second, using the password as the encryption key would defeat the purpose of this system - which is to encrypt all the data in the database, and not have the decryption key stored anywhere.

By your logic, there would be no point in using encryption whatsoever because then someone would just brake it.

You wrote:
So the encryption key is store in the database..

I agree that encrypted the data is a good idea when needed; what I am trying to say is, if the key is store in the database - even encrypted- then the admin (root) can logon, reset the user password and access the datas as the user- thus making the hole encryption system useless.

If however,
a)you do not store the key in the database or anywhere for that matter- the user will need to write the key himself and if a tiny mistake in the key is made, since there is no verification possible, this will corrupt the data.

or b)you use the user's password as the key, anyone having root access still cannot access the data since reseting the password will automatically make the data un-recoverable.

However weird, you can reset an admin/root database password.

My impression however, is that you're trying to create a security system within the database where the user will have 2 passwords:
Username, password, Key (password2) this will be useless since anyone having full access to the server and system you're using to access the database can easily perform an "un-Crypt" on the encrypted key and then reset the user password.

Let me know if I missed something ??!

Even if someone were to gain access to the databse, they will still not be able to use any of the information. In order for them to add a new password, they will still need to know what the encryption key is to begin with.

I don't think you understand how the system works. All data is encrypted. The key to decrypt the information is also stored in the databse, but that information is encrtypted with each users "password2". In order for them to add a new user/password, they still need to know password2 to decrypt the encryption key for one of the entrys and then to reencrypt it. Even if someone logs in to the DB administration, they will not be able to just decrypt the information. The information is not going to be encrypted using traditional database-based encryption; It will be done using Tripple DES, which can not just be decrypted without a key.

Question is how do you know password2 is correct ?

Try finding the solution on http://www.encryptionkey.info/ :)

http://pink-white-black-purple.spaces.msn.com/ haha thats a good one.