Using encryption

  • Alan M Dunsmuir

    Using encryption

    In my (PHP-5) application I have to write some records to a table in my
    database, which I don't want even my clients using the system to be able
    to read.

    This is not a problem in National Security; I simply want the contents
    of records in this file to remain unreadable, even by the client's IT
    supervisor who can look at the contents of the (MySQL) database using
    phpMyAdmin.

    I intend, periodically, to download these records to my local machine,
    where I plan to decrypt and analyse them.

    I am running my application on a commercial Web server where the wcrypt
    (?) library has not been implemented.

    What do I do?

    I think I need an asymmetric encryption algorithm so that I can decrypt
    the records locally without providing any hints on keys to the Web
    Server, and I would ideally like to look for something implemented as a PHP
    Class on the Web Server so that I do not impinge on the limitations of
    his PHP installation.

    Help, please.


  • Iván Sánchez Ortega

    #2
    Re: Using encryption

    Alan M Dunsmuir wrote:
    > This is not a problem in National Security; I simply want the contents
    > of records in this file to remain unreadable, even by the client's IT
    > supervisor who can look at the contents of the (MySQL) database using
    > phpMyAdmin.

    They'll have the DB. They'll have your code. They'll have the encryption
    keys.

    Eventually, you'll realize that hiding the data from your clients is pretty
    useless (unless you want to lock your client down, which is a Bad Thing™,
    and still useless).

    --
    ----------------------------------
    Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

    He who fears many is feared by many. - Saavedra Fajardo.


    • 703designs

      #3
      Re: Using encryption

      On Nov 12, 1:29 pm, Iván Sánchez Ortega <ivansanchez-...@rroba-escomposlinux.-.punto.-.org> wrote:
      > Alan M Dunsmuir wrote:
      >> This is not a problem in National Security; I simply want the contents
      >> of records in this file to remain unreadable, even by the client's IT
      >> supervisor who can look at the contents of the (MySQL) database using
      >> phpMyAdmin.
      >
      > They'll have the DB. They'll have your code. They'll have the encryption
      > keys.
      >
      > Eventually, you'll realize that hiding the data from your clients is pretty
      > useless (unless you want to lock your client down, which is a Bad Thing™,
      > and still useless).
      >
      > --
      > ----------------------------------
      > Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-
      >
      > He who fears many is feared by many. - Saavedra Fajardo.

      You could just make the data seem very boring and innocuous. A column
      called "top_secret" will attract prying eyes.

      Thomas


      • Gordon Burditt

        #4
        Re: Using encryption

        >This is not a problem in National Security; I simply want the contents
        >of records in this file to remain unreadable, even by the client's IT
        >supervisor who can look at the contents of the (MySQL) database using
        >phpMyAdmin.
        >
        >They'll have the DB. They'll have your code. They'll have the encryption
        >keys.
        If you use public-key encryption such as RSA, they'll have the DB,
        they'll have your code, and they'll have your public key. That's
        not enough to decrypt the data once it's encrypted and the unencrypted
        copy is erased. The private key is needed, and presumably that never
        appears on the web/PHP server or the DB server.

        This does not prevent them from modifying your code (or perhaps OS
        or PHP code used by your code) to log an unencrypted copy of your
        data someplace where they can read it. Or they could replace your
        public key with theirs (but then you couldn't read your data).



        • Betikci Boris

          #5
          Re: Using encryption

          On Nov 12, 8:00 pm, Alan M Dunsmuir <a...@moonrake. demon.co.uk> wrote:
          > In my (PHP-5) application I have to write some records to a table in my
          > database, which I don't want even my clients using the system to be able
          > to read.
          >
          > This is not a problem in National Security; I simply want the contents
          > of records in this file to remain unreadable, even by the client's IT
          > supervisor who can look at the contents of the (MySQL) database using
          > phpMyAdmin.
          >
          > I intend, periodically, to download these records to my local machine,
          > where I plan to decrypt and analyse them.
          >
          > I am running my application on a commercial Web server where the wcrypt
          > (?) library has not been implemented.
          >
          > What do I do?
          >
          > I think I need an asymmetric encryption algorithm so that I can decrypt
          > the records locally without providing any hints on keys to the Web
          > Server, and I would ideally like to look for something implemented as a PHP
          > Class on the Web Server so that I do not impinge on the limitations of
          > his PHP installation.
          >
          > Help, please.

          That's what the AES_ENCRYPT() and AES_DECRYPT() MySQL functions stand for.
          This is a database question; for more info, go and ask Comp.Mysql.*
          and www.mysql.com

          You can not use PHP for an encryption-decryption algo., as PHP source
          files stand ready to read in the server.
          There is an encryption - decryption function in a post, so search this
          group carefully.


          • mijn naam

            #6
            Re: Using encryption

            "703designs" <thomasmallen@g mail.com> wrote in message
            news:900a0b07-939c-4a2b-8e25-2a54d95665f1@s9 g2000prg.google groups.com...
            > You could just make the data seem very boring and innocuous. A column
            > called "top_secret" will attract prying eyes.

            So you have one column 'top_secret', containing interesting looking garbage,
            and one innocent name containing the real stuff :-)

            Seriously: Would I encounter someone on my team who thinks he needs to hide
            something from me, I would want to know 'what and why'. I would probably not
            need to ask 'how long', as that would be my discretion and it would not be
            long lasting.


            • thind

              #7
              Re: Using encryption

              On Wed, 12 Nov 2008 14:32:23 -0800 (PST), Betikci Boris
              <pardust@gmail. com> wrote:
              >
              >That's what the AES_ENCRYPT() and AES_DECRYPT() MySQL functions stand for.
              >This is a database question; for more info, go and ask Comp.Mysql.*
              >and www.mysql.com

              asymmetric he said


              • Iván Sánchez Ortega

                #8
                Re: Using encryption

                Gordon Burditt wrote:
                > If you use public-key encryption such as RSA, they'll have the DB,
                > they'll have your code, and they'll have your public key.

                I'm assuming that the application will write *and* read data from the DB.
                Thus (in this scenario), they'll have the DB, they'll have the code,
                they'll have the public key, and they'll have the private key.

                I agree with most of the replies in the thread so far. And I do recommend
                anyone that wants to do some gratuitous encryption to feel safer (that's
                you, Alan) to read some literature by Kevin Mitnick and Bruce Schneier. I
                mean it.

                Cheers,
                --
                ----------------------------------
                Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

                Proudly running Debian Linux with 2.6.26-1-amd64 kernel, KDE 3.5.9, and PHP
                5.2.6-5 generating this signature.
                Uptime: 23:49:28 up 83 days, 12:45, 4 users, load average: 0.36, 0.52,
                0.61


                • C. (http://symcbean.blogspot.com/)

                  #9
                  Re: Using encryption

                  On 12 Nov, 22:32, Betikci Boris <pard...@gmail. com> wrote:
                  > On Nov 12, 8:00 pm, Alan M Dunsmuir <a...@moonrake. demon.co.uk> wrote:
                  >
                  >> In my (PHP-5) application I have to write some records to a table in my
                  >> database, which I don't want even my clients using the system to be able
                  >> to read.
                  >>
                  >> This is not a problem in National Security; I simply want the contents
                  >> of records in this file to remain unreadable, even by the client's IT
                  >> supervisor who can look at the contents of the (MySQL) database using
                  >> phpMyAdmin.
                  >>
                  >> I intend, periodically, to download these records to my local machine,
                  >> where I plan to decrypt and analyse them.
                  >>
                  >> I am running my application on a commercial Web server where the wcrypt
                  >> (?) library has not been implemented.
                  >>
                  >> What do I do?
                  >>
                  >> I think I need an asymmetric encryption algorithm so that I can decrypt
                  >> the records locally without providing any hints on keys to the Web
                  >> Server, and I would ideally like to look for something implemented as a PHP
                  >> Class on the Web Server so that I do not impinge on the limitations of
                  >> his PHP installation.
                  >>
                  >> Help, please.
                  >
                  > That's what the AES_ENCRYPT() and AES_DECRYPT() MySQL functions stand for.
                  > This is a database question; for more info, go and ask Comp.Mysql.*
                  > and www.mysql.com
                  >
                  > You can not use PHP for an encryption-decryption algo., as PHP source
                  > files stand ready to read in the server.
                  > There is an encryption - decryption function in a post, so search this
                  > group carefully.

                  Wrong on both counts.

                  The MySQL implemented algorithms are both symmetric, therefore you
                  can't use them without exposing the decryption key.

                  There's nothing to stop you using asymmetric (pub key) encryption -
                  IIRC there are a couple of pure PHP implementations of RSA

                  C.


                  • Alan M Dunsmuir

                    #10
                    Re: Using encryption

                    C. (http://symcbean.blogspot.com/) wrote:
                    >
                    > There's nothing to stop you using asymmetric (pub key) encryption -
                    > IIRC there are a couple of pure PHP implementations of RSA
                    >
                    > C.

                    How I love this NewsGroup!

                    I tend to get very good technical information from it (Thanks, Colin
                    McKinnon - a great Scots name, by the way! - for the definitive answer
                    this time), but as usual I have had to wade through a morass of
                    sanctimonious and plain mis-directing twaddle to get there.

                    From "I can't see why you would want to keep anything hidden from your
                    clients" (I'd keep my lack of ability at lateral thinking a bit less
                    public, if I were you, lad), through "there are a couple of MySQL
                    functions to do what you want" (where had I even mentioned MySQL, and
                    shouldn't you learn the difference between symmetric and asymmetric key
                    systems before you pontificate?) to "I don't believe PHP can handle
                    asymmetric keys - they're too computing intensive".

                    As it happens, Kaled al-Shamaa has published a perfectly acceptable
                    implementation of RSA at www.phpclasses.org/browse/package/4121.html.
                    Just because he chooses to use sample sentences for encoding which are
                    written in Arabic doesn't mean definitively that he is an al-Qaeda agent,
                    guys. He's not going to take over your machines.

                    Comment
