[nycphp-talk] Encrypt and decrypt to store in DB

Michael Southwell michael.southwell at nyphp.org
Fri Aug 4 14:04:04 EDT 2006


At 12:18 PM 8/4/2006, you wrote:
>I'd like to back this question up to the very beginning, and ask a
>more fundamental question that's been nagging at me for several
>days...
>
>So a client comes up to you with an intent to require encrypted data
>in the database. This of course requires two-way encryption, which
>unfortunately means you gotta store the keys on the webserver to
>decrypt the data.
>
>So what additional security does this actually accomplish, and is
>there a better approach?
>
>-- Mitch

quoting from page 86 of Pro PHP Security:
-------------------------------------------------------------
Because PHP is often used for web applications, it is important to 
note that if your webserver has read access to your secret key, then 
any other script run by your webserver may have access to it (this is 
the "nobody's business" problem we discussed in Chapter 2). This 
issue can be mitigated somewhat by executing PHP with a suexec call 
that causes all scripts to be run with the userid and group of their 
owners (information is at 
http://httpd.apache.org/docs-2.0/suexec.html), but your secret is 
still only one exploit or uploaded script away from being discovered. 
This obviously has enormous security implications if you use 
symmetric encryption as demonstrated earlier with the mcrypt class, 
because anyone who manages to discover the secret key can use it to 
decrypt your data. In many situations this is going to be an 
unacceptable risk, and so we turn now to how you might use asymmetric 
encryption with PHP (using a public/private key pair) to help you 
protect secret data. As we discussed in Chapter 5, with asymmetric 
encryption a public key is used for encryption, and a corresponding 
private key for decryption.
The idea, then, is to give a public key to the webserver (in a 
configuration file, for instance), while keeping the all-important 
private key off the server. The webserver uses the public key to 
encrypt data for storing in the database, but can't decrypt that data 
because it has no access to the private key. When some data from your 
database does need to be decrypted, that task can be taken care of 
away from the web server, in an administrative environment on a 
separate server or workstation that has access to the private key.
-----------------------------------------------------------


Michael Southwell, Vice President for Education
New York PHP
http://www.nyphp.com/training - In-depth PHP Training Courses 
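To make the book's suggestion concrete, here is an added example (my own sketch, not code from the original post or from Pro PHP Security) of the split the quote describes: the web server holds only an RSA public key and can encrypt for storage but never decrypt; decryption runs elsewhere with the private key. Because RSA alone cannot encrypt more than a few hundred bytes, each record gets a fresh random AES-256-GCM key that is then wrapped with the public key. The function names, key file paths and the sample card-number string are assumptions for illustration.

```php
<?php
// Added example: hybrid public-key encryption for a database column.
// Web server: public key only. Admin workstation: private key. Paths assumed.

// --- Web server side: public key only --------------------------------------
function encryptForStorage(string $plaintext, string $publicKeyPem): string
{
    $dataKey = random_bytes(32);   // per-record AES-256 key, never stored in clear
    $iv      = random_bytes(12);   // 96-bit GCM nonce, unique per record
    $tag     = '';
    $cipher  = openssl_encrypt($plaintext, 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($cipher === false) {
        throw new RuntimeException('symmetric encryption failed');
    }
    $pub = openssl_pkey_get_public($publicKeyPem);
    if ($pub === false || !openssl_public_encrypt($dataKey, $wrappedKey, $pub, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('key wrapping failed');
    }
    // One opaque blob for the DB column; base64 keeps it safe in a TEXT field.
    return base64_encode(json_encode([
        'k' => base64_encode($wrappedKey),  // data key, readable only with the private key
        'n' => base64_encode($iv),
        't' => base64_encode($tag),         // GCM tag detects tampering with the stored row
        'c' => base64_encode($cipher),
    ]));
}

// --- Administrative workstation: private key present -----------------------
function decryptFromStorage(string $blob, string $privateKeyPem): string
{
    $parts = json_decode(base64_decode($blob, true), true, 512, JSON_THROW_ON_ERROR);
    $priv  = openssl_pkey_get_private($privateKeyPem);
    if ($priv === false || !openssl_private_decrypt(base64_decode($parts['k']), $dataKey, $priv, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('key unwrapping failed');
    }
    $plain = openssl_decrypt(base64_decode($parts['c']), 'aes-256-gcm', $dataKey,
        OPENSSL_RAW_DATA, base64_decode($parts['n']), base64_decode($parts['t']));
    if ($plain === false) {
        throw new RuntimeException('ciphertext or tag was tampered with');
    }
    return $plain;
}

// On the web server: only public.pem (assumed path) is ever readable here.
$blob = encryptForStorage('4111-1111-1111-1111', file_get_contents('/etc/app/public.pem'));
// ... INSERT $blob into the database ...
// Later, on the administrative machine that holds the private key:
echo decryptFromStorage($blob, file_get_contents('/secure/private.pem')), "\n";
```

An uploaded script on the web server can still read the public key and encrypt new rows, but it cannot read back anything already stored, which is the whole point of the separation.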
