jafar — 2014-07-03T08:19:01-04:00 — #1
let me explain my questions a bit more.
I want to make a simple store to sell pin codes/vouchers and licenses. I know I need to store the pin codes in a database like mysql. But I'm not sure how I can keep the pin db secure.
- Is it secure to save pin codes without encryption in a mysql db? assuming we have a secure dedicated server.
- Should I encrypt / decrypt the pins? If yes, can you direct me to which function or api I should use? I've heard that encrypting doesn't add security as it can be decrypted easily.
- Is there any other solution? What's the best method? Any open source scripts out there?
rt_ — 2014-07-03T09:03:53-04:00 — #2
No, you should aim to make your server secure, but NEVER assume it is totally secure. Security should be layered. This mistake is too common.
It sounds like you might be getting confused with hashing. Hashed content can often be easily unhashed using rainbow tables. Encrypting definitely adds security. A strong encryption is almost impossible to decrypt without the key. So you need to make sure your keys are kept safe.
jafar — 2014-07-03T12:41:31-04:00 — #3
So how do I keep the keys safe? Is having a unique key in a php file (config.php) enough?
mawburn — 2014-07-03T12:43:07-04:00 — #4
Are the pins for your site only or are they for 3rd parties?
If they are for your site, is there any reason why they would ever need to be decrypted instead of just compared? Such as hashing or BCrypt.
felgall — 2014-07-03T15:57:03-04:00 — #5
In most cases encrypted data is easier to decrypt than hashed data. To decrypt encrypted data all you need is the key and the code needs to have that available in order to be able to do the decryption for use on the site.
Where the code and the database are on the same server encryption only prevents casual inspection of the data. Only where they are on completely separate servers in different data centres would encryption provide any real security.
Hashed data on the other hand is generally as secure as it can be since with a proper hash designed for the purpose it would take millions of years to construct a rainbow table to extract the data since each field would need its own completely different rainbow table. Of course hashes can only be used for passwords and similar because the system has no way to retrieve the original value that the hash was created from.
jafar — 2014-07-03T18:30:49-04:00 — #6
As the pin codes need to be shown to the user after processing payment (they are sold), hashing doesn't apply here. I should be able to decrypt the codes from the db.
As I understand it, having the php source code on a separate server from the db server increases the security.
So on one server I need to store the encryption key and source code, and then connect to an external db server? Am I right?
Is it the only secure option?
How do I lower the risk if we do it on one server?
felgall — 2014-07-03T22:22:55-04:00 — #7
The encrypted copy in the database only protects against those with direct access to the database rather than via the application. Via the application the data all gets decrypted first thing.
Server security can be set up so that the database is only directly accessible from the server running the application (or not externally accessible at all when both are running on the same server). That means that they need to either break into your account (and other security measures will reduce the chance of that) or have physical access to the server.
Where the data is encrypted and someone has physical access to the server (the only way not prevented by other security measures) then if the code is on a server at the same location then that person could if they wanted to get the key and decrypt the data as they will have access to both. So encryption really only protects confidential data from being viewed accidentally while the person is doing their job maintaining the system, if they wanted to breach their conditions of employment and steal your data then having it encrypted is no protection unless the code runs on a server at a different data centre - which would make it more secure from those at the physical location but make it easier to break in remotely. Also encrypted data makes it more likely that a would be thief would target your data rather than data stored in plain text as the encryption shows that you have something worth trying to protect.
Far more important than encrypting the data in the database is the security measures to keep people from being able to access it at all such as the security measures built into your scripts to properly validate all inputs and to keep code and data separate as much as possible so as to reduce or eliminate the possibility of code injection.
rt_ — 2014-07-04T01:54:39-04:00 — #8
That's a good point, keeping the key safe is a challenge on its own. But if you can keep the key safe, then some encryption algorithms are considered impossible to crack.
Would it not be suitable to create a new voucher code at the time when it is issued, send it to the user, and store it hashed in the database? Then the only person who knows the voucher code is the user (assuming no spyware is installed, and the user hasn't shared the voucher code with anyone else), and the only way it can be checked to be valid is against your database. The actual original voucher code is not stored anywhere, and it is destroyed after it is created. To check if a user's voucher code is valid, you simply hash the voucher code they give you, compare it with the hashed codes in the database, and then you can find the row with data associated with that voucher code and determine if it is valid.
You need to use a strong hash though, some of the common ones have rainbow tables like I said before.
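The issue-then-hash flow rt_ describes above, written out as an added Python example (not code from anyone in this thread). It uses an in-memory dict as a stand-in for the database table and assumes the store itself generates the codes; the `VoucherStore` class, its method names and the sample voucher value are all made up here. Because each code is 128 bits of fresh randomness, a rainbow table has nothing to precompute against, so a plain SHA-256 lookup is enough; the plaintext code exists only in the return value handed to the buyer.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


def _digest(code: str) -> str:
    """Canonicalise what the user typed (whitespace, case), then hash it."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


@dataclass
class VoucherStore:
    """Hypothetical in-memory stand-in for the vouchers table.

    Only hashes are stored as keys; the plaintext code never enters this structure.
    """
    rows: dict = field(default_factory=dict)  # sha256 hex -> {"value": ..., "redeemed": bool}

    def issue(self, value: str) -> str:
        """Create a fresh voucher worth `value`, keep its hash, return the code for the buyer."""
        code = secrets.token_hex(16)          # 128 random bits: unguessable, so no rainbow table applies
        self.rows[_digest(code)] = {"value": value, "redeemed": False}
        return code                            # shown/emailed to the user, then forgotten server-side

    def redeem(self, code: str):
        """Look up the hash of the submitted code; accept it once, then mark it used."""
        row = self.rows.get(_digest(code))
        if row is None or row["redeemed"]:
            return None                        # unknown code or already used
        row["redeemed"] = True
        return row["value"]


if __name__ == "__main__":
    store = VoucherStore()
    code = store.issue("10 EUR credit")      # constructed sample voucher
    print("give to buyer:", code)
    print("first redeem:", store.redeem(code))
    print("second redeem:", store.redeem(code))
```

A real table would add the hash as a unique indexed column plus the redeemed flag, and nothing else about the code; a dump of that table yields only SHA-256 digests of 128-bit random strings, which is what makes this scheme work for self-generated vouchers and, as later posts note, not for premade third-party codes that must be displayed back in plaintext.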
b44rd — 2014-07-04T02:17:07-04:00 — #9
Always assume everything you store in a database will at some time come into the hands of somebody that shouldn't have it. Therefore, data that's critical should always be encrypted in a non-reversible way. Always.
jafar — 2014-07-04T03:01:36-04:00 — #10
I'm just wondering what would be the benefits of having the database in a separate datacenter, if someone with physical access can see the source code on the first server. He checks the sources and gets everything, including the encryption key, the remote database connection parameters, etc. So he does what I do to connect to the database from the first server and gets all the data decrypted. Am I right?
In this case there's no difference between 1 server or 2 servers.
jafar — 2014-07-04T03:03:12-04:00 — #11
The vouchers are not generated by the system. They're premade ones, something like game codes, itunes, etc. So hashing isn't possible.
rt_ — 2014-07-04T03:35:23-04:00 — #12
How do you obtain these then? Are they insecure before you even receive them?
jafar — 2014-07-04T05:09:31-04:00 — #13
They are in a secure database of the original providers. When I get them, I will be responsible for keeping them safe in my own system.
rt_ — 2014-07-04T05:13:52-04:00 — #14
Could you simply access their database? Or do you need to have a copy?
jafar — 2014-07-04T05:17:03-04:00 — #15
No, I don't have any access to their db. I'm building my own simple store.
rt_ — 2014-07-04T08:47:40-04:00 — #16
Hmmm tricky, then I suppose encryption is your best bet. I would look into Public Key Encryption for database fields. That might help with your problem of how to keep the keys safe.
felgall — 2014-07-04T17:57:52-04:00 — #17
The only difference I can see is that with the data at a remote location the person who has access to the code is less likely to realise that you have sensitive data worth stealing in the first place.
The person at the location where the data is stored can see that it is encrypted but has no access to the key to decrypt it.