Jump to content
Larry Ullman's Book Forums

Recommended Posts

I was wondering in what sense is the information secure by using this linear/symetric encryption methods? Even if you hide the password or the salt they are there somewhere, in the database or in the PHP code.

 

Asymetric encryption (with public key) suffer of the same problem. As far as you have to encrypt and decrypt the information on the same site it doesn't make any difference what method you are using as far as the keys or passwords and/or salts must pe present on the same machine.

 

I am a little puzzled by this situation and I was wondering what is expected from a programmer to do in order to safely encrypt the information?

 

I guess it has something to do with the server settings. At the PHP level I am not sure, but having the code with the key either obsfurcated and encrypted by something like Zend or compiled with bcompiler... will be enough to store the key(s) on the same server? Does anybody knows ways to bind the key to specific hardware or other methods that may work? Or is ths too much?

 

I would really appreciate your input on this one. Thank you.

Link to comment
Share on other sites

Of course it makes a difference what method you're using. But security isn't a binary thing, which is either on or off. Security is on a continuum, from less secure to more, with a tradeoff of performance and convenience as you make something more secure. There is no one right answer; the goal is to find the right amount of security for the application at hand.

 

The most secure thing you can do is never possess any information. Less secure is to temporarily have it but not store it. Less secure is to store a representation of the data (i.e., a hashed version). Less secure is to store a decryptable version. Less secure is to store an un-encrypted version. Within each of these general approaches, there are choices that are also more or less secure (e.g., use SSL or not, which hashing algorithm you use, which encryption technique you use, etc.). There is no one right answer. It all depends upon the actual application.

Link to comment
Share on other sites

 Share

×
×
  • Create New...