What is the best way to save database data encrypted with user passwords?

Let's say the application has really specific data that belongs to the user, and no one should see it except the owner. I am using a MySQL database with the DataMapper ORM. The application is written in Ruby on Sinatra.

Application Behavior:

  • The user registers for an account, creating a username and password.
  • The user enters the toolbar.
  • Some fields in certain tables must be protected.

Basically, I'm looking for automatic encryption for model properties. Something like this:

    class Transaction
      include DataMapper::Resource
      property :id, Serial
      property :value, String, :length => 1024, :encrypted => true
      # ... etc ...
      belongs_to :user
    end

I assume encrypting and decrypting on the fly will cause performance problems, but that's fine. As long as it works, I'm fine.

Any ideas how to do this?

+4
7 answers

I would not store any data that relies on the user remembering his password and then using this password to decrypt the data. What are you going to do when the user changes his password? Decrypt and re-encrypt everything? I doubt it. What if an admin resets the password? All data lost? Again, I doubt it.

See the other links about keeping secrets, but please do not use any user-supplied value as part of your encryption.

+3
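One way to get per-user encrypted fields without tying the ciphertext directly to the password, which is the problem the answer above raises, is envelope encryption: each user gets a random data key (DEK) that encrypts the fields, and only the DEK is wrapped by a key derived from the password, so a password change re-wraps one 32-byte key instead of every row. The following is an added example written for this thread using Ruby's standard OpenSSL library, not code from the question, the answer, or any gem mentioned here; the module name, the PBKDF2 iteration count, and the blob layout are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Envelope encryption for per-user fields (added example, not from the thread).
# A random DEK encrypts the data; a password-derived KEK only wraps the DEK.
module UserVault
  PBKDF2_ITERATIONS = 200_000 # hypothetical tuning value, raise for production

  def self.derive_kek(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: 32, hash: 'sha256')
  end

  # AES-256-GCM; returns iv(12) || tag(16) || ciphertext as one binary string
  def self.seal(key, plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = key
    iv = cipher.random_iv # fresh 12-byte nonce per call
    ct = cipher.update(plaintext) + cipher.final
    iv + cipher.auth_tag + ct
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or a tampered blob
  def self.unseal(key, blob)
    iv, tag, ct = blob[0, 12], blob[12, 16], blob[28..-1]
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.update(ct) + cipher.final
  end

  # Values to store on the user row: the salt and the wrapped DEK. The
  # plaintext DEK never touches the database.
  def self.enroll(password)
    salt = SecureRandom.random_bytes(16)
    dek = SecureRandom.random_bytes(32)
    { salt: salt, wrapped_dek: seal(derive_kek(password, salt), dek) }
  end

  def self.unlock(record, password)
    unseal(derive_kek(password, record[:salt]), record[:wrapped_dek])
  end

  # Password change: unwrap with the old password, re-wrap with the new one.
  # Every field encrypted under the DEK stays exactly as stored.
  def self.rotate_password(record, old_password, new_password)
    dek = unlock(record, old_password)
    salt = SecureRandom.random_bytes(16)
    { salt: salt, wrapped_dek: seal(derive_kek(new_password, salt), dek) }
  end
end
```

This does not solve the admin-reset case: without an escrowed copy of the DEK (for example wrapped a second time under a server-held recovery key), a forgotten password still means the data is unrecoverable, which is the trade-off the answer above is pointing at.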

So you want to store the data encrypted in the database? First, I would ask you to think about why you need this. You should be able to write your application in such a way that only an authenticated user can get at their own data.

If you really need to store encrypted data that you must also be able to decrypt (as opposed to a one-way hash), then there is a lot about encryption in Ruby here: http://www.example-code.com/ruby/encryption.asp

+2

Of course, you must encrypt and decrypt the data on the user side - otherwise there is no point in encrypted storage, since traces of the personal data are still there somewhere - in the network cache, in swap files of various kinds, etc. In addition, the data can be sniffed by a man-in-the-middle attack.

So what you probably want is client-side encryption based on JavaScript. The topic is widely covered at http://javascript.about.com/library/blencrypt.htm (Rijndael encryption algorithm), and there is a good AES implementation library at http://www.movable-type.co.uk/scripts/aes.html

You must encrypt the data before submitting the form (with an onClick callback on the "Submit" button, for example), then send it to the server and process it as usual.

The downside is that you cannot use Rails with such data - only client-side JavaScript.

+1

I had to do this to encrypt sensitive data. I wrapped the strongbox gem, and it is on GitHub: http://github.com/bitzesty/safe

Strongbox provides public-key encryption of AR attributes.

+1

You use a one-way hash algorithm. Hash the password and save the hash. Then, when the user enters his password, you hash the entered password and compare it with the saved hashed password. If they are the same, you let them in. If not, they are refused.

0

As a rule, it is wrong to store a user password in a form that can be recovered as plain text.

It is usually stored as a salted hash, using either MD5 or SHA1.

So, you generate a random salt, save it in the user table, and then hash the password together with the salt, for example:

    $hash = md5(md5(salt) + pass)

I would recommend against storing a password that can be recovered; the only way I recommend saving it is with a one-way hash.

However, there are some encryption schemes that you can use, such as RSA encryption. With these, your application encrypts the password it receives from the end user with your public key, and when you need to decrypt it, you do so with your private key. There really is a very limited set of uses for storing the password this way (for example, to automatically log in to another site), and it is generally discouraged.

0

attr_encrypted can also be a solution for encrypting sensitive data; it works with any Ruby class, or with ActiveRecord, DataMapper or Sequel in Rails.

https://github.com/attr-encrypted/attr_encrypted

0