Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What's the best way to store sensitive data in MySQL?

Tags:

security

php

mysql

cryptography

encryption

I'm managing the MySQL database from PHP scripts. the communication between server and client is secured via SSL. I store user account data which is sensitive.

Is there a way to encrypt this data when entered into the DB? What is the best way to protect this sensitive data?

EDIT: I’m using a CRON job for updating data which relies on this password to login the user account. So I need a way to hash this password and to be able to get the original password for my CRON job tasks.

What’s the best way to achieve it?

Thanks

like image 449
embedded Avatar asked May 09 '10 13:05

embedded

People also ask

Which is the best way to protect the sensitive data?

How can I protect Sensitive Data? Encryption is the most effective way to protect your data from unauthorized access. Encryption can be defined as transforming the data into an alternative format that can only be read by a person with access to a decryption key.

2 Answers

Seriously, DON'T USE MySQL's aes_encrypt() It is the the most insecure method of using a block cipher. It is using ECB mode, and I can give a simple example demonstration why this is a serious mistake.

Plain text message:

alt text

The same message encrypted with ECB mode (doesn't matter what cipher you use): alt text

The EXACT same message using CBC mode (again, it doesn't matter what cipher you use): alt text

There are even more reasons not to use mysql's aes_encrypt, most notably every single query you send will also have the aes key that you use. If the database is compromised the attacker will enable logging and just get your aes key and decrypt the entire database.

So what should you use? I like this class for the time being. Its using CBC mode with a String2Key function and an IV. You can use the primary key as your IV, each message must have a unique IV. Its okay if the attacker knows the IV, and if they are sequential, so long as the block cipher implementation is secure. Reuse of an IV made WEP much less secure.

like image 181
rook Avatar answered Sep 28 '22 01:09

rook

There are encryption functions in MySQL,

http://dev.mysql.com/doc/refman/5.1/en/encryption-functions.html

For example, you can use aes_encrypt() to store data in encrypted form.

However, there are some weakness in these functions,

  1. It doesn't support IV or block-chaining. The same text always encrypts into the same ciphertext so it's not suitable for sensitive data like passwords.

  2. There is no key information so it's very hard to rotate keys.

like image 22
ZZ Coder Avatar answered Sep 28 '22 01:09

ZZ Coder
Sign in to Comment

Related questions

How to create a edit profile page for users on frontend with custom fields on wordpress?
Supervisord log file rotation settings
Laravel prevent updated_at from updating for specific query [duplicate]
Apache 2.4.9 fails after enabling ssl module and setting up ssl certificate
Deploy Symfony2 application to prod environment causes post-install-cmd exception
Call to a member function count() on a non-object (Laravel 5)
php rename() Access is denied. (code: 5)
How to make function run in background in laravel
User inputs, clean and sanitize before sending to db
How to make routes in Laravel case insensitive?
Twig accessing array key where is space (PHP allow space on the array key)
Symfony2, create querybuilder where clause, not empty or not null
Inserting with relationships in laravel
How to send a file via Axios to Laravel
php - unlink throws error: Resource temporarily unavailable
Execute constructor in trait
Trying to access array offset on value of type null
How to display HTML to the browser incrementally over a long period of time?
MySQL queries - how expensive are they really?
Static variable for optimization

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!