Re: How to store encrypted data and how to store the key?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 23 June 2010 20:55, Michael Shadle <mike503@xxxxxxxxx> wrote:
> I talked with a friend who actually had this implemented before and
> banks had signed off on it after reviewing it.
>
> load balancer (irrelevant to the security piece)
>
> web server(s) - only accepts traffic to port 80/443. can only forward
> requests on to the app server, one direction.
>
> app server(s) - processes the PHP/etc. has access to the
> encryption/decryption keys. can only send established packets back to
> the webserver, and traffic to the db. cannot connect outbound to the
> net.
>
> db server(s) - stores the data. choose how you want to encrypt. they
> did not encrypt data at rest in their setup, the bank would have
> 'preferred' it but was not willing to buy the license for the
> encryption plugin. however, the app tier could handle the
> encryption/decryption.
>
> all machines were only accessable via VPN, not the WAN.
>
> due to that, assuming physical access is not an issue:
>
> if the webserver got exploited, it could only talk to the app server
> using http. it has no access to the encryption key, nor the database.
> only one direction of communication. if the app server somehow got
> exploited (someone somehow got a trojan installed) it can't
> communicate outbound, so unless they figured some creative way to make
> the app server expose information through the open port only for the
> webserver, it's useless. and to install the trojan, typically people
> fetch remote files - well, the app tier can't communicate outbound.
>
> it's pretty damn secure for a web app. you could theoretically pair
> the app server and db server on the same box - you could probably make
> that work too. depends on how large you need to scale and the
> architecture required.
>
> anyway... anyone have any comments or holes to poke in this theory?
>

I'm just wondering if this is a correct understanding:
1. plaintext data arrives on the web frontend.
2. It's sent to the app server
3. It's encrypted and sent to the DB server

Where does the data go after step 3? Does encrypted data go back out
to the app server? In which case, what's to stop me from exploiting
the web-server and then sending *bad data/commands* to the app server?

But maybe I'm taking this too far: are you only looking at security in
terms of storage? I.e. is this merely a question of avoiding dumps of
the data?

Regards
Peter

-- 
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux