I have an idea. First create a master key that the SSNs are encrypted with.
Store the master key encrypted with a key accessible by users (mksk). Every
user stores the key (mksk) to decrypt the master key, and the mksk should be
encrypted with their password as key. And when a new user is created the
system uses the mksk that the admin who creates the user uses. This has the
advantage that you can re-encrypt the SSN table and the only key you have to
change is the master key.

**********************************************
Hans Åhlin
Tel: +46761488019 icq: 275232967
http://www.kronan-net.com/
irc://irc.freenode.net:6667 - TheCoin
**********************************************

2010/8/12 tedd <tedd@xxxxxxxxxxxx>

> At 5:30 PM -0700 8/11/10, Daevid Vincent wrote:
>
>> > -----Original Message-----
>>
>>> 2. Were told it was a social security number
>>> (i.e., in the form of 123-45-6789).
>>>
>>
>> Stop.
>>
>> Why are you even contemplating storing SS# ??
>>
>
> Daevid et al:
>
> Why? Because my client wants to store SS numbers on their online system to
> aid them in their collection business.
>
> You see, the client in this case is not asking people for their SS numbers,
> but rather trying to collect unpaid debts. Their clients (i.e., creditors)
> have provided them debtor data, which may/may not include SS numbers.
>
> My current thoughts are that the entire process will be behind a password
> protected section of a web site where only the people working for the firm
> will have access. The point of the system will be to aid collectors in their
> collection efforts and to allow them to conduct business anywhere they can
> find Internet access.
>
> Of course, this will not stop employees from abusing the data, but that
> possibility also exists in the hard-copy only office as well -- that's a
> criminal act and will be handled accordingly. The difference here is that
> the data can be accessed online via password authorization. Is that too
> easy?
>
> My effort here with my "Encryption/Decryption Question" is to focus on the
> event that the web site may be hacked and access to the database is provided
> to an intruder. In such case, then the SS numbers residing there should be
> encrypted and that was my current quest to resolve.
>
> Now, if federal law prohibits storing SS numbers in an online database
> that's accessible via password authorization then that's "end-of-story".
> I'll simply tell the client that federal law prohibits such practice and
> that will be the end of it -- it makes no difference to me.
>
> However, if the practice of storing SS number online is not prohibited by
> law, then what are the appropriate "due diligence" steps necessary to
> protect such data?
>
> Cheers,
>
> tedd
>
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
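The key hierarchy Hans proposes above (SSNs under a master key, master key wrapped under the mksk, mksk wrapped under each user's password-derived key), written out as an added example that is not code from the thread. It is Ruby with the stdlib OpenSSL binding rather than PHP; AES-256-GCM for every wrap, PBKDF2-HMAC-SHA256 for the password key, and the names SsnVault, enroll, mksk_for and master_key are my own choices.

```ruby
require 'openssl'
require 'securerandom'
def seal(key, plaintext) # AES-256-GCM; blob = 12-byte IV || 16-byte tag || ciphertext
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv, ct = c.random_iv, c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end
def unseal(key, blob)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key, c.iv, c.auth_tag = key, blob[0, 12], blob[12, 16]
  c.update(blob[28..-1]) + c.final # raises OpenSSL::Cipher::CipherError on wrong key or tampering
end
def password_key(password, salt)
  # Per-user key-encryption key derived from the login password (PBKDF2-HMAC-SHA256).
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
end
class SsnVault
  # Only wrapped keys are kept; the plaintext master key and mksk are discarded after setup.
  def initialize(admin, admin_password)
    mksk = SecureRandom.random_bytes(32)
    @wrapped_master = seal(mksk, SecureRandom.random_bytes(32)) # master key wrapped under mksk
    @records, @users = {}, {} # debtor id => encrypted SSN; login => {salt:, wrapped_mksk:}
    enroll(mksk, admin, admin_password)
  end
  # The new user receives the creating admin's mksk, wrapped under their own password-derived key.
  def add_user(admin, admin_password, login, password)
    enroll(mksk_for(admin, admin_password), login, password)
  end
  def store(login, password, debtor_id, ssn)
    @records[debtor_id] = seal(master_key(login, password), ssn)
  end
  def fetch(login, password, debtor_id)
    unseal(master_key(login, password), @records.fetch(debtor_id)).force_encoding('UTF-8')
  end
  # Rotation re-encrypts the SSN table under a fresh master key; the user rows are untouched.
  def rotate_master(login, password)
    old_master, new_master = master_key(login, password), SecureRandom.random_bytes(32)
    @records.transform_values! { |blob| seal(new_master, unseal(old_master, blob)) }
    @wrapped_master = seal(mksk_for(login, password), new_master)
  end
  def enroll(mksk, login, password)
    salt = SecureRandom.random_bytes(16)
    @users[login] = { salt: salt, wrapped_mksk: seal(password_key(password, salt), mksk) }
  end
  def mksk_for(login, password)
    @users.fetch(login).then { |u| unseal(password_key(password, u[:salt]), u[:wrapped_mksk]) }
  end
  def master_key(login, password)
    unseal(mksk_for(login, password), @wrapped_master)
  end
end
```

A copy of the stored tables alone (wrapped keys plus ciphertext) decrypts nothing without some user's password, which is tedd's database-dump case; a logged-in employee still sees plaintext, as the thread already notes.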