WebApp Sec mailing list archives

RE: RDB-based secure data storage
From: "Klevitsky, Alexander" <AKlevitsky () MIB com>
Date: Thu, 13 May 2004 09:37:56 -0400

Did you look at the translucent databases approach?

A. Klevitsky 
Director of Systems Architecture 
MIB Group, Inc. [Knowledge to Drive Decisions] 
160 University Avenue 
Westwood, MA  02090-2307 
TEL: (781) 751-6469 
FAX: (781) 329-3379 

The protective value of MIB's core fraud detection service 
to the life insurance industry is $46 saved in excess mortality risk for every dollar spent on the service as detailed 
by a study from an industry leading actuarial firm.

-----Original Message-----
From: Calum Power [mailto:enune () fribble net]
Sent: Thursday, May 13, 2004 2:03 AM
To: webappsec () securityfocus com
Subject: RDB-based secure data storage

G'day webappsec,

I have been asked by my employer to design a system for storing sensitive
private data collected from the company's clients. They tell me that this
data MUST be very secure, yet clients must be able to update the
information themselves via a Web-based interface.

My immediate reaction was to use something like GPG/PGP to encrypt the
data before storing it in a RDBMS like MySQL. However this then has the
additional problem of needing the user to edit the data.

My next thought would be to have each client's 'username' be a public GPG
key, and their 'password' be the passphrase to this private key. This of
course would not be overly secure, and the 'administrator' of this would
not be able to update the information without using the users' password.

So, I was just wondering if anyone had come across the same problem.
Perhaps there's a method of encryption that I'm overlooking.



Calum Power
Cultural Jammer
Security Enthusiast
Hopeless Cynic

enune () fribble net
