如何安全地存储加密密钥? [英] How to store the encryption key safely?
问题描述
我的风险管理团队要求我们将所有数据加密后再存入数据库。
从那时起,我一直在研究如何保护数据进出数据库。
我找到了几个方法之一,其中一个是 MySQL加密软件
第二个解决方案是使用 AES_ENCRYPT() AND AES_DECRYPT()。但是,为了能够对数据进行加密和解密,我将需要创建128,196或256位密钥。然后每次我想执行 INSERT / UPDATE 我将调用 AES_ENCRYPT()并提供一个加密密钥数据。然后当我执行 SELECT 然后我将不得不调用 AES_DECRYPT()并提供相同的键将数据转换为一个纯文本。
这意味着我必须在我的PHP脚本中定义一个具有私钥的变量,以便我可以通过将定义的变量提供给 AES_ENCRYPT()和 AES_DECRYPT()
我的问题是
在哪里/如何存储这个私钥以防止黑客阅读它。如果有人窃取我的服务器读取密钥,那么他可以简单地读取数据,加密将意味着更少。
什么是保护我的数据的最佳方法?
谢谢
如果你隐藏你的密钥和黑客获得您的PHP代码,黑客可以执行以下操作:
A。回显/打印KEY(它是一个变量)。他不需要找到你定义的代码,他可以查找你使用的代码。
B。忘记关于KEY,并使用您自己的解密函数来查看数据并将其导出。
大多数黑客攻击都是利用您的PHP代码,您应该保护您的计算机,系统和数据库。
使用MYSQL存储过程
只有经过身份验证的用户才能获得密钥您可以这样做...在MYSQL STORED PROCEDURE中隐藏KEY,并且只有当用户完成登录时才给用户密钥。数据库中的所有数据都应该被加密,并且密钥不能作为普通的存储数据访问。它应该在SQL存储过程中,具有密码的用户将作为查询结果获得。用户表不应该被加密,只能用密码作为一种方式。
最后一个解决方案只适用于经过身份验证的用户,例如应用程序。您可以使用此解决方案轻松保护用户个人资料。
用户(基本数据) - >个人资料(所有依赖于登录的个人资料)
我不太了解存储过程,但肯定可以将其应用于整个数据库,并使数据只能通过它们访问。
看看这篇文章:
http:// www。 sitepoint.com/stored-procedures-mysql-php/
你会在这里找到PROS和CONS:
http://code.tutsplus.com/articles/ a-introduction-to-stored-procedures-in-mysql-5-net-17843
I am using MySQL as a back end storage. I was asked by our risk management team to encrypt all the data prior storing it into the database.
Since then I have been doing research on how to secure the data going in and out the database.
I found couple ways one of them was MySQL Encryption Software
A second solution was to encrypt and decrypt data in MySQL using AES_ENCRYPT() AND AES_DECRYPT(). But I will need to create a 128,196 or 256 bit key in order to be able to encrypt and decrypt the data. Then every time I want to execute INSERT/UPDATE I will call AES_ENCRYPT() and supply it with a key to encrypt the data. Then when I execute SELECT then I will have to call AES_DECRYPT() and supply the same key to convert the data to a plain text.
This means that I will have to define a variable in my PHP script that have the private key so I can encrypt/decrypt by supplying the defined variable to both AES_ENCRYPT() and AES_DECRYPT()
My question is Where/How to a store this private key to prevent a hacker from reading it. if someone hacks my server reads the key then he can simply read the data and the encryption would be mean less.
And what is the best way to go about securing my data?
Thank you
If you hide your key and the hacker gets to your PHP code the hacker could do the following:
A. Echo/Print the KEY (it's a variable). He doesn't have to find the code where you define it, he could look for the function where you use it.
B. Forget about the KEY and use your own decrypting function to see the data and export it.
Most of the hacks are exploits to your PHP code, you should secure your computer, system and database.
Use MYSQL Stored Procedures
If only an authenticated user can get the key you could do this... Hide the KEY in a MYSQL STORED PROCEDURE and only give the key to the user when he completes the log in. All the data in the database should be encrypted and the key is not accesible as plain stored data. It should be inside the SQL Stored Procedure that a user having a password will get as query result. Users table should not be encrypted, only the password as one way.
This last solution should work only for authenticated users, like apps as example. You could protect the user profiles easily with this solution.
Users (basic data) --> Profiles (all personal details that depend upon log in)
I don't know much about stored procedures, but for sure you could apply it to the entire database and make your data accesible only through them.
Look at this article: http://www.sitepoint.com/stored-procedures-mysql-php/
And you will find PROS and CONS here: http://code.tutsplus.com/articles/an-introduction-to-stored-procedures-in-mysql-5--net-17843
这篇关于如何安全地存储加密密钥?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
