Two way DB encryption secure even from the Admin


Problem description

I have an interesting encryption problem at hand. I do not know if it can be solved but here goes:

A database is to contain sensitive user information. As such, the user information must be encrypted (two way encryption). The user has a login / password and these may be used in the two way encryption. Now, the encryption is to be designed in such a way that even the administrator viewing the database tables should not be able to make sense of the user information.

However, the design has to take care of the cases where the user may forget her password. If the password is used for encryption, forgetting the password means the information is lost - not wanted. If the user password itself is stored in the database using a two way algorithm (instead of a one way hash) with a key hardcoded in the script, the administrator can discover the hardcoded key by looking at the script (the administrator of course has access to the script).

Does anybody know a way out of this?

PS: This is a real problem. My company is an absolute security fanatic (ISO 27001 and all) and I have been entrusted to design a system with the above mentioned functionality. By the way, I am using a PHP script and MySQL.

EDIT: Perhaps it was not clear earlier, the user needs to see / edit this user information on a day-to-day basis.

Solution

What you want is a recovery agent. Encrypt all data twice: once with the user key, once with the recovery agent (public) key; at least the latter one needs to be asymmetric. Keep the recovery agent key in a physical safe, with a formal access protocol (e.g. four eyes principle). Usually, the administrator cannot access the encrypted data, but if the user loses the key, and recovery is authorized, then the recovery key is obtained.

There are also ways to encrypt the recovery agent's key so that m-out-of-n people have to agree to use it.

Edit: One implementation strategy is to encrypt everything twice. Alternatively, for each data set that needs to be recoverable independently, create a fresh symmetric key, and encrypt only that key twice; the original data get encrypted only with the session key. That approach can extend to multiple independent readers; it requires asymmetric keys per reader (so that you can encrypt the session key with the public keys of all readers - one being the recovery agent).

I copied the terminology from Microsoft's Encrypting File System, which has that scheme implemented.
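
The second strategy in the answer (a fresh symmetric key per data set, wrapped once for the user and once for the recovery agent), as an added example that is not part of the original answer. It assumes PHP 7.2+ with the bundled sodium extension and that the user key is derived from the login password; all function names, array keys and sample values are hypothetical.

```php
<?php
// Added example (not from the original answer). Assumes ext-sodium (PHP >= 7.2).
// Function names, array keys and sample values are hypothetical/constructed.

function deriveUserKey(string $password, string $salt): string {
    // Assumption: the "user key" is derived from the login password with Argon2id.
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
}

function wrapForUser(string $dataKey, string $password): array {
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return ['salt' => $salt, 'wrap_nonce' => $nonce,
        'key_for_user' => sodium_crypto_secretbox($dataKey, $nonce, deriveUserKey($password, $salt))];
}

function encryptRecord(string $plaintext, string $password, string $agentPublicKey): array {
    $dataKey = sodium_crypto_secretbox_keygen();          // fresh key per data set
    $nonce   = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return wrapForUser($dataKey, $password) + [
        'data_nonce'    => $nonce,
        'data'          => sodium_crypto_secretbox($plaintext, $nonce, $dataKey),
        'key_for_agent' => sodium_crypto_box_seal($dataKey, $agentPublicKey), // public key only
    ];
}

function openData(array $row, $dataKey): string {
    $plain = ($dataKey === false) ? false
        : sodium_crypto_secretbox_open($row['data'], $row['data_nonce'], $dataKey);
    if ($plain === false) throw new RuntimeException('wrong key or modified row');
    return $plain;
}

function decryptAsUser(array $row, string $password): string {
    return openData($row, sodium_crypto_secretbox_open(
        $row['key_for_user'], $row['wrap_nonce'], deriveUserKey($password, $row['salt'])));
}

// Recovery: needs the agent's secret key pair, so it runs only after authorization.
function recoverForNewPassword(array $row, string $agentKeyPair, string $newPassword): array {
    $dataKey = sodium_crypto_box_seal_open($row['key_for_agent'], $agentKeyPair);
    if ($dataKey === false) throw new RuntimeException('recovery key does not match');
    return wrapForUser($dataKey, $newPassword) + $row;   // left operand wins: new wrap replaces old
}

$agentKeyPair = sodium_crypto_box_keypair();   // demo only: generate offline, keep in the safe
$row = encryptRecord('constructed sample record', 'old-password', sodium_crypto_box_publickey($agentKeyPair));
$row = recoverForNewPassword($row, $agentKeyPair, 'new-password');
echo decryptAsUser($row, 'new-password'), PHP_EOL;
```

The row fields go into binary columns; the web server only ever holds the agent's public key, so the tables contain nothing but ciphertext and wrapped keys.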
