Using encryption

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
In my (PHP-5) application I have to write some records to a table in my
database, which I don't want even my clients using the system to be able
to read.

This is not a problem in National Security; I simply want the contents
of records in this file to remain unreadable, even by the client's IT
supervisor who can look at the contents of the (MySQL) database using

I intend, periodically, to download these records to my local machine,
where I plan to decrypt and analyse them.

I am running my application on a commercial Web server where the wcrypt
(?) library has not been implemented.

What do I do?

I think I need an asymmetric encryption algorithm so that I can decrypt
the records locally without providing any hints on keys to the Web
Server, and I would ideally like look for something implemented as a PHP
Class on the Web Server so that I do not impinge on the limitations of
his PHP installation.

Help, please.

Re: Using encryption

Alan M Dunsmuir wrote:

Quoted text here. Click to load it

They'll have the DB. They'll have your code. They'll have the encription

Eventually, you'll realize that hiding the data from your clients is pretty
useless (unless you want to lock your client down, which is a Bad Thing™,
and still useless).

Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

El que a muchos teme, de muchos es temido.- Saavedra Fajardo.

Re: Using encryption

On Nov 12, 1:29=A0pm, Iv=E1n S=E1nchez Ortega <ivansanchez-...@rroba-> wrote:
Quoted text here. Click to load it

You could just make the data seem very boring and innocuous. A column
called "top_secret" will attract prying eyes.


Re: Using encryption

Quoted text here. Click to load it

So you have one column 'top_secret', containing interesting looking garbage,
and one innocent name containing the real stuff :-)

Seriously: Would I encounter someone on my team who thinks he needs to hide
something from me, I would want to know 'what and why'. I would probably not
need to ask 'how long', as that would be my discretion and it would not be
long lasting.

Re: Using encryption

Quoted text here. Click to load it

If you use public-key encryption such as RSA, they'll have the DB,
they'll have your code, and they'll have your public key.  That's
not enough to decrypt the data once it's encrypted and the unencrypted
copy is erased.  The private key is needed, and presumably that never
appears on the web/PHP server or the DB server.

This does not prevent them from modifying your code (or perhaps OS
or PHP code used by your code) to log an unencrypted copy of your
data someplace where they can read it.  Or they could replace your
public key with theirs (but then you couldn't read your data).

Re: Using encryption

Gordon Burditt wrote:

Quoted text here. Click to load it

I'm assuming that the application will write *and* read data from the DB.
Thus (in this scenario), they'll have the DB, they'll have the code,
they'll have the public key, and they'll have the private key.

I agree with most of the replies in the thread so far. And I do recommend
anyone that wants to do some gratuitous encription to feel safer (that's
you, Alan) to read some literature by Kevin Mitnick and Bruce Schneier. I
mean it.

Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-

Proudly running Debian Linux with 2.6.26-1-amd64 kernel, KDE 3.5.9, and PHP
5.2.6-5 generating this signature.
Uptime: 23:49:28 up 83 days, 12:45,  4 users,  load average: 0.36, 0.52,

Re: Using encryption

Quoted text here. Click to load it

Seriously, if you don't trust the web hosting company not to look at
your data or contractually can't allow the data to be viewable by the
web hosting company, maybe you need to look at a non-shared option.  
Co-location host that you configure and run would probably be a better

In a shared environment, the best you can do is a one-way crypt().  The
code that encrypts the clear text will be on your system along with the
embedded password.  It won't do them any good because there's no way to
decrypt the data.  At best you supply the clear-text, crypt() and
compare.  This is what's used for passwords in a shared environment.

To do a private/public key encryption in php is probably unworkable,
from a performance (it's interpreted and CPU hog) and a practical point
of view.  You'll probably have write this sort of solution.

Got code?

DeeDee, don't press that button!  DeeDee!  NO!  Dee...
[I filter all Goggle Groups posts, so any reply may be automatically by ignored]

Re: Using encryption

Quoted text here. Click to load it

Thats why AES_ENCRYPT() and AES_DECRYPT() mysql functions stands for..
This is a database question for more info, go and ask Comp.Mysql.*

You can not use PHP for an encryption-decryption algo. as php source
files stand ready to read in the server..
There is a encryption - decryption function in a post so search this
group carefully..

Re: Using encryption

On Wed, 12 Nov 2008 14:32:23 -0800 (PST), Betikci Boris

Quoted text here. Click to load it

asymetric he said

Re: Using encryption

Quoted text here. Click to load it

Wrong on both counts.

The MySQL implemented algorithms are both symmetric therefore you
can't use them without exposing the decryption key.

There's nothing to stop you using assymetric (pub key) encryption -
IIRC there are a couple of pure PHP implementations of RSA


Site Timeline