Author Topic: Encryption key management on a website  (Read 4158 times)

micah

  • A real person, on the Internet.
  • Ass Wipe
  • Posts: 6915
  • Karma: +58/-55
  • Truth cannot contradict truth.
    • micahj.com
Encryption key management on a website
« on: September 18, 2015, 02:24:31 PM »
I've done several projects in the past where I've encrypted content (both text and files) to be stored in the database or on the server.  In these cases, the data is truly encrypted and, if someone were to access just the database, or download the encrypted files they would be unreadable.

Unfortunately, encryption is only a small *part* of security, and I'd be hesitant to call any of these encrypted projects "secure."  The code that encrypts and also decrypts lives on the webserver, along with the keys.  So anyone compromising the web host could theoretically access any of the data and simply decrypt it themselves; likely even using the tools built right into the site.

So what's the answer?

I've been struggling to google the best practice, I'm probably just using the wrong search terms.  Most of the solutions I've seen don't really address the need to be able to encrypt and decrypt the information in real-time through the website.  (say, for example, I want to store a user's e-mail address encrypted, but at another time the site needs to send that user a transactional e-mail)

Thoughts?
"I possess a device, in my pocket, that is capable of accessing the entirety of information known to man.  I use it to look at pictures of cats and get in arguments with strangers."

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14305
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
Re: Encryption key management on a website
« Reply #1 on: September 19, 2015, 10:22:20 AM »
Doing it at the application layer is cheap to implement but expensive to process and doesn't allow maximum flexibility. Doing it at the hardware or database level is expensive but provides the best protection and the least hit on performance.

Ultimately you need to consider what needs to be encrypted. Not everything needs to be.

I would also ask if there is some specific regulation you are trying to meet. We are doing this at work and we decided to encrypt at the hardware level.

Mike

  • Jackass In Charge
  • Posts: 11248
  • Karma: +168/-32
  • Ex Asshole - a better and more caring person.
Re: Encryption key management on a website
« Reply #2 on: September 19, 2015, 12:43:17 PM »
When dealing with security one of the most important questions you need to ask is who or what are you trying to protect against?  For example if you are worried about loss of the physical storage then disk encryption is going to be a solid choice.  If you are trying to protect against unauthorized data access through the application then I'd argue encryption wouldn't be of help.  If you are trying to protect against data access via the server (and which server?) being compromised at the OS level then you need to look at other solutions.

So, what's your threat?

ober

Re: Encryption key management on a website
« Reply #3 on: September 20, 2015, 04:25:47 PM »
>>If you are trying to protect against unauthorized data access through the application then I'd argue encryption wouldn't be of help

One of the biggest things we get from client audits is 'is your data encrypted at rest and in transit'.  In transit is covered by a strong SSL cert.  At rest is covered by encryption through the application layer of the stored data or hardware level encryption.  Granted, we're dealing with HIPAA data, so it's maybe a different ballgame, but if someone breaches your network you're going to maybe want that extra layer.

But I agree with the general questioning of what is the threat.

micah

Re: Encryption key management on a website
« Reply #4 on: September 20, 2015, 05:16:57 PM »
My question was slightly theoretical as I don't currently have a request for encryption in the works...

But I've built stuff with application level encryption in the past for clients and I'm currently making some tweaks to my personal CMS platform. I'm thinking of encrypting sensitive user data, like e-mail addresses, by default but I'm wondering if it's worth it.  It's nice to tell a future client, "don't worry. If someone accesses the database, all the e-mail addresses are encrypted."  But really, there's nothing stopping someone who accesses the server (which often is the same box that has the database anyway) from using the PHP encryption/decryption code to access everything anyway.

Mike

Re: Encryption key management on a website
« Reply #5 on: September 20, 2015, 06:03:35 PM »
> >>If you are trying to protect against unauthorized data access through the application then I'd argue encryption wouldn't be of help
>
> One of the biggest things we get from client audits is 'is your data encrypted at rest and in transit'.  In transit is covered by a strong SSL cert.  At rest is covered by encryption through the application layer of the stored data or hardware level encryption.  Granted, we're dealing with HIPAA data, so it's maybe a different ballgame, but if someone breaches your network you're going to maybe want that extra layer.
>
> But I agree with the general questioning of what is the threat.

None of that would protect against an attack through the application.  If the attacker is logged into your application any automated encryption is going to be undone for them just like any other user.  For that you have to look at user security, access control, and ultimately logging.

That doesn't mean you don't encrypt the drives and use SSL because those cover other attack vectors.

> My question was slightly theoretical as I don't currently have a request for encryption in the works...
>
> But I've built stuff with application level encryption in the past for clients and I'm currently making some tweaks to my personal CMS platform. I'm thinking of encrypting sensitive user data, like e-mail addresses, by default but I'm wondering if it's worth it.  It's nice to tell a future client, "don't worry. If someone accesses the database, all the e-mail addresses are encrypted."  But really, there's nothing stopping someone who accesses the server (which often is the same box that has the database anyway) from using the PHP encryption/decryption code to access everything anyway.

If I were going down that road I'd start by looking at what requirements / best practices there are for storing credit card information.  That'd probably give some practical ideas.

For the "they are in a shell on my server" type of attacks I'd do some of the following:
  • http user doesn't have a login and certs/keys are owned by that user and only the user has read access to them
  • privilege escalation is locked down (control who can sudo and what commands they can run)
  • strong root user password
  • root doesn't have ssh login
  • other users have cert only ssh login


Then put the database on an encrypted partition.

Generally though I follow the thought that once they are in the system they own the system.
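
A minimal audit for two items on the checklist in the post above (key-file ownership and permissions, and the SSH login settings), added here as an example and not part of anyone's post. It assumes "cert only ssh login" means password authentication is disabled in sshd_config; the function names are illustrative and the sample files are constructed.

```shell
#!/bin/sh
# Added example. Function names are illustrative; sample files are constructed.

# First value sshd would use for a keyword (first match wins, keywords are
# case-insensitive). Match/Include are not followed; `sshd -T` on a live
# host prints the effective configuration.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }      # accept "Keyword=value" too
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# "root doesn't have ssh login" and, as interpreted here, no password logins.
check_sshd() {  # $1 = sshd_config path
    rc=0
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    return "$rc"
}

# Key must be a regular file owned by the web user's uid, with no group or
# other permission bits. Call as: check_key_file <path> "$(id -u <web-user>)"
check_key_file() {  # $1 = key path, $2 = expected numeric uid
    line=$(ls -ldn -- "$1") || return 1
    mode=$(printf '%s\n' "$line" | awk '{ print $1 }')
    uid=$(printf '%s\n' "$line" | awk '{ print $3 }')
    rc=0
    case "$mode" in
        -???------*) ;;
        *) echo "FAIL: $1 mode $mode lets group/other in"; rc=1 ;;
    esac
    [ "$uid" = "$2" ] || { echo "FAIL: $1 owned by uid $uid, not $2"; rc=1; }
    return "$rc"
}

# Constructed sample input: one weak and one hardened config, one key file.
demo=$(mktemp -d)
printf 'PermitRootLogin yes\n#PasswordAuthentication no\n' > "$demo/weak"
printf 'permitrootlogin no\nPasswordAuthentication=no\n'   > "$demo/hard"
: > "$demo/key"; chmod 640 "$demo/key"
check_sshd "$demo/weak" || true
check_sshd "$demo/hard" && echo "OK: hardened sshd_config"
check_key_file "$demo/key" "$(id -u)" || true
```

These checks only confirm the settings are in place; they do not change the point made above that an attacker running as the web user can still read whatever that user can read.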