Encryption dilema

Davidc316

I've just thought of a possible loophole with some encryption shenanigans that I've been working on recently.

Here is the problem...

I, as a PHP guy, have the ability to encrypt information that has been sent from users of my website.
I do this by taking the information (submitted via a normal HTML form) and running it through an encryption function.
In order to encrypt the data in a way that's unique to me, my PHP script uses a "salt" (a secret string of letters).
In order to decrypt the message I need to insert the (same!) salt into a decryption formula.

Ok, so the salt holds the key to unlocking all this information.

Even though the salt may be hashed (jumbled up) on some database, there will come a point during the initial encryption process when the salt ABSOLUTELY MUST BE VIEWABLE IN AN INSECURE, UNENCRYPTED STATE from either the database or the script itselt (perhaps using a "$salt="bla"; statement before typing in the code for encrypting the sensitive information).

This strikes me as being a serious security weak spot.

Can anyone offer any advice on how to protect that all important salt?

AstroTeg

SSL. Let the burden of encryption rest upon the browser and server instead of PHP. Granted, this doesn't address the database, but it will address data transmitted from A to B.

I'm not sure how feasible it would be to implement your own private/public key encryption system because you'd have to rely on the client to be able to encrypt/decrypt your data and to do it in a way others can't reverse engineer from listening to the network data.

Depends on how industrial strength you're looking to go. You'll definitely want to research all your options (and I'm not an expert at this stuff so I'm probably just scratching at the surface of this problem).

drawmack

This is actually a well documented issue in the cryptography community. If you're going to do anything serious with cryptography you should get and read Practical Cryptography and Applied Cryptography - from the same authors.

Anyway here is what is generally done.

1) use private key encryption to store your salt in the database.

2) decrypt the salt, use the salt blank the salt as rappidly as possible with as few steps in between as possible.

Now I've a question if you're doing serious cryptography why are you using an letter type of salt at all. All the modern algorithms depend solely on binary keys within a certain range and to use only letters to generate binary limits your number of keys and simplifies a brute force attack.

Davidc316

Thanks for that interesting post.

In answer to your question, the salt that I'm using is a meaningless mixture of letters and numbers (not just letters). The salt string is randomly generated by a simple PHP script that I recently wrote. The salt generating script not only generates numbers and letters randomly { using the rand() function }, but it also generates the length of the string and the positions of the letters and numbers randomly.

I also have a few other tricks up my sleeve that I have been using, but I'd rather not discuss that kind of stuff on a public forum. One thing that I've learned since coming to this forum is that simply having your stuff stored on SSL is not good enough (apparently by a long shot). So, on a more positive note, I kind of feel lucky and at a slight advantage for at least being aware of some of the risks.

The book you've mentioned sounds like a beauty (I've heard a few people recommending it). Funnily enough, I was in a large bookshop a couple of weeks ago trying to find it, but I completely forgot the name and ended up being a MySQL book instead. Aaaaaaargh!

I'll probably go back to the bookshop on Saturday to have another look for it.

AstroTeg

Originally posted by Davidc316

One thing that I've learned since coming to this forum is that simply having your stuff stored on SSL is not good enough (apparently by a long shot). So, on a more positive note, I kind of feel lucky and at a slight advantage for at least being aware of some of the risks.

I wouldn't think to use SSL for storage since its a socket layer used for communicating between two points.

Remember also your weekest link may turn out to be the web server or another one of your scripts. If the server itself is compromised, it could be possible to execute your code against the encrypted data. Just something to remember...

Weedpacket

Originally posted by Davidc316
I also have a few other tricks up my sleeve that I have been using, but I'd rather not discuss that kind of stuff on a public forum.

I'm not saying you're under any obligation to do otherwise, but as the German military discovered in World War II, no encryption system can be considered secure unless it has been published and peer-reviewed 🙂.

Really, though, encryption is the easy part of security. It's how encryption is applied where things start falling over.

Davidc316

Thanks for the advice guys!

Originally posted by AstroTeg
I wouldn't think to use SSL for storage since its a socket layer used for communicating between two points.

Ooops!

What I meant to say earlier was that simply conducting your business over SSL is not entirely secure. The point I was trying to make had nothing to do with the storing of files. Sorry about that.

Weedpacket,

I'm sure you're right, but at this point in time I'm not aware of a single .com that publishes their security implimentations in detail or even discusses them in public. Why should you or I be any different?

I am certainly not declaring to the world that I have cracked the secret of how to create a site that's 100% secure. However, I am confident that I could give anyone a pretty shitty time if they wanted to steal sensitive info from one of my sites. I think that's probably the best thing we can ever hope for as far as encryption goes.

I've got a lot of respect for you, as a PHP developer, and I'd be happy to share ideas with you in private.

drawmack

You should open all algorithms used in encryption to public scrutiny. You cannot rely on lack of knowledge about the algorithm to keep your data secure. A good encryption algorithm will keep the data secure even when the attacker knows the ins and outs of the algorithm.