堆栈内存溢出
  简体   繁体   English

在由第三方托管的MySQL服务器中存储加密的机密数据的最佳做法是什么?

[英]What are best practices storing confidential data encrypted in 3-rd-party-hosted MySQL servers?

 原文  2010-05-22 23:14:39       php/ mysql/ security/ hosting/ privacy

问题描述

I am developing (as A PHP 5.2 + MySQL application) a personal information manager web application for my own which is meant to be hosted on a shared hosting (like bluehost or dreamhost) and to store lots of very confidential personal data including those like passwords, personal private keys, financial details, contacts, etc. How do I best protect this data? 我正在为我自己开发(作为PHP 5.2 + MySQL应用程序)个人信息管理器Web应用程序,该应用程序应托管在共享主机(例如bluehost或dreamhost)上,并存储很多非常机密的个人数据,包括密码,个人私钥,财务详细信息,联系人等。如何最好地保护此数据?

I see the folowing weak points: 我看到了以下缺点:

  1. Physical access to host by hackers or hosting administrators. 黑客或托管管理员对主机的物理访问。
  2. Sniffing the decrypted data between the host and the client. 在主机和客户端之间嗅探解密的数据。
  3. Sniffing the decrypted data on the host before it is actually sent. 在实际发送之前,先在主机上嗅探解密的数据。

And obvious solutions: 显而易见的解决方案:

  1. Encrypt and decrypt on client side (in a JavaScript or Java applet), a server operates with already encrypted data only. 在客户端(在JavaScript或Java applet中)进行加密和解密,服务器仅使用已加密的数据进行操作。
  2. Use HTTPS. 使用HTTPS。
  3. See §1. 参见§1。

Are there any better ideas and known good implementations, incl. 是否有更好的想法和已知的良好实现,包括。 any frameworks out there? 有任何框架吗?

I am interested in the following languages: PHP (5.3 or 5.2), Ruby, C#4, JavsScript (Firefox 3.7), Java (1.6). 我对以下语言感兴趣:PHP(5.3或5.2),Ruby,C#4,JavsScript(Firefox 3.7),Java(1.6)。

3 个解决方案

解决方案1
 1  2010-05-22 23:23:54

To my knoledge, you do not have many option here: 就我所知,您在这里没有太多选择:

  • use the OS native solution (if any). 使用操作系统本机解决方案(如果有)。 GNU/linux has something. GNU / linux有一些东西。

  • use third-party solution. 使用第三方解决方案。 The one I know best is Gazzang 我最了解的是Gazzang

But you should not restrict your setup to just one of these solution. 但是,您不应该将设置仅限制为这些解决方案之一。 Security is more than just encrypting data files. 安全不仅仅是加密数据文件。 You should also take care who can access your database server, etc. 您还应该注意谁可以访问您的数据库服务器等。

解决方案2
 0  

What I think is that you can never trust on shared hosting. 我认为您永远无法信任共享托管。 They have access to it and view it at their free will but this is not most likely/should be done, however you are definitely on a risk of sharing your data already . 他们可以访问它,并认为它在他们的自由意志,但这不是最有可能/应该做的,但是你绝对就已经共享您的数据的风险。

On the coding part though, you should take care of security issues such as sql injection and storing password using some encryption algorithm. 但是在编码部分,您应该注意安全性问题,例如sql注入和使用某种加密算法存储密码。

解决方案3
 0  2010-05-22 23:25:54

If you don't trust your hoster, you have to encrypt your sensitive data with a strong cipher at your local machine and store only the cryptogram in the database of the hoster. 如果您不信任托管者,则必须在本地计算机上使用强密码对敏感数据进行加密,并将密码仅存储在托管者的数据库中。

Everything else could expose your sensitive data to the hoster. 其他所有可能会将您的敏感数据暴露给托管人。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 将PHP会话数据存储在数据库中的最佳做法是什么? - What are the best practices for storing PHP session data in a database? Qualtrics第三方附加最佳实践 - Qualtrics 3rd Party Add-On Best Practices MySQL 和存储加密的用户数据 - MySQL and Storing encrypted User Data PHP / MySQL:最佳资金运营/存储实践? - PHP/MySQL: Best money operations/storing practices? 存储第三方凭证 - Storing 3rd Party Credentials 在 mysql 中存储关注、关注、喜欢数据的最佳方式是什么 - What is the best way of storing following,followers,likes data in mysql 在MySQL中搜索加密数据的最佳方法 - Best way to search encrypted data inside MySQL 使用php和mysql存储和选择时间/日期的最佳做法? - Best practices for storing & selecting time/date with php & mysql? 存储,修改和检索用户信誉数据的最佳实践 - Best practices storing, modifying and retrieving user reputation data 存储纬度和经度的最佳mysql数据类型是什么? - What is the best mysql datatype for storing latitudes and Longitudes?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM