简体繁体 English

将敏感数据安全地存储在数据库中

[英]Storing sensitive data securely in a database

原文 2012-03-11 08:08:45 0 2 php/ mysql/ openssl

I am currently building a website for a nursing home. 我目前正在建立疗养院网站。 I have already designed a scheme to store private data in my database, but I would like your opinion about it. 我已经设计了一种在数据库中存储私有数据的方案，但是我希望您对此有意见。

Basically, I have a table patient which stores public (= non-sensitive) information about patients. 基本上，我有一个就诊patient ，它存储有关病人的公共（=不敏感）信息。 Some other information (like name, address) are private one and need to be securely stored. 其他一些信息（例如名称，地址）是私有信息，需要安全存储。 I use a public/private key pair, generated by PHP OpenSSL and sent by the website manager. 我使用由PHP OpenSSL生成并由网站管理员发送的公钥/私钥对。 The passphrase is only known by people allowed to access private data (basically, healthcare providers). 仅允许访问私人数据的人员（基本上是医疗保健提供者）知道该密码短语。 I would like to store them in an other table. 我想将它们存储在另一个表中。 First question , is BLOB the best column type (with MySQL) to store binary data. 第一个问题是BLOB是用于存储二进制数据的最佳列类型（对于MySQL）。 Or should I convert them (with base64 for example) and store them in a VARCHAR column? 还是应该转换它们（例如，使用base64 ）并将它们存储在VARCHAR列中？

My patient_secure_data table looks like this: 我的patient_secure_data表如下所示：

id          INT AUTO_INCREMENT
patient_id  INT (FOREIGN KEY to patient.id)
key         VARCHAR(63)
data        BLOB
env         BLOB

It is a key-value table, where value are sealed by openssl_seal . 这是一个键值表，其中的值由openssl_seal密封。 I need to store the third parameter ( $env_keys ) to be able to decrypt data. 我需要存储第三个参数（ $env_keys ）才能解密数据。 So second question , why do I need this env_keys if I have the passphrase of the private key when I call openssl_open ? 所以第二个问题 ，为什么我需要这个env_keys如果我有当我打电话的私有密钥的密码openssl_open ？

Third (and last) question , is it a safe database schema? 第三个（也是最后一个）问题 ，这是一个安全的数据库架构吗？ I mean, can I guarantee that nobody without passphrase can see private data? 我的意思是，我可以保证没有密码的人都不会看到私人数据吗？

Note: I will also use the same key pair to encrypt files stored on disk. 注意：我还将使用相同的密钥对来加密磁盘上存储的文件。 But database or files, I can't see any differences regarding security. 但是，数据库或文件在安全性方面看不到任何区别。

Regards, 问候，

Guillaume. 纪尧姆。

_{Sorry if my language is not perfect, I am not a native english speaker... I hope I made myself clear.} _{抱歉，如果我的语言不完美，我不会说英语。我希望我能说清楚一点。}

2 个解决方案

1 - BLOB is my preference because encoding it to base64 will increase both space and processing time (since you will have to also decode base64 before you decrypt) 1-BLOB是我的偏爱，因为将其编码为base64会增加空间和处理时间（因为解密之前您还必须解码base64）

2 - openssl_seal does not give you the key that was used to encrypt the data. 2- openssl_seal无法为您提供用于加密数据的密钥。 The purpose of env_keys is to store the encrypted form of the generated key. env_keys的目的是存储所生成密钥的加密形式 。 When you call openssl_open, you give it this envelope key and the private key that it needs to decrypt the envelope key. 调用openssl_open时，将为其提供此信封密钥以及解密该信封密钥所需的私钥。 The private key needs to be matched with the public key that was used to generate the envelope key. 私钥需要与用于生成信封密钥的公钥匹配。

3- If your private key requires a passphrase, then technically your data is relatively safe. 3-如果您的私钥需要密码，那么从技术上讲您的数据相对安全。 Even if they have the envelope key and the private key, they won't be able to use it ... but how secure is your passphrase? 即使他们具有信封密钥和私钥，也将无法使用它……但是您的密码短语有多安全？ One thing to realize is that you can almost never guarantee a fully secure scheme, but you can definitely make it tough on hackers. 要意识到的一件事是，您几乎永远不能保证一个完全安全的方案，但是您绝对可以使它对黑客很难。 Use your imagination here. 在这里发挥您的想象力。 Btw, is your passphrase in plaintext in your code? 顺便说一句，您的密码短语是纯文本形式吗？

Anything over 500chars should probably be a blob (or clob). 超过500个字符的任何内容都可能是Blob（或Clob）。
Regarding the keys, you should only store the public key in your public DB. 关于密钥，您应该只将公共密钥存储在公共数据库中。 This way you don't have to worry about anyone (passphrase or no) being able to decrypt the data. 这样，您不必担心任何人（密码短语或否）都可以解密数据。 The private part of the key should be stored in the sensitive DB. 密钥的私有部分应存储在敏感数据库中。 You only need the public part to decrypt data encrypted by the private part. 您只需要公共部分来解密由私有部分加密的数据。 I would not store the entire key (public+private) on disk of the server containing the non-sensitive information as this compromises the security of the key. 我不会将包含非敏感信息的整个密钥（公用+专用）存储在服务器的磁盘上，因为这会损害密钥的安全性。