All geek questions in one place

Best + strongest encryption method for databases

I store Paswords and personal data in a database. What is the strongest encryption method for these values ​​for protection.

Also, what is the best encryption method for credit card information in the database? Or should I use something else to store credit card information and not mysql database?

Thanks.

+6
source share
2 answers

I think storing something in SQL is fine, just encrypt it first. If you need to somehow identify the data (for example, with a unique key for writing to the database), create a randomly generated line or a secure hash and save this together with your encrypted data.

It is probably best to stick to what is checked and verified. Since this is a database (presumably for a billing system), it would be nice to have a quick search. Therefore, avoid asymmetric encryption, which you should only use to encrypt symmetric keys if you need to share it with someone.

Some specific strength (say 256 bits) of AES should be good. I would be happy to know my personal data that we provided in this way.

From the point of view of storing user passwords, it is common practice to generate a salt (random string) and then the user hash password in combination with this salt using a secure hash algorithm (RIPEMD, SHA1, MD5).

This prevents the recovery of a transcoded dictionary password cracker, as it must also handle all random salts.

Do not encrypt passwords, but only them. There is no need to recover your password in clear text, it only makes your system vulnerable with this single master key. Do not encrypt user data using keys that users can select, this will make the data unrecoverable in the event of a key loss. Provide common ways for users to regain access to their account in case they lose their passwords.

If you really need to hide usernames, you might be wondering about your data architecture. In general, personal data and, in particular, billing data should not be kept in the public eye, it should only be accessible to authorized persons. These trusted parties will need to view the contents of user names and information, so encryption is probably not necessary.

If you transmit user information on the open Internet, encrypt it.

If you are concerned about the security of user information on your database server, perhaps consider working with a cloud or data hosting provider that can provide you with additional physical security for your servers.

Encryption is only part of a strong security policy. Focus primarily on the human element of creating a safe environment in which you will run your business. Provide access to sensitive resources to know the basics. Make sure you back up some data recovery tools if all keys are lost.

+11
source

Please note that encryption is not the only thing you need to worry about when storing credit card information. There are also strict audit requirements and many other problems (see the PCI website if you are unfamiliar).

Although you will probably be able to get PCI compatibility by doing this, if you are not very familiar with the necessary security measures, you can discover huge obligations. If your system is broken or you are considered incompatible, you face severe fines.

Check out payment providers such as Authorize.net for alternative solutions. In particular, you should pay attention to the Customer Information Manager , as they will store protected data for you, such as credit card information on their servers.

+1
source

Source: https://habr.com/ru/post/901898/

More articles:


All Articles