Re: searching for encrypted fields in data columns
I am by no means as experienced as the rest in the DB area being a
programmer in mostly web apps but.... I needed to store usernames and
passwords in our db in some kind of secure manner. I understand that if you
just encrypt the password a hacker can use brute force to easily (not to me
of course) find out passwords. The solution was to use a combination of the
username and password, encrypt this using a key compiled into our binary and
store this in the db. Do this whenever the user logs in and send the binary
data to the db for comparison with the encrypted password in the db. I guess
the thinking is that the hacker would have a harder time finding the
password if it is made of a combination of values before encryption. One
advantage is that no-one knows the key in our binary, only encrypted
passwords are passed on the web, and access to the db doesn't display the
password in a usable format. You could use this thinking to possibly create
an encryption from the username, password and credit card number? I don't
know hacker methods and don't know if this is the best way, or if you have
the ability to encrypt using the username, password, card... but just food
for thought.
<sffan_at_hotmail.com> wrote in message news:4042F2DF.6080800_at_hotmail.com...
> I am new to database programming and was curious how others solve the
> problem of storing encrypted data in db table columns and then
> subsequently searching for these records.
> The particular problem that I am facing is in dealing with (privacy)
> critical information like credit-card #s and SSNs or business critical
> information like sales opportunity size or revenue in the database. The
> requirement is that this data be stored encrypted (and not in the
> clear). Just limiting access to tables with this data isn't sufficient.
> Does any database provide native facilities to store specific columns as
> encrypted data? The other option I have is to use something like RC4 to
> encrypt the data before storing them in the database.
>
> However, the subsequent problem is how do I search/sort on these columns?
> It's not a big deal if I have a few hundred records; I could
> potentially retrieve all the records, decrypt the specific fields and
> then do in process searches/sorts. But what happens when I have (say) a
> million records - I really don't want to suck in all that data and work
> on it but instead use the native db search/sort capabilities.
>
> Any suggestions and past experiences would be greatly appreciated.
>
> much thanks,
> ~s
>
Received on Mon Apr 05 2004 - 10:09:21 CDT
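
The login comparison described in the reply above, as an added example that is not part of the original post: a deterministic keyed value over username and password that the database compares directly, next to a per-user salted, slow password hash as the hardened form. Assumptions: HMAC-SHA256 stands in for the cipher the post does not name, and APP_KEY, the users table, SQLite and all function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

APP_KEY = os.urandom(32)  # assumption: stands in for the key compiled into the binary

def keyed_token(username: str, password: str) -> bytes:
    """The post's scheme: one deterministic keyed value over username + password.
    HMAC-SHA256 replaces the unspecified cipher; fields are length-prefixed
    so ("ab", "c") and ("a", "bc") cannot produce the same input."""
    parts = (username.encode(), password.encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(APP_KEY, msg, hashlib.sha256).digest()

def salted_hash(password: str, salt: bytes) -> bytes:
    """Hardened form: slow, per-user salted hash with no shared key to leak."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(name TEXT PRIMARY KEY, token BLOB, salt BLOB, pwhash BLOB)")
    return db

def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (username, keyed_token(username, password),
                salt, salted_hash(password, salt)))

def login_by_token(db: sqlite3.Connection, username: str, password: str) -> bool:
    """The database does the comparison, as in the post."""
    row = db.execute("SELECT 1 FROM users WHERE name = ? AND token = ?",
                     (username, keyed_token(username, password))).fetchone()
    return row is not None

def login_by_hash(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Fetch salt and hash by username, recompute, compare in constant time."""
    row = db.execute("SELECT salt, pwhash FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], salted_hash(password, row[0]))

if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "correct horse")  # constructed sample account
    print(login_by_token(db, "alice", "correct horse"),
          login_by_hash(db, "alice", "wrong guess"))
```

The keyed value is only as secret as the key shipped in the binary, while the salted hash stays expensive to guess even when the whole table and the program are both disclosed.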