Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: searching for encrypted fields in data columns

Re: searching for encrypted fields in data columns

From: nbnet <sonnywood_at_hotmail.com>
Date: Mon, 05 Apr 2004 15:09:21 GMT
Message-ID: <BEecc.10757$Np3.360174@ursa-nb00s0.nbnet.nb.ca>


I am by no means as experienced as the rest in the DB area being a programmer in mostly web apps but.... I needed to store usernames and passwords in our db in some kind of secure mannner. I understand that if you just encrypt the password a hacker can use brute force to easily (not to me of course) find out passwords. The solution was to use a combination of the username and password, encrypt this using a key compiled into our binary and store this in the db. Do this whenever the user logs in and send the binary data to the db for comparison with the encrypted password in the db. I guess the thinking is that the hacker would have a harder time finding the password if it is made of a combination of values before encryption. One advantage is that no-one knows the key in our binary, only encrypted passwords are passed on the web, and access to the db doesn't display the password in a usable format. You could use this thinking to possibly create an encryption from the username, password and credit card number? I don't know hacker methods and don't know if this is the best way, or if you have the ability to encrypt using the username, password, card... but just food for thought.
<sffan_at_hotmail.com> wrote in message news:4042F2DF.6080800_at_hotmail.com...
> I am new to database programming and was curious how others solve the
> problem of storing encrypted in data in db table columns and then
> subsequently searching for these records.
> The particular problem that I am facing is in dealing with (privacy)
> critical information like credit-card #s and SSNs or business critical
> information like sales opportunity size or revenue in the database. The
> requirement is that this data be stored encrypted (and not in the
> clear). Just limiting access to tables with this data isn't sufficient.
> Does any database provide native facilities to store specific columns as
> encrypted data ? The other option I have is to use something like RC4 to
> encrypt the data before storing them in the database.
>
> However, the subsequent problem is how do I search/sort on these columns
> ? Its not a big deal if I have a few hundred records; I could
> potentially retrieve all the records, decrypt the specific fields and
> then do in process searches/sorts. But what happens when I have (say) a
> million records - I really don't want to suck in all that data and work
> on it but instead use the native db search/sort capabilities.
>
> Any suggestions and past experiences would be greatly appreciated.
>
> much thanks,
> ~s
>
Received on Mon Apr 05 2004 - 10:09:21 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US