Ancient Cryptography

Author Topic: Encapsulating encryption and structure in databases  (Read 5912 times)

robertolofaro

  • Newbie
  • Posts: 3
    • just a profile website
Encapsulating encryption and structure in databases
« on: February 28, 2010, 07:00:20 AM »
for a few years I had online various websites using a database structure encrypting both the structure and the data, so that neither the hosting nor the DBA can see the logic or the data structure (and, of course, the data content)

it was written in (obfuscated) PHP, and implemented as a data layer on MySQL

the concept arose from observing that, in the late 1980s, when building DSS (decision support system) models, often the issue was that the data administrator had no access to the data content, but in models, the data structure was revealing the logic of the model

using hosting providers, this was complicated by some instances when the provider also offered consulting services- and more than one colleague reported quarrels with providers' employees "lifting" ideas for their own sites, from both the PHP code and the MySQL data structure

I am currently thinking either of cleaning it up and open sourcing on my website (I had tested it a few years ago with a community of users scattered worldwide, building on top of it a PHP-based "news dashboard" and messaging system), or developing it into an application framework

as I said- the basic logic is making it portable, hiding the data structure by having "data constructs", and having the data encrypted not by just using the local "crypt" functions, but a combination of external and user-side+user-provided keys

I wrote "polish it", because, despite being since my early programming days (sold the first visual program while in high school) addicted to comments in code, I would prefer to clean the code and add proper documentation

The system had its own streamlined version of XML embedded, I called it "associative encrypted database", and I had designed a version to use the vectorial facility inside the Playstation2 to create a faster version, but I never had the time to prototype the Playstation Linux version

I first developed a complete structure (offline) in the 1990s, for a knowledge distribution application, and then moved it online in the early 2000s (currently it is not online)

do you know if there is any similar system used?

I would hate to post outside yet another re-invention of the wheel :)

I would prefer to convert it into a service layer if something database-independent delivering the basic services is already available

If you have any links, let me know :)

And, if I decide to go the open source way, I will post a link here

Aaron

  • Administrator
  • Sr. Member
  • Posts: 326
  • Gender: Male
Re: Encapsulating encryption and structure in databases
« Reply #1 on: February 28, 2010, 09:31:47 AM »
Sounds nifty! I know there's MD5 hashing when storing passwords in MySQL, which effectively protects passwords, but I suppose it's more easily cracked than what you're doing?

Edit:
Hmm, according to this thread both MD5 and SHA-1 have been cracked, but there are much more powerful algorithms out there now: http://ubuntuforums.org/showthread.php?t=446322
« Last Edit: February 28, 2010, 09:35:13 AM by Aaron »

robertolofaro

Re: Encapsulating encryption and structure in databases
« Reply #2 on: February 28, 2010, 10:27:24 AM »
absolutely- but it is the same for any system: it is built to infer from past issues future solutions, and overridden by time

IMHO it is only the lack of contextual/cultural knowledge that leaves some past communications not understandable, as we cannot ascertain the logic of the culture that created the message

for a time I thought about using the Russian-DES, as not subject to export rules (I received it via a BBS- so, it is really, really old), and less computing-intensive

the concept was not to use the database encryption features per se (as anything that is widespread and known and, moreover, open sourced, eventually attracts reverse-engineers), but to see the encryption as a "layer"- or a "menu" of options to be agreed between the parties involved

of course- the test implementation was in the end a substitution-based one (book segments from online sources)

however long the rotating text, it was subject to cracking by simple brute-force and frequency analysis (the content was almost exclusively in English), with the XML and hashing and serialization just there to add some "noise"

as the routing info and checksums do when inserted in the data packets transmitted to ensure internal consistency of each packet when transmitted, and allow the rebuilding of the message at the destination point

the test uses were either in off-line (i.e. less prone to attack) or non-critical online (i.e. just to test the concept and assess the impact on performance vs. a standard serialization with XML)

as in any security issue: if the algorithm decreases the performance perceived by the user, any such decrease must be deemed to be acceptable as a balance toward the added (temporary) security

but, as I said, I designed and developed it while travelling, well before the open source movement developed, in leaps and bounds, and my programming approach is probably obsolete


Aaron

Re: Encapsulating encryption and structure in databases
« Reply #3 on: February 28, 2010, 10:40:36 AM »
I understand that relying entirely on the computer that hosts the database to do the encryption with no outside input is generally not as secure as several computers each holding a piece of the puzzle, or the user contributing to the encryption in some way. Is it possible for you to create a flowchart that shows generally what your concept does?
« Last Edit: February 28, 2010, 10:47:25 AM by Aaron »
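
An added example, not part of the thread and not robertolofaro's code: one way the idea discussed above (opaque "data constructs" plus keys combined from an external secret and a user-provided passphrase) could look in PHP with the bundled sodium extension. The function names, the (record_id, tag, blob) row layout and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Key material = HKDF over (server-held secret || Argon2id-stretched user passphrase),
// so the database host alone, or the passphrase alone, cannot rebuild the keys.
function deriveKeys(string $serverSecret, string $passphrase, string $userSalt): array
{
    $userPart = sodium_crypto_pwhash(32, $passphrase, $userSalt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE);
    $ikm = $serverSecret . $userPart;
    return ['enc'   => hash_hkdf('sha256', $ikm, 32, 'value-encryption'),
            'blind' => hash_hkdf('sha256', $ikm, 32, 'field-name-blinding')];
}

// Every field becomes one generic row (record_id, tag, blob); the schema never names it.
// The tag is deterministic so it can be looked up, which also reveals repeated field names.
function sealField(array $keys, string $recordId, string $field, string $value): array
{
    $tag   = hash_hmac('sha256', $field, $keys['blind']);
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ct    = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt(
        $value, $recordId . '|' . $tag, $nonce, $keys['enc']); // AAD binds blob to its slot
    return ['record_id' => $recordId, 'tag' => $tag, 'blob' => base64_encode($nonce . $ct)];
}

// Returns the plaintext, or null when the key is wrong or the row was altered or moved.
function openField(array $keys, array $row): ?string
{
    $n   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    $raw = base64_decode($row['blob'], true);
    if ($raw === false || strlen($raw) < $n + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        return null;
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $n), $row['record_id'] . '|' . $row['tag'], substr($raw, 0, $n), $keys['enc']);
    return $plain === false ? null : $plain;
}

// Constructed sample values; in practice the server secret lives outside the database host.
$serverSecret = random_bytes(32);
$userSalt     = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
$keys  = deriveKeys($serverSecret, 'constructed passphrase', $userSalt);
$row   = sealField($keys, 'r42', 'model.discount_rate', '0.0375');
$moved = ['record_id' => 'r43'] + $row;                    // same blob under another record
$other = deriveKeys($serverSecret, 'different passphrase', $userSalt);
print_r($row);                           // what the host or DBA can see
var_dump(openField($keys, $row));        // right keys, untouched row
var_dump(openField($keys, $moved));      // relocated blob fails authentication
var_dump(openField($other, $row));       // wrong passphrase fails authentication
```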

robertolofaro

Re: Encapsulating encryption and structure in databases
« Reply #4 on: February 28, 2010, 06:19:23 PM »
exactly my point

security is not static- and I have always been quite skeptical of any company offering "the" ultimate secure solution, be it a software or a bit of hardware

of course, the flip side is: if you split the security across multiple organizations/locations, you have to mask the purpose, or otherwise you are increasing the potential points where a non-compliance/failure might occur

as for the flow-chart... that's part of the "document and polishing" I referred to

that's why I also think that some "streams" of spam that I received sometimes that were so close to meaningless Enigma-like letter groups looked really as somebody trying another approach to securing communication

I mean: send the same message to 1 million unrelated e-mail addresses, and let it bounce around; only the intended addressee will be able to decode it- but you will overflow any traffic monitoring capabilities- at least long enough to make decryption irrelevant, as the decrypted message itself could contain just a redirection to something else, that disappears once used (just like a standard activation code for a password change)

anyway- as I received no other feedback, I reckon that there is nothing else so blatantly matching the same requirements in the open source (or- if there is something, it is not so stellar that it comes immediately to mind)

so, I will have to get back on my "business analyst" and "project manager" hat, and see to allocate the time to work on having again a showcase online- probably this time transparent/open source: I never believed in patents applied to business processes, anyway :)

Aaron

Re: Encapsulating encryption and structure in databases
« Reply #5 on: February 28, 2010, 06:23:41 PM »
Good luck! I look forward to seeing it.  ;D