Forums

ChronoForms v8 is now WordPress ready, ChronoMails is out

The JED needs volunteers!

encrypting sensitive data

aj
ajw3208 23 Aug, 2010
hi guys,

Can you suggest a mechanism to allow the encryption of sensitive data, other than passwords. i.e. I need th4e data in the table encrypted. I obviously need a reverse mechanism before presentation to the end user.

As an enhancement, it'd be great if the CF could allow you to encrypt specific fields in a table and the data in that field. CF needn't worry about the data traversing the network, thats someone else's problem. (SSL)

Thanks

aj
nm
nml375 23 Aug, 2010
Hi AJ,
I'd consider using the OpenSSL extension for PHP with private/public key-pairs, meaning you don't keep anything needed to decrypt the data (the private key) on the server, only what is needed to encrypt (the public key).

This is not implemented in CF, so you'll have to do some coding on your own:
<?
/* On submit - before email
-* We have to cipher the submitted data before CF runs the "autogenerated code",
-* which does the actual save. This would probably be better implemented within the
-* JTable class used for the storage, but since that's "off limits", we'll do it here
-*/

/* Open our certificate file holding the public key,
-* and extract the key from the data
-*/
$key = openssl_get_publickey('file://path/to/public_key.crt');

/* Get the input data named "name" */
$name = JRequest::getString('name', '', 'post');
$cname = '';

/* Run the cipher, test the result */
if (openssl_public_encrypt($name, &$cname, $key)) {
/* Cipher was a success, store the new value in the POST data */
  JRequest::setVar('name', $cname, 'post');
} else {
/* Cipher failed, clear the POST data. Maybe we should alert the user as well? */
  JRequest::setVar('name', '', 'post');
}
?>

You will need a private/public-key pair for this, though I roughly recall these do not have to be signed by a CA - selfsigned should suffice.

/Fredrik
Gr
nm
nml375 23 Aug, 2010
Hi AJ & Bob,
Keep in mind that all the currently algorithms supported by MySQL use symmetrical keys. Simply put, you use the same key-phrase for both encrypting and decrypting the data. Unless you can use the 3DES functions with the --des-key-file server option, I would strongly recommend against using this approach - simply because the encrypt-key would have to be readily available within CF.

You would also have to take in mind, that the connection to the MySQL-server from Joomla is generally not encrypted.

/Fredrik
This topic is locked and no more replies can be posted.