Re: [PHP] Secure DB Systems - How to

From: "Sarah Tanembaum" <sarahtanembaum(at)yahoo(dot)com>
To: pgsql-sql(at)postgresql(dot)org
Cc: pgsql-php(at)postgresql(dot)org, pgsql-admin(at)postgresql(dot)org, pgsql-hackers-win32(at)postgresql(dot)org, pgadmin-support(at)postgresql(dot)org
Subject: Re: [PHP] Secure DB Systems - How to
Date: 2004-07-12 21:48:34
Message-ID: ccuv7a$die$1@sea.gmane.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgadmin-support pgsql-admin pgsql-hackers-win32 pgsql-php pgsql-sql

Thanks Bruno.

I see the potential challenge. If the field value is encrypted, how can
search be done for certain value? Do I have to seach for the encrypted
value? If so, what password or key should I use?

Thanks

"Bruno Wolff III" <bruno(at)wolff(dot)to> wrote in message
news:20040709152722(dot)GA20935(at)wolff(dot)to(dot)(dot)(dot)
> On Thu, Jul 08, 2004 at 11:49:36 -0400,
> Sarah Tanembaum <sarahtanembaum(at)yahoo(dot)com> wrote:
> > I was wondering if it is possible to create a secure database system
> > usingPostgreSQL/PHP combination?
> >
> > I have the following in mind:
> >
> > I wanted to store all my( and my brothers and sisters) important
document
> > information such as birth certificate, SSN, passport number, travel
> > documents, insurance(car, home, etc) document, and other important
documents
> > imagined in the database.
> >
> > The data will be entered either manually and/or scanned(with OCR). I
need to
> > be able to search on all the fields in the database.
> >
> > We have 10 computers(5bros, 4sisters, and myself) plus 1 server with I
> > maintained. The data should be synchronize/replicate between those
> > computers.
> >
> > Well, so far it is easy, isn't it?
> >
> > Here's my question:
> >
> > a) How can I make sure that it secure so only authorized person can
> > modify/add/delete the information? Beside transaction logs, are there
any
> > other method to trace any transaction(kind of paper trail)?
>
> Keeping the system administrator from seeing the data while making it
> searchable is difficult. To do this you need to encrypt the data on
> the client side using a key the client has (and this key has to be
> protected from loss) and the only searches you can do are equality
> searches using a hash or encrypted value.
>
> The system administrator can always delete the data.
>
> If you store which user has access to a row in the row, you can use views
> to control access to the rows for people other than the system
administrator.
>
> > b) How can I make sure that no one can tap the info while we are
entering
> > the data in the computer? (our family are scattered within US and
Canada)
>
> Use SSL.
>
> > c) Is it possible to securely synchronize/replicate between our
computers
> > using VPN? Does PostgreSQL has this functionality by default?
>
> Probably the best thing here is to run one live server and make backups
> of the system that you store at your relatives along with instructions
> for recovering them if something happens to you. Probably the backups
> should be encrypted with either the keys in your safe deposit box or
> using a system where something like 3 out of 5 keys can be used to recover
> the backup files. Be sure to test the backup recovery.
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: Have you searched our list archives?
>
> http://archives.postgresql.org
>

In response to

Browse pgadmin-support by date

  From Date Subject
Next Message Sarah Tanembaum 2004-07-12 22:09:59 Re: Secure DB Systems - How to
Previous Message Rajesh Kumar Mallah 2004-07-12 14:07:21 Re: Secure DB Systems - How to

Browse pgsql-admin by date

  From Date Subject
Next Message Sarah Tanembaum 2004-07-12 22:09:59 Re: Secure DB Systems - How to
Previous Message Octavio Alvarez Piza 2004-07-12 19:43:26 Disk usage

Browse pgsql-hackers-win32 by date

  From Date Subject
Next Message Sarah Tanembaum 2004-07-12 22:09:59 Re: Secure DB Systems - How to
Previous Message Jason Sheets 2004-07-12 21:21:47 Re: PostGre and Windows XP

Browse pgsql-php by date

  From Date Subject
Next Message Sarah Tanembaum 2004-07-12 22:09:59 Re: Secure DB Systems - How to
Previous Message Scott Marlowe 2004-07-12 14:46:35 Re: Resource id #12

Browse pgsql-sql by date

  From Date Subject
Next Message Sarah Tanembaum 2004-07-12 22:09:59 Re: Secure DB Systems - How to
Previous Message Stef 2004-07-12 16:43:28 Re: Order of execution of rules