From: | Christopher Browne <cbbrowne(at)acm(dot)org> |
---|---|
To: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: Secure DB Systems - How to |
Date: | 2004-07-15 02:44:52 |
Message-ID: | m3u0wagfa3.fsf@wolfe.cbbrowne.com |
Lists: | pgadmin-support pgsql-admin pgsql-hackers-win32 pgsql-php pgsql-sql |
In the last exciting episode, mallah(at)trade-india(dot)com (Rajesh Kumar Mallah) wrote:
> Sarah Tanembaum wrote:
>
>>I was wondering if it is possible to create a secure database system
>>using a PostgreSQL/PHP combination?
>>
>>I have the following in mind:
>>
>>I wanted to store all my (and my brothers' and sisters') important document
>>information such as birth certificate, SSN, passport number, travel
>>documents, insurance (car, home, etc.) documents, and other important documents
>>imagined in the database.
>>
>>The data will be entered either manually and/or scanned (with OCR). I need to
>>be able to search on all the fields in the database.
>>
>>We have 10 computers (5 bros, 4 sisters, and myself) plus 1 server which I
>>maintain. The data should be synchronized/replicated between those
>>computers.
>>
>>Well, so far it is easy, isn't it?
>>
>>Here's my question:
>>
>>a) How can I make sure that it is secure so only authorized persons can
>>modify/add/delete the information? Besides transaction logs, are there any
>>other methods to trace any transaction (kind of a paper trail)?
>>
>>
> There can be multiple solutions to your problem.
>
> The security and logging may be implemented either at
> database level or application level. That is a call you have to
> take.
Doing it at the database level means having to trust anyone that has
administrative access to the database system.
The only way for this to NOT require trusting the administrators is to
store data in some sort of encrypted form, where the data is NOT
visible except when someone decrypts it within the client application.
The main work published on the subject is _Translucent Databases_, by
Peter Wayner. Here are a bunch of links that give a pretty good idea
of what it's about.
http://www.oreillynet.com/pub/a/network/2002/08/02/simson.html
http://www.wayner.org/books/td/
http://www.wayner.org/books/td/faq.php
http://www.linux-mag.com/2003-12/databases_01.html
They discuss it from the perspective of using Java as the "client
application" layer; presumably PHP offers some cryptographic tools to
allow doing similar things...
http://hotwired.lycos.com/webmonkey/programming/php/tutorials/tutorial1.html
--
output = ("cbbrowne" "@" "ntlug.org")
http://cbbrowne.com/info/languages.html
"To do is to be." -- Aristotle
"To be is to do." -- Socrates
"Do be do be do." -- Sinatra
"Do be a do bee." -- Miss Sally of Romper Room fame.
"Yabba dabba do." -- Fred Flintstone
"DO...BEGIN..END" -- Niklaus Wirth
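The "translucent" design Christopher describes, worked through as an added example that is not code from this thread, from Wayner's book, or from the PostgreSQL project. It stores each sensitive field as ciphertext that only the client can open, so a database administrator or a stolen dump sees blobs, and it goes one step past the mail by adding a keyed blind index so Sarah's requirement to search the fields still works (equality lookups only). Assumptions: sqlite3 stands in for PostgreSQL, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag built from the standard library so the example runs offline (a real deployment would use AES-GCM from a vetted library, and in PHP the same structure would use its crypto extension), and the salt, passphrase and document numbers are constructed sample values.

```python
import hashlib
import hmac
import os
import sqlite3
import struct

# Constructed sample salt; in practice generate it once per vault with os.urandom and store it beside the data
VAULT_SALT = b"example-salt-16b"


def derive_keys(passphrase: str, salt: bytes = VAULT_SALT) -> tuple[bytes, bytes, bytes]:
    """Derive three independent keys (encryption, MAC, blind index) from one passphrase."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=96)
    return km[:32], km[32:64], km[64:96]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES-CTR)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_field(enc_key: bytes, mac_key: bytes, plaintext: str) -> bytes:
    """Encrypt-then-MAC layout: nonce || ciphertext || tag. A fresh nonce per field keeps equal values distinct."""
    data = plaintext.encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(enc_key: bytes, mac_key: bytes, blob: bytes) -> str:
    """Verify the tag before decrypting; a wrong key or a modified row fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def blind_index(idx_key: bytes, value: str) -> bytes:
    """Deterministic keyed hash of the normalized value: the database can answer equality
    queries on it, but without the index key (which never leaves the client) it cannot be reversed."""
    return hmac.new(idx_key, value.strip().lower().encode(), hashlib.sha256).digest()


def open_vault() -> sqlite3.Connection:
    # sqlite3 stands in for PostgreSQL; the schema holds only ciphertext and blind indexes
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner TEXT, doc_type TEXT,"
        " number_ct BLOB NOT NULL, number_idx BLOB NOT NULL)"
    )
    conn.execute("CREATE INDEX documents_number_idx ON documents (number_idx)")
    return conn


def store_document(conn, keys, owner: str, doc_type: str, number: str) -> None:
    """Client-side encryption: the plaintext number never reaches the database."""
    enc_key, mac_key, idx_key = keys
    conn.execute(
        "INSERT INTO documents (owner, doc_type, number_ct, number_idx) VALUES (?, ?, ?, ?)",
        (owner, doc_type, encrypt_field(enc_key, mac_key, number), blind_index(idx_key, number)),
    )


def find_by_number(conn, keys, number: str) -> list[tuple[str, str, str]]:
    """Equality search on an encrypted field: the query carries only the blind index."""
    enc_key, mac_key, idx_key = keys
    rows = conn.execute(
        "SELECT owner, doc_type, number_ct FROM documents WHERE number_idx = ?",
        (blind_index(idx_key, number),),
    ).fetchall()
    return [(owner, doc_type, decrypt_field(enc_key, mac_key, ct)) for owner, doc_type, ct in rows]


def admin_view(conn) -> list[tuple]:
    """What a database administrator (or a stolen dump) sees: no plaintext numbers."""
    return conn.execute("SELECT owner, doc_type, number_ct, number_idx FROM documents").fetchall()


def demo():
    """Store two constructed records, search one, and check the admin view holds no plaintext."""
    keys = derive_keys("family-vault-passphrase")  # constructed sample passphrase
    conn = open_vault()
    store_document(conn, keys, "sarah", "passport", "P1234567")  # constructed sample data
    store_document(conn, keys, "brother1", "passport", "P7654321")
    hits = find_by_number(conn, keys, " p1234567 ")  # normalization inside blind_index makes this match
    dump = admin_view(conn)
    leaked = any(b"P1234567" in row[2] or b"P1234567" in row[3] for row in dump)
    return hits, leaked


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the blind index is deterministic on purpose (that is what makes `WHERE number_idx = ?` work), so it reveals which rows share a value even though it does not reveal the value; and because everything hinges on keys held only in the client, the trust question moves from "who can read the database" to "who holds the passphrase", which is exactly the trade Christopher describes.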