Re: AES Questions From Another Dummy.
- From: Mike Amling <nospam@xxxxxxxxxx>
- Date: Tue, 30 May 2006 19:18:06 GMT
Larry Lindstrom wrote:
> Hi Folks:
>
> I'll start by thanking all of you. Reading the Google archives
> for this group is very educational. I'm a programmer, not a
> mathematician, so most of this discussion is way over my head.
>
> I'm building an application that stores, among other things,
> personal information about employees and members of organizations.
> Names, addresses, phone numbers, and the contents of an edit box
> where they may enter several pages of text.
>
> Some users will keep this information on stand-alone computers,
> perhaps laptops, others on a central server.
>
> The goal is to keep thieves from gaining phone numbers and other
> personal information from the database.
>
> The person running the program will enter a key that will be used
> for their session. Other users will have their own keys.
>
> Here is what I intend to do, and I'd appreciate any suggestions.
>
> I'll be using the code described in a page on The Code Project
> http://www.codeproject.com/cpp/aes.asp
>
> ECB, CBC or CFB? It's all alphabet soup to me, and a single
> argument to the encrypt and decrypt functions. ECB doesn't seem to
> be favored by those who post in this group.
>
> Pad the front of the clear text with some random ASCII, probably
> 16 bytes.
>
> Terminate the text with a zero, then pad out to a multiple of the
> block size with random text.
>
> Then encrypt it.
>
> Am I missing anything?
>
> With all the recent news about breaches of computer security and
> identity theft, I'm leery of keeping Social Security and credit card
> numbers in the database. But customers may want that option. Would
> you consider the precautions I've mentioned, together with the advice
> I hope to receive from you folks, adequate protection for such
> sensitive information?

While I agree with the decision to use Rijndael as the cipher, you haven't said anything about key management.
Is this a common database that all users interact with, and copy portions of to their stand-alone computers?
Or does each user have a database that is encrypted separately with different keys?
Are you going to use the same AES key for each field in a record? For each record in a table? For each table in the database?
If "other users have their own keys", how are you going to get from a user/key to the one and only key used for a record shared in a "central server"?
How often will you expire the keys, if ever?
--Mike Amling
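
Added example (not part of the original thread, and not the Code Project class): using Ruby's OpenSSL binding, it encrypts the same constructed record twice with the framing described in the quoted post, to show what the ECB/CBC argument changes. The key, the sample record, the function names and the all-zero CBC IV are assumptions of this example.

```ruby
require 'openssl'
require 'securerandom'

BLOCK = 16
KEY = ['000102030405060708090a0b0c0d0e0f'].pack('H*') # constructed demo key
SAMPLE = 'phone=555-0100;name=Jane Doe;city=Salem;'    # constructed record, 40 bytes

# Framing from the post: 16 random bytes, the text, a zero byte, then
# random fill up to a multiple of the block size. Assumes no NUL in text.
def frame(text)
  body = SecureRandom.random_bytes(BLOCK) + text.b + "\0".b
  body + SecureRandom.random_bytes((-body.bytesize) % BLOCK)
end

# Drop the random first block, keep everything before the terminator.
def unframe(data)
  rest = data.byteslice(BLOCK, data.bytesize)
  rest[0, rest.index("\0".b)]
end

# AES-128 in the given mode ('ecb' or 'cbc'). Assumption of this example:
# the CBC IV is fixed at zero, so the random prefix is the only
# per-record randomness.
def crypt(direction, mode, key, data)
  c = OpenSSL::Cipher.new("aes-128-#{mode}")
  direction == :encrypt ? c.encrypt : c.decrypt
  c.key = key
  c.iv = "\0" * BLOCK unless mode == 'ecb'
  c.padding = 0 # frame() already produces whole blocks
  c.update(data) + c.final
end

# Encrypt the same text twice and return the indexes of ciphertext blocks
# that come out identical, i.e. what someone comparing two rows can see.
def shared_blocks(mode, key, text)
  a, b = Array.new(2) do
    crypt(:encrypt, mode, key, frame(text)).bytes.each_slice(BLOCK).to_a
  end
  a.each_index.select { |i| a[i] == b[i] }
end

puts "ECB identical blocks: #{shared_blocks('ecb', KEY, SAMPLE).inspect}"
puts "CBC identical blocks: #{shared_blocks('cbc', KEY, SAMPLE).inspect}"
```

With ECB the two ciphertexts share blocks 1 and 2, so equal field values stay visible across rows despite the random prefix; with CBC the random first block chains into every later block and none match.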