[WEB SECURITY] Encrypting Client Data

Justin Scott leviathan at darktech.org
Fri Jun 10 15:38:50 EDT 2011


> Does your application need to decrypt the data from the database and
> show it on the web application?

Yes, though we only need access to the data while their session is
open.  Once they log out (or time out) we no longer need access to the
data or the encryption key.  In our current proposed model we store
the data, encrypted, in a local database accessible to the web server
and have the user provide the key at the start of their session so we
can access their data.

> If you need to decrypt the data that comes from the client then, I don't
> see a reason why they have to encrypt and send to you, and also share
> the key.

The user is only providing the key, we would be encrypting and
decrypting on our end.  The transport between the web browser and web
server would be protected by standard SSL.

> I would say that if you want to do any kind of encryption/decryption your
> side, you should consider using HSM and let it do the task of managing
> the keys and encrypt/decrypt. This will isolate tasks and not do
> everything on one server.

That would certainly be a more standard solution, and one that we
proposed to the client.  Their concern is that if we store both the
encryption keys (even in a key management system or other device or
server) and the encrypted data, and an attacker were able to
compromise the server, they could simply run code which would feed the
encrypted data through the key manager and run away with the results
fairly quickly.  Having the user store and provide their own key file
helps to further mitigate that risk.  Someone pointed out that an
attacker could sit quietly on the server and do the same thing as the
sessions were opened and closed, but it would be less exposure than if
we did have the data and keys accessible to the application at all
times.


-Justin Scott