Storing sensitive data on a shared server... my plan

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

transpar3nt
Forum Newbie
Posts: 5
Joined: Sat Dec 12, 2009 8:37 pm
Location: Denver, CO

Storing sensitive data on a shared server... my plan

Post by transpar3nt »

Hello, love the forum btw.

My client needs the user to send them some data of an extremely sensitive nature but they insist on remaining on their shared host (paid for years in advance).

All they require is to have access to any new submissions each day and to print off the data in their office; afterwards they don't need it in digital form. Obviously I don't want to store the data for too long if I can avoid it, even in an encrypted form.

My logic so far is as follows, once the code is more fleshed out I'll post that too.

- SSL is used of course
- because they just need to print it raw, I decided to produce and store the data as a file, not in a database, more below...

1. User enters the data into the form (roughly 85 fields).

2. Submitted to php script, data is cleaned and validated.

3. Script creates a print-friendly html file (stored in a variable in the script using output buffering).

4. The file is encrypted using Blowfish. The key is half static (stored in a non-web directory), the other half of the key is generated using the following hash:

```php
$keyRand    = mt_rand();                                  // per-submission random number
$uniqueHash = sha1($first_name . $last_name . $keyRand);  // 40-hex-char "other half" of the key
```

- that file is saved to a non-web directory; the filename is a random number ($nameRandNum) followed by a hash of the user's first name (a file name could look like: 38472_04d98d2819faf945261d3b827ba4c12a65c36405)

5. The $uniqueHash and $nameRandNum values are sent in an inconspicuous email to the office.

6. That person goes to a non-obvious login page, which requires a password that will be already known by them.

7. Next page asks for that $nameRandNum value (to find the file), and the $uniqueHash value. The script will piece that together with the static (stored) portion of the encryption key to decrypt the file.

8. The php script opens and passes the information to the browser as an html page to be printed off. Browser is instructed not to cache (any of this).

9. That employee clicks a link in that file which instructs it to be deleted.

- If it goes more than $x days without being accessed, the office is reminded. After $y days it is automatically deleted.


Doing it this way will ensure that an admin or hacker could not get into the data unless they had access to both the non-web folder and the email account (which is also hosted by them, but on a different physical server).

I know this might sound overboard (or not enough) but the safety of the data is critically important.

Any thoughts you may provide would be fantastic. This is by far the most in-depth I have been in the security of an application, and though fun, it's also nerve-wracking.

Thanks in advance!

- transpar3nt
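The nine-step plan above, written out end to end as an added example (this is not the poster's code). It assumes libsodium (bundled with PHP 7.2+), uses sodium_crypto_secretbox (XSalsa20-Poly1305) in place of Blowfish, and draws both the per-submission key half and the file name from random_bytes(), which reads the OS CSPRNG rather than mt_rand(). The directory and static-key locations are assumptions; the submission in the demo is constructed.

```php
<?php
// Added example, not the original post's code. Assumptions: libsodium available,
// a 16-byte static key half kept in a file outside the web root, XSalsa20-Poly1305
// standing in for Blowfish, and a constructed demo submission.
declare(strict_types=1);

// Half-static key: 16 bytes read from a non-web file + 16 fresh random bytes per file.
function buildKey(string $staticHalf, string $perFileHalf): string {
    if (strlen($staticHalf) !== 16 || strlen($perFileHalf) !== 16) {
        throw new InvalidArgumentException('each key half must be 16 bytes');
    }
    return $staticHalf . $perFileHalf; // 32 bytes = SODIUM_CRYPTO_SECRETBOX_KEYBYTES
}

// Step 3: render the cleaned fields as print-friendly HTML via output buffering.
function renderHtml(array $fields): string {
    ob_start();
    echo "<!DOCTYPE html><html><body><table>\n";
    foreach ($fields as $label => $value) {
        // htmlspecialchars keeps a submitted value from becoming markup in the printout
        printf("<tr><th>%s</th><td>%s</td></tr>\n",
            htmlspecialchars((string)$label, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8'));
    }
    echo "</table></body></html>\n";
    return ob_get_clean();
}

// Step 4: authenticated encryption; the nonce is stored in front of the ciphertext
// (it must be unique, not secret).
function encryptSubmission(string $html, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($html, $nonce, $key);
}

function decryptSubmission(string $blob, string $key): string {
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $html  = sodium_crypto_secretbox_open($ct, $nonce, $key);
    if ($html === false) {
        throw new RuntimeException('wrong key or tampered file'); // fails closed
    }
    return $html;
}

// Steps 4/5: store under a random name; return only what the office must be told
// (file id + per-file key half). The static half never leaves the server.
function storeSubmission(array $fields, string $staticHalf, string $dir): array {
    $perFileHalf = random_bytes(16);
    $fileId      = bin2hex(random_bytes(8)); // replaces the mt_rand() $nameRandNum
    $blob        = encryptSubmission(renderHtml($fields), buildKey($staticHalf, $perFileHalf));
    $path        = $dir . '/' . $fileId . '.enc';
    file_put_contents($path, $blob, LOCK_EX);
    chmod($path, 0600);
    return ['file_id' => $fileId, 'key_half' => bin2hex($perFileHalf)];
}

// Steps 7-9: office side, after login. Rebuild the key, decrypt, return the HTML, delete.
function retrieveAndDelete(string $fileId, string $keyHalfHex, string $staticHalf, string $dir): string {
    if (!preg_match('/^[0-9a-f]{16}$/', $fileId)) {
        throw new InvalidArgumentException('bad file id'); // the id is used in a path
    }
    $path = $dir . '/' . $fileId . '.enc';
    $html = decryptSubmission(file_get_contents($path), buildKey($staticHalf, hex2bin($keyHalfHex)));
    unlink($path); // step 9: gone once printed
    return $html;
}

// Demo with a constructed submission and a temporary directory.
$dir = sys_get_temp_dir() . '/subs_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$staticHalf = random_bytes(16); // production: file_get_contents() of the non-web key file
$ticket = storeSubmission(['First Name' => 'Ada', 'Last Name' => 'L<b>ovelace'], $staticHalf, $dir);
header('Cache-Control: no-store'); // step 8: browser must not cache the printout
echo retrieveAndDelete($ticket['file_id'], $ticket['key_half'], $staticHalf, $dir);
```

The file id is validated against a fixed pattern before it is joined into a path, and decryption is authenticated, so a wrong key half or an altered file produces an exception rather than garbage output. Note that an attacker with the non-web directory and the email still recovers the plaintext, exactly as the post says; the static half only raises the bar.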
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Storing sensitive data on a shared server... my plan

Post by kaisellgren »

If possible, part of the key should be constructed based on a password/phrase that only the user might know.
transpar3nt wrote:
the other half of the key is generated using the following hash:

What about the other half of the key?

transpar3nt wrote:
```php
$keyRand = mt_rand();
$uniqueHash = sha1($first_name . $last_name . $keyRand);
```

You don't need hashes to generate keys. Just generate strong random and use it for the key. Read /dev/urandom to gather random data.

transpar3nt wrote:
5. The $uniqueHash and $nameRandNum values are sent in an inconspicuous email to the office.

Is the email message encrypted?
transpar3nt
Forum Newbie
Posts: 5
Joined: Sat Dec 12, 2009 8:37 pm
Location: Denver, CO

Re: Storing sensitive data on a shared server... my plan

Post by transpar3nt »

kaisellgren wrote:
If possible, part of the key should be constructed based on a password/phrase that only the user might know.

That does make sense. I could use the password that only they know not only to log into the view script, but also to encrypt the file.

kaisellgren wrote:
Is the email message encrypted?

The email is not encrypted. Is there a way for email to be encrypted and still easy for them to access using their current email provider? (web-based Network Solutions)

Thanks for the reply!
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Storing sensitive data on a shared server... my plan

Post by kaisellgren »

The email should be encrypted. You can use GnuPG to do this. It also costs nothing.
transpar3nt
Forum Newbie
Posts: 5
Joined: Sat Dec 12, 2009 8:37 pm
Location: Denver, CO

Re: Storing sensitive data on a shared server... my plan

Post by transpar3nt »

kaisellgren wrote:
If possible, part of the key should be constructed based on a password/phrase that only the user might know.

Sorry, I wasn't thinking about my answer... the problem here is that the user entering information will never need access to it again. It's the office (my client) that will access it. So encrypting the file with the known password we decided on wouldn't do a whole lot since it has to be stored on the server anyway. Or am I missing something on that?

As far as I can tell the only thing that will be kept secret is the uniqueHash which will be emailed to the office:

```php
// array keys quoted; unquoted keys rely on undefined constants and raise notices
$uniqueHash = sha1($_POST['First__Name'] . $_POST['Last__Name'] . mt_rand() . mt_rand() . mt_rand());
```

If that's encrypted on its way to them, do you think that's secure enough to not lose sleep over?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Storing sensitive data on a shared server... my plan

Post by kaisellgren »

It would be good if you can avoid having the full key on the server especially since it's a shared hosting server. You could use asymmetric encryption so that the data is encrypted using a public key and can be only read with the private key stored on the machine that reads the data (the office computer). This way getting on the server is not enough to read the contents.

Don't use mt_rand() or rand() for cryptographic secrets. Gather the random data from /dev/urandom.
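The layout this reply recommends, as an added example (not kaisellgren's or the poster's code): the office generates a keypair once and only the public key is placed on the shared host; each submission is sealed to that key, so nothing stored on the server can decrypt it, and the file name comes from random_bytes() instead of mt_rand(). It assumes libsodium (PHP 7.2+) and uses sodium's sealed boxes rather than GnuPG; the submission is constructed.

```php
<?php
// Added example, not from the thread. Assumptions: libsodium sealed boxes as the
// asymmetric scheme; the office keeps office.secret off the server entirely.
declare(strict_types=1);

// Run once on the office machine; only 'public' is copied to the web server.
function generateOfficeKeypair(): array {
    $kp = sodium_crypto_box_keypair();
    return [
        'public' => sodium_crypto_box_publickey($kp), // uploaded to the shared host
        'secret' => sodium_crypto_box_secretkey($kp), // never leaves the office
    ];
}

// Server side: seal the rendered HTML to the office public key. A sealed box uses
// an ephemeral sender key, so the server holds no secret that could open the result.
function sealForOffice(string $html, string $officePublicKey): string {
    return sodium_crypto_box_seal($html, $officePublicKey);
}

// Server side: file id from the OS CSPRNG (random_bytes reads /dev/urandom on Linux).
function newSubmissionId(): string {
    return bin2hex(random_bytes(12));
}

// Office side: open the sealed file. Returns null if the blob was altered or was
// sealed to a different public key, so a wrong key fails closed.
function openFromOffice(string $blob, array $officeKeypair): ?string {
    $kp = sodium_crypto_box_keypair_from_secretkey_and_publickey(
        $officeKeypair['secret'], $officeKeypair['public']);
    $html = sodium_crypto_box_seal_open($blob, $kp);
    return $html === false ? null : $html;
}

// Demo with a constructed submission.
$office = generateOfficeKeypair();
$id     = newSubmissionId();
$blob   = sealForOffice("<html><body>constructed submission</body></html>", $office['public']);
// On the server only $blob (saved as "$id.enc") and $office['public'] exist; the
// email to the office now carries just $id, which is useless without the secret key.
var_dump(openFromOffice($blob, $office) !== null);  // true
$other = generateOfficeKeypair();
var_dump(openFromOffice($blob, $other) === null);   // true: another key cannot open it
```

With this split, compromise of the shared host (or of the email account) yields ciphertext and file ids only; the decrypting step, and the one secret that matters, sits on the office machine that already does the printing.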
transpar3nt
Forum Newbie
Posts: 5
Joined: Sat Dec 12, 2009 8:37 pm
Location: Denver, CO

Re: Storing sensitive data on a shared server... my plan

Post by transpar3nt »

Yeah a couple hours after I posted that I read your blog post about how terrible using mt_rand() is and kicked myself. Thanks :D