My client needs the user to send them some data of an extremely sensitive nature but they insist on remaining on their shared host (paid for years in advance).
All they require is to have access to any new submissions each day and to print off the data in their office; afterwards they don't need it in digital form. Obviously I don't want to store the data for too long if I can avoid it, even in an encrypted form.
My logic so far is as follows, once the code is more fleshed out I'll post that too.
- SSL is used of course
- because they just need to print it raw, I decided to produce and store the data as a file, not in a database, more below...
1. User enters the data into the form (roughly 85 fields).
2. Submitted to php script, data is cleaned and validated.
3. Script creates a print-friendly html file (stored in a variable in the script using output buffering).
4. The file is encrypted using Blowfish. The key is half static (stored in a non-web directory), the other half of the key is generated using the following hash:
```php
$keyRand = mt_rand();                                  // random number, also sent to the office
$uniqueHash = sha1($first_name . $last_name . $keyRand); // per-submission half of the key
```
5. The $uniqueHash and $nameRandNum values are sent in an inconspicuous email to the office.
6. That person goes to a non-obvious login page, which requires a password that will be already known by them.
7. Next page asks for that $nameRandNum value (to find the file), and the $uniqueHash value. The script will piece that together with the static (stored) portion of the encryption key to decrypt the file.
8. The php script opens and passes the information to the browser as an html page to be printed off. Browser is instructed not to cache (any of this).
9. That employee clicks a link in that file which instructs it to be deleted.
- If it goes more than $x days without being accessed, the office is reminded. After $y days it is automatically deleted.
Doing it this way will ensure that an admin or hacker could not get into the data unless they had access to both the non-web folder and the email account (which is also hosted by them, but on a different physical server).
I know this might sound overboard (or not enough) but the safety of the data is critically important.
Any thoughts you may provide would be fantastic. This is by far the most in-depth I have been in the security of an application, and though fun, it's also nerve-wracking.
Thanks in advance!
- transpar3nt
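For reference, here is the split-key scheme from the post written out as an added example in PHP. This is not the poster's code: it keeps the same shape (a static half outside the web root plus a per-submission half that is emailed to the office, the ciphertext stored as a file, a delete step afterwards) but uses a CSPRNG for the emailed half and the file id, HKDF to combine the halves, and libsodium's authenticated secretbox so a wrong or tampered token is rejected instead of decrypting to garbage. It assumes PHP 7.2 or later with the sodium extension; the two paths and the `submission-v1` info string are placeholders I chose.

```php
<?php
// Added example (not the poster's code): split-key encryption of one submission.
// Assumes PHP >= 7.2 with the sodium extension; the paths below are placeholders.

declare(strict_types=1);

// Hypothetical locations: the static key half lives outside the web root and the
// encrypted submissions go in a directory the web server cannot serve.
const STATIC_KEY_FILE = '/srv/private/static-key.bin';   // placeholder path
const SUBMISSION_DIR  = '/srv/private/submissions';      // placeholder path

function loadStaticKeyHalf(string $path = STATIC_KEY_FILE): string
{
    // 32 random bytes generated once (e.g. with random_bytes) and kept out of the web tree.
    $half = file_get_contents($path);
    if ($half === false || strlen($half) !== 32) {
        throw new RuntimeException('static key half missing or wrong length');
    }
    return $half;
}

function deriveKey(string $staticHalf, string $emailedHalf, string $fileId): string
{
    // HKDF binds both halves and the file id into one 32-byte secretbox key, so the
    // token emailed for one submission cannot be reused against a different file.
    return hash_hkdf('sha256', $staticHalf . $emailedHalf,
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, 'submission-v1', $fileId);
}

/**
 * Encrypts the print-friendly HTML and stores it. Returns the two values the
 * office needs: the file id and the emailed key half. Neither encodes anything
 * about the submitter, so the email itself reveals nothing if read.
 */
function storeSubmission(string $html, string $staticHalf, string $dir = SUBMISSION_DIR): array
{
    $fileId      = bin2hex(random_bytes(16));                    // CSPRNG, not mt_rand
    $emailedHalf = random_bytes(32);                             // per-submission secret
    $key         = deriveKey($staticHalf, $emailedHalf, $fileId);
    $nonce       = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher      = sodium_crypto_secretbox($html, $nonce, $key); // authenticated encryption

    $written = file_put_contents("$dir/$fileId.enc", $nonce . $cipher, LOCK_EX);
    if ($written === false) {
        throw new RuntimeException('could not write encrypted submission');
    }
    sodium_memzero($key);
    return ['file_id' => $fileId, 'token' => base64_encode($emailedHalf)];
}

/**
 * Decrypts one submission for printing. Returns null if the id is malformed,
 * the file is missing, or the token is wrong (typo or tampering): the
 * authentication tag check fails instead of returning corrupted output.
 */
function openSubmission(string $fileId, string $token, string $staticHalf, string $dir = SUBMISSION_DIR): ?string
{
    if (!preg_match('/^[0-9a-f]{32}$/', $fileId)) {   // the id becomes part of a path: whitelist it
        return null;
    }
    $emailedHalf = base64_decode($token, true);
    if ($emailedHalf === false || strlen($emailedHalf) !== 32) {
        return null;
    }
    $blob = @file_get_contents("$dir/$fileId.enc");
    if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key    = deriveKey($staticHalf, $emailedHalf, $fileId);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}

// Step 9 of the post: the employee's "delete" link ends up here.
function deleteSubmission(string $fileId, string $dir = SUBMISSION_DIR): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $fileId) === 1 && @unlink("$dir/$fileId.enc");
}

// Before echoing $plain to the office browser (step 8), send no-cache headers:
// header('Cache-Control: no-store, no-cache, must-revalidate, private');
// header('Pragma: no-cache');
```

The reminder and automatic purge after the post's $x and $y days are not shown; a cron job that checks the file modification times in the submissions directory is enough for that. The important property of the layout above is the one the post is after: the file on disk, the static key half, and the emailed token are each useless on their own, and the token only ever works for the file id it was derived with.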