birbal Posted February 26, 2014 (edited)

I want to encrypt some text. But the problem is I don't want to pass a key for each encryption. Also, I want to make sure that the system does not know the key. The texts will be created by an authenticated user. Any idea how it could be accomplished? As far as I can think, I could create the key from a hash of some user data and other data mixed together. But that does not sound very secure. By seeing the code it will be easy to get the key. There is an option to pass a key for each entry, but I want to encrypt it anyway, even if the user doesn't put in a key for the encryption text.
davej Posted February 26, 2014 (edited)

Pretty vague description. Need more details. You want to encrypt some text on the browser? You are using or are not using SSL? How is the user authenticated?
birbal Posted February 26, 2014

By encrypting text I meant encrypting text in the database using mcrypt. SSL is not a concern here. Users are authenticated using a login system.
justsomeguy Posted February 26, 2014

If you don't want to save the key on the server then it sounds like you need to ask the user for a key when you encrypt their text. What happens with the encrypted text? Do you save it? Do you need to decrypt it?
davej Posted February 26, 2014

You apparently want this text to be more secure than the user authentication itself?
birbal Posted February 26, 2014 (edited)

@justsomeguy Yes, but there will be many entries of text and I don't want the user to remember that many keys. There should be a default one on a per-user basis, and optionally another way for the user to pass a key, which will work as usual. Yes, I need to save it and also need to decrypt it.
birbal Posted February 26, 2014 (edited)

@davej Yes, I want that data to be secure. Even if the database is exposed there should be no way to read it.
davej Posted February 26, 2014 (edited)

More secure than the user authentication? Another level of password? Why not let the user remember a key to a "key-box" which contains all the keys?
justsomeguy Posted February 26, 2014

If you need to decrypt the text then the server needs the key, so your options are to have the user store the keys and supply them for decryption, or have the server store them either directly or in a way that they can be calculated. Why not just store the key directly in the database? What is the nature of the text that you're trying to encrypt?
birbal Posted February 27, 2014 (edited)

> If you need to decrypt the text then the server needs the key, so your options are to have the user store the keys and supply them for decryption, or have the server store them either directly or in a way that they can be calculated. Why not just store the key directly in the database? What is the nature of the text that you're trying to encrypt?

If the user specifies the key explicitly I could decrypt it without storing the key anywhere. For the other case I think I need to do it either way, storing it or calculating it. Doesn't storing the key on the same machine, or even worse in the same database, lose the purpose of the key? I think calculating it will be better than storing it in the database.

> What is the nature of the text that you're trying to encrypt?

What do you mean?
birbal Posted February 27, 2014

> Why not let the user remember a key to a "key-box" which contains all the keys?

It still needs to be stored somewhere, which is what I am trying to avoid.
justsomeguy Posted February 27, 2014

> Doesn't storing the key on the same machine, or even worse in the same database, lose the purpose of the key? I think calculating it will be better than storing it in the database.

It certainly decreases the security by either storing or calculating the keys on the server. If you need to store the keys in a different place then you either need a separate server to act as a dedicated key store, which still doesn't provide all that much security, or you need to have the user supply the key.
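
The "key-box" suggestion combined with a user-supplied key, as an added example that is not part of any post in this thread: a random data key encrypts the entries and is itself stored only in wrapped form, under a key derived from a passphrase the user types at login. It uses PHP's openssl extension rather than mcrypt, which was removed from PHP core in 7.2; all function names, array keys and the iteration count are assumptions.

```php
<?php
// Added example: "key-box" (envelope) encryption. All function, array-key and
// variable names are hypothetical; the passphrase is a constructed sample.
const KDF_ITERATIONS = 600000; // assumption: tune for your hardware

// Key-encryption key (KEK) derived from the passphrase; never stored.
function derive_kek(string $passphrase, string $salt): string {
    return hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITERATIONS, 32, true);
}

// AES-256-GCM; output layout is nonce (12) || tag (16) || ciphertext.
function seal(string $plaintext, string $key): string {
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ct;
}

// Reverse of seal(); null means wrong key or modified data.
function open_sealed(string $blob, string $key): ?string {
    if (strlen($blob) < 28) {
        return null;
    }
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
        substr($blob, 0, 12), substr($blob, 12, 16));
    return $pt === false ? null : $pt;
}

// Account setup: wrap a random data key under the KEK. Only the salt and the
// wrapped key go into the user's database row.
function create_keybox(string $passphrase): array {
    $salt = random_bytes(16);
    $wrapped = seal(random_bytes(32), derive_kek($passphrase, $salt));
    return ['salt' => $salt, 'wrapped_key' => $wrapped];
}

// At login: unwrap the data key and keep it in the session only.
function unlock_keybox(array $row, string $passphrase): ?string {
    return open_sealed($row['wrapped_key'], derive_kek($passphrase, $row['salt']));
}

$row   = create_keybox('sample passphrase');          // stored per user
$key   = unlock_keybox($row, 'sample passphrase');    // held in memory
$entry = seal('first private note', $key);            // stored per text entry
var_dump(open_sealed($entry, $key));                  // decrypts with the unlocked key
var_dump(unlock_keybox($row, 'wrong passphrase'));    // unwrap is rejected
```

A copy of the database alone yields only the salt, the wrapped key and ciphertext, but the server still holds the data key in memory while the user is logged in. A forgotten passphrase makes the entries unrecoverable.
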
birbal Posted February 28, 2014

Okay, it is clear now. As always, thanks for the help.
davej Posted February 28, 2014 (edited)

The basic problem seems to be the user's inability to remember and produce one or more huge passwords. Well, maybe you auto-generate the huge passwords and then email the customer a digital image of them? You say "print this image for your records and then please delete it from your e-mail inbox." You could even zip the image encrypted with a password.