Securing Data & Deleting Permanently

Discuss how to write good code, break bad code, your current pet projects, or the best way to approach novel problems

Securing Data & Deleting Permanently

Post by gauravweb on Fri May 20, 2011 3:08 pm
([msg=57617]see Securing Data & Deleting Permanently[/msg])

Hello All

I am developing a PHP, MySql Based application which will contain a lot of personal and confidential data. So, I have planned to secure it using encryption & crypto. However I am concerned that the package is supposed to run on a local server and one could easily access my PHP source code. So how could I make the data secure?

Secondly how to delete some data from MYSql permanently. I mean if I delete some data from the MySQL database then what steps should I check to make sure that it is gone permanently ?
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)


Re: Securing Data & Deleting Permanently

Post by Goatboy on Fri May 20, 2011 3:47 pm
([msg=57619]see Re: Securing Data & Deleting Permanently[/msg])

Unfortunately, any code running on localhost (especially interpreted code) can be reversed. This includes any encryption you use. After all, if the program needs to legitimately access this information, what's to stop an attacker from illegitimately accessing it?

As for deleting data from MYSQL, that's a little tricky. From a file system perspective, the data is still there. Normally you would just overwrite the data with 0s, but this will not be easy in PHP/MYSQL, and it might mess up your MYSQL database.
Assume that everything I say is or could be a lie.
User avatar
Goatboy
Expert
Expert
 
Posts: 2865
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: Securing Data & Deleting Permanently

Post by gauravweb on Fri May 20, 2011 4:04 pm
([msg=57622]see Re: Securing Data & Deleting Permanently[/msg])

Goatboy wrote:Unfortunately, any code running on localhost (especially interpreted code) can be reversed. This includes any encryption you use. After all, if the program needs to legitimately access this information, what's to stop an attacker from illegitimately accessing it?

As for deleting data from MYSQL, that's a little tricky. From a file system perspective, the data is still there. Normally you would just overwrite the data with 0s, but this will not be easy in PHP/MYSQL, and it might mess up your MYSQL database.


okay. If I cant protect it using crypto then please suggest me what is the best possible way to delete the data permanently?
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)


Re: Securing Data & Deleting Permanently

Post by Goatboy on Fri May 20, 2011 4:13 pm
([msg=57623]see Re: Securing Data & Deleting Permanently[/msg])

There isn't a totally secure method that I am aware of. I suppose you can just UPDATE the data, overwriting it with 0s, but I don't know enough about the internals of the MYSQL engine to trust that. Take a look at this link though:

http://stackoverflow.com/questions/3444 ... -hard-disk

Doesn't look like there is a direct way to do this, but it might help.
Assume that everything I say is or could be a lie.
User avatar
Goatboy
Expert
Expert
 
Posts: 2865
Joined: Mon Jul 07, 2008 9:35 pm
Blog: View Blog (0)


Re: Securing Data & Deleting Permanently

Post by thetan on Fri May 20, 2011 8:14 pm
([msg=57624]see Re: Securing Data & Deleting Permanently[/msg])

If you're using the InnoDB engine then forget about it. MVCC will keep the data around for a while, versioned data too.

If you're using the MyISAM engine ... you at least won't have to worry about versioned data, and just overwriting it may be fairly sufficient.

The only sure fire way to be forensically secure from recover is to use MySQL Memory tables, which are super volatile and you'll loose ass that data on system restarts and unplanned crashes.

Interesting though. I've seen tons of databases marketed towards different niches, but i've never seen one that specifically targets being forensically secured. Perhaps some one should make one ;).
"If art interprets our dreams, the computer executes them in the guise of programs!" - SICP

Image

“If at first, the idea is not absurd, then there is no hope for it” - Albert Einstein
User avatar
thetan
Contributor
Contributor
 
Posts: 657
Joined: Thu Dec 17, 2009 6:58 pm
Location: Various Bay Area Cities, California
Blog: View Blog (0)


Re: Securing Data & Deleting Permanently

Post by gauravweb on Sun May 22, 2011 1:40 pm
([msg=57664]see Re: Securing Data & Deleting Permanently[/msg])

Update: I worked some more things and found that I could make my source code secure by using Java in place of PHP and installing the application on the system. Now what crypto method do you all suggest to make it very safe and secure. Also if I am not using InnoDB then which database engine do you suggest which should provide me forensic security?
gauravweb
New User
New User
 
Posts: 22
Joined: Fri Jun 06, 2008 12:35 pm
Location: India
Blog: View Blog (0)



Return to Programming

Who is online

Users browsing this forum: No registered users and 0 guests