[Owasp-leaders] DB encryption (here: MySQL)

Dirk Wetter dirk.wetter at owasp.org
Wed Mar 13 11:56:51 UTC 2013


On 03/12/2013 09:30 PM, devops wrote:
> If I were to do encryption for the DB, AES is not the be-all; I actually
> prefer Camellia. S-box crypto is S-box crypto, that said. With Mongo I
> use PGP to encrypt/decrypt the DB for every read and write, but beware:
> any unconventional encryption on a database can cause massive
> corruptions.

Naaa, I was referring to the AES_DECRYPT function built into MySQL.
I am hesitant to reinvent the wheel completely regarding crypto
implementations.

IMO it is better to rely, at least at the foundation level, on tested
solutions from either the DB vendor or a development framework.

Still, I am wondering why there's so little information
available (ok, I haven't read the book Jim recommended yet).

Best,

Dirk


> On Tue, 2013-03-12 at 18:43 +0100, Dirk Wetter wrote:
>> Hi all,
>>
>> am I just too stupid to find it?
>>
>> Basically I found at OWASP only a bit regarding this topic,
>> e.g. useful was Ralph Durkee's talk
>>
>> http://www.owasp.org/images/c/c1/Database_Encryption.ppt
>>
>> and some vague slides elsewhere regarding PCI DSS (they seem
>> to recommend AES_DECRYPT/AES_ENCRYPT, which is critical for
>> transaction and other logs).
>>
>> There seems to be no such thing as a best practice
>> guide.
>>
>> Any hints?
>>
>> Best,
>>
>> Dirk
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> 


-- 
German OWASP Board, Conference Chair AppSec EU 2013
http://appsec.eu/       |                 @appseceu
skype://drwetter.de     |      tel:+49-40-2442035-1
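As an added illustration, not taken from the thread or from MySQL's own documentation, of what the built-in AES_ENCRYPT/AES_DECRYPT look like in use and why the log concern raised above is real: block (1) is the default usage, block (2) the CBC-with-IV form (added in MySQL 5.6.17, later than this thread), and block (3) the server settings worth checking. The table, the passphrase and the card number are constructed sample values.

```sql
-- Constructed sample schema: ciphertext and IV are stored as binary columns.
CREATE TABLE card (
  id      INT PRIMARY KEY,
  pan_iv  BINARY(16),          -- per-row IV, used only by variant (2)
  pan_enc VARBINARY(64)        -- AES output is a multiple of 16 bytes
);

-- (1) Default usage. block_encryption_mode defaults to aes-128-ecb:
--     no IV, so equal plaintexts give equal ciphertexts, and the key is
--     a literal inside the statement text that the server receives.
INSERT INTO card (id, pan_enc)
VALUES (1, AES_ENCRYPT('4111111111111111', 'key-in-statement-text'));

SELECT id, AES_DECRYPT(pan_enc, 'key-in-statement-text') AS pan
FROM card WHERE id = 1;

-- (2) CBC with a fresh random IV per row (needs MySQL 5.6.17 or later for
--     block_encryption_mode, the init_vector argument and RANDOM_BYTES()).
--     The IV is stored beside the ciphertext because decryption needs it.
--     The 32-byte key is derived here from a constructed passphrase; a real
--     application would supply the key itself rather than typing it in.
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX(SHA2('constructed passphrase for this example', 256));
SET @iv  = RANDOM_BYTES(16);

INSERT INTO card (id, pan_iv, pan_enc)
VALUES (2, @iv, AES_ENCRYPT('4111111111111111', @key, @iv));

SELECT id, AES_DECRYPT(pan_enc, @key, pan_iv) AS pan
FROM card WHERE id = 2;

-- (3) Why this is "critical for ... logs": with server-side AES the key has
--     to reach the server inside a statement, and the general query log and
--     the slow query log record statement text. A STATEMENT-format binary
--     log records the INSERT text too; ROW format records only the row
--     images, i.e. the ciphertext. Settings to verify on such a server:
SHOW VARIABLES LIKE 'general_log';     -- expect OFF
SHOW VARIABLES LIKE 'slow_query_log';  -- OFF, or restrict who can read it
SHOW VARIABLES LIKE 'binlog_format';   -- expect ROW
```

Both SELECTs return the card number, which shows that the same key (and, for variant (2), the same IV and block_encryption_mode) must be available at read time; rotating the key therefore means re-encrypting every row.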

