[OWASP_PHPSEC] Secure Application Configuration and State

rahul chaudhary rahul300chaudhary400 at gmail.com
Sun Jul 14 07:41:17 UTC 2013


I have attached a text file. My doubt is listed there. Please clarify. I
have understood most of the parts. It's just that I need help putting all
the pieces in place.

-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
-------------- next part --------------
Let's say I am creating a test file. In test files, I create a DB connection as:
DatabaseManager::connect (new DatabaseConfig('pdo_mysql', 'OWASP', 'root', 'myPassword'));

So, instead of the above I will write this:
$password = ConfidentialString("myPassword");

So, now I make the connection to DB like this:
DatabaseManager::connect (new DatabaseConfig('pdo_mysql', 'OWASP', 'root', $password)); //Note the use of variable $password instead of real password.

Internally, when the program runs, it checks if this class has been called for the first time. If yes, then it encrypts the string and returns the encrypted value. For the rest of the time, it takes the encrypted string, decrypts it, and returns the decrypted value.

Here is my doubt:
------------------------

How is it helping us? I mean we are still putting the plain-text password in one place in the code. That plain-text password is changed the second time the function is run.

I am also not clear on the idea of how we can replace a text. I mean, simply take the code in (Line 5): how can that code on the second run change to
$password = ConfidentialString(:encryptedValue);

Here is the possible algorithm for the ConfidentialString function:

// Pseudocode. AES_encrypt(), AES_decrypt() and isFirstTime() are placeholders,
// and $key is the AES key, assumed to be available from outside the source code.
function ConfidentialString($string)
{
	if ( isFirstTime() )	// checks if the function is run for the first time.
	{
		// first run: $string is the plain-text secret; return it encrypted
		$encryptedString = AES_encrypt($string, $key);
		return $encryptedString;
	}
	else
	{
		// later runs: $string is the encrypted value; recover the plain text
		$decryptedString = AES_decrypt($string, $key);
		return $decryptedString;
	}
}


I was thinking something like this:

Let the user store the (key, value) pairs of sensitive data in the DB themselves. We make a function ( ConfidentialString($key) ) that goes to the DB, brings the (key, value) pair, decrypts it, and replaces the original value in the code. e.g. if they have to store a DBPassword, they will store that data in encrypted form in the DB themselves. So, they will encrypt the value themselves (say abcde is the encrypted value), and then store this info in the DB as KEY=>DBPassword and VALUE=>abcde. Our job will only be to bring that encrypted value, decrypt it and use it.
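The scheme discussed above (ciphertext in the source, plaintext recovered at runtime), as an added example that is not code from this thread or from the OWASP PHPSEC project. It assumes the AES key is supplied out-of-band through an environment variable named OWASP_PHPSEC_KEY (a hypothetical name), and the helper sealSecret() is likewise hypothetical; with the key outside the code, the source file only ever contains the sealed token, which is what makes the indirection worthwhile.

```php
<?php
// Added example. Key comes from the environment (OWASP_PHPSEC_KEY, hypothetical
// name) so the source file never holds the plain-text secret or the key.

const CIPHER = 'aes-256-gcm';

function loadKey(): string
{
    $hex = getenv('OWASP_PHPSEC_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('OWASP_PHPSEC_KEY must be 32 bytes, hex encoded');
    }
    return hex2bin($hex);
}

// One-time step, run by the developer: turns the plain-text secret into the
// token that goes into the source file (iv . tag . ciphertext, base64).
function sealSecret(string $plain, string $key): string
{
    $iv  = random_bytes(12);   // fresh nonce per token; never reuse with one key
    $tag = '';
    $ct  = openssl_encrypt($plain, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

// Runtime step: ConfidentialString($token) recovers the plain text only at
// the moment it is needed, e.g. when building the DatabaseConfig.
function ConfidentialString(string $token): string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        throw new RuntimeException('malformed token');
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    // GCM authenticates the ciphertext: a tampered token or wrong key fails here
    $plain = openssl_decrypt($ct, CIPHER, loadKey(), OPENSSL_RAW_DATA, $iv, $tag);
    if ($plain === false) {
        throw new RuntimeException('token does not verify under this key');
    }
    return $plain;
}

// Usage: run sealSecret('myPassword', loadKey()) once and paste the result into
// the source; the application then only ever contains the line below.
// $password = ConfidentialString('<token produced by sealSecret>');
```

The plain text still exists in process memory once ConfidentialString() returns it, so this protects the secret at rest in the repository, not against an attacker who can already read the running process.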

