tomdchi, posted March 8, 2009 (https://forums.phpfreaks.com/topic/148533-aes-encryption-question/)

I am using an AES encryption PHP class, and my business partner read an article at http://www.codinghorror.com/blog/archives/000949.html and has become worried about our data that we encrypt. The data in question is not passwords but financial in nature. These are my thoughts, and they may be wrong, so someone please correct me if I am.

Our encryption scheme employs a 256-bit private key that is kept in a file out of the web root, and this file is also encrypted with ionCube. The encrypted data is then encoded with base64 to make it DB friendly. Currently the decrypt function for the class is in the same file, but it has occurred to me that it may be a good idea to remove that function and place it in another file to be used only for our internal network.

AES encryption is not like MD5 or SHA1 and is not vulnerable to the rainbow hack. Is this right?

The assumption here is that we had a SQL injection attack that gave the attacker encrypted records from our database. My thought is that using a salt here is useless, since a salt is kept in plain text and they would have it too. Is that right?

My thought is that the weak link here is the private key. That is the only way for someone to decrypt our data. Is this a fair statement?

Any thoughts on making our system better are very welcome. Thanks!

Tom
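The scheme described in the post (a 256-bit key in a file outside the web root, ciphertext base64-encoded for the database, an attacker assumed to hold the encrypted rows) can be written down concretely. The following is an added example, not the poster's class and not from any library the thread names: it uses PHP's OpenSSL extension with AES-256-GCM, so each record gets a fresh random IV (the encryption-side counterpart of a salt: stored next to the ciphertext, not secret, and still useful because it stops identical plaintexts from producing identical ciphertexts) and an authentication tag, so a row altered through the same SQL injection is rejected on decryption instead of being decrypted to garbage. The key path `/etc/myapp/field.key` and the `load_key`, `encrypt_field` and `decrypt_field` names are assumptions for the example; it needs PHP 7.1 or later for GCM support in `openssl_encrypt`.

```php
<?php
// Added example (not the original poster's class): AES-256-GCM field encryption
// for database storage using PHP's OpenSSL extension (PHP >= 7.1).
// Assumption: the 32-byte key lives in a file outside the web root, e.g.
// /etc/myapp/field.key (hypothetical path), created once with
//   head -c 32 /dev/urandom > /etc/myapp/field.key
// and readable only by the user the PHP process runs as.

const CIPHER    = 'aes-256-gcm';
const IV_BYTES  = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_BYTES = 16;   // 128-bit authentication tag

function load_key(string $path): string
{
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== 32) {
        // openssl_encrypt silently pads or truncates a wrong-length passphrase;
        // refuse instead so a misconfigured key cannot weaken the cipher.
        throw new RuntimeException('field key must be exactly 32 bytes');
    }
    return $key;
}

// Encrypt one field. A fresh random IV per record means two rows holding the
// same plaintext produce different ciphertexts. The IV is stored with the
// ciphertext and, like a hash salt, does not need to be secret.
function encrypt_field(string $plaintext, string $key, string $aad = ''): string
{
    $iv  = random_bytes(IV_BYTES);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_BYTES);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    // One base64 string per column: iv || tag || ciphertext
    return base64_encode($iv . $tag . $ct);
}

// Decrypt one field. GCM checks the tag before releasing plaintext, so a
// ciphertext modified in the database, or copied from another row when $aad
// binds the record id, is rejected rather than decrypted to garbage.
function decrypt_field(string $encoded, string $key, string $aad = ''): string
{
    $blob = base64_decode($encoded, true);
    if ($blob === false || strlen($blob) < IV_BYTES + TAG_BYTES) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($blob, 0, IV_BYTES);
    $tag = substr($blob, IV_BYTES, TAG_BYTES);
    $ct  = substr($blob, IV_BYTES + TAG_BYTES);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        throw new RuntimeException('decryption failed: tag mismatch or wrong key');
    }
    return $pt;
}

// Usage with a constructed sample row. A real deployment would call
// load_key('/etc/myapp/field.key') instead of generating a key here.
$key = random_bytes(32);
$row = ['id' => 42, 'amount' => '1234.56'];

// Binding the row id as associated data stops an attacker who can write to
// the table from moving a valid ciphertext from one record to another.
$stored = encrypt_field($row['amount'], $key, (string) $row['id']);
echo 'stored: ', $stored, PHP_EOL;
echo 'decrypted: ', decrypt_field($stored, $key, (string) $row['id']), PHP_EOL;

// Tampering check: flipping one byte of the stored blob must fail to decrypt.
$tampered = base64_decode($stored, true);
$pos = IV_BYTES + TAG_BYTES;
$tampered[$pos] = chr(ord($tampered[$pos]) ^ 0x01);
try {
    decrypt_field(base64_encode($tampered), $key, (string) $row['id']);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Putting `decrypt_field` in a file that is only deployed on the internal network, as the post suggests, changes nothing about the key: anything that can read the key file and run PHP can decrypt, so file permissions on the key and on the process that loads it are what the whole scheme rests on.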
corbin, posted March 8, 2009

Keep your private key private and you should be fine. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security