
How do I secure data at rest from unauthorized access while still allowing my application to access the data using user authentication over HTTPS?

My scenario is as follows:

  1. Log in to the application using an ID and password (the password is hashed using MD5)

  2. After authentication from the server, user uploads data to the server

  3. User can retrieve that data using the application

  4. All data transfer is based on HTTPS

  5. Data on the server is not encrypted

My questions are:

  1. If I encrypt the data at the location on the server, how do I retrieve it using my client application?

  2. Is there any algorithm which allows data to be encrypted and the encrypted data to only be decrypted and retrieved when my application is trying to retrieve data?

  3. How do I keep that data secure from getting hacked if someone gets access to the server?

  • MD5 for hashing passwords is a big no-no. Commented Jun 16, 2014 at 13:46
  • Are you trying to authenticate the user or the application when downloading the data? In other words, can other applications download the data provided a successful user authentication, or do you want to restrict it to your application? Commented Jun 16, 2014 at 13:50
  • And don't forget the salt! Commented Jun 16, 2014 at 15:21
  • Are you storing the data in a database or a file system? Commented Jun 16, 2014 at 15:49
  • @KrisVandermotten Yes, I authenticate the user; I want to restrict it to my application only. Commented Jun 17, 2014 at 4:16

1 Answer

You could:

  1. Encrypt/decrypt data in the client, then the server is just storing an opaque blob.
  2. Have the client transmit a key that the server uses for encryption/decryption.

Any encryption algorithm provides what you want; what matters is key management. Additionally, if your server is compromised, then encryption at rest only protects against adversaries not able to tamper with your operating environment. If they can modify the server (which they usually are able to do, except for access to backups, etc.) then they can capture the data coming and going. In that case, only client-side encryption will help.

And seriously, don't use MD5 for passwords. If you're using MD5 for password hashes, you've already put users' data at risk. Leaked, unsalted MD5s are basically as good as plaintext these days. scrypt and bcrypt are considered the state of the art in password hash storage, but even salted SHA-2 will buy you a lot compared to MD5.

  • Can you suggest any good algorithm or any good security programs which could be very helpful? Commented Jun 17, 2014 at 4:21
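
Option 1 from the answer above (encrypt and decrypt in the client so the server stores only an opaque blob), as an added Node.js example that is not part of the original answer. The function names, the blob layout, the scrypt parameters and the choice to derive the key from the user's password are all assumptions made for illustration.

```javascript
// Added example: client-side encryption with a password-derived key.
// All names and the blob layout are hypothetical, not from the original post.
const nodeCrypto = require('crypto');

// Derive a 256-bit key from the password with scrypt and a per-blob random salt.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Client side, before upload. Layout: salt(16) | nonce(12) | tag(16) | ciphertext
function sealForUpload(password, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12); // must be fresh for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, nonce, cipher.getAuthTag(), ct]);
}

// Client side, after download. Throws on a wrong password or a modified blob,
// because AES-GCM verifies the authentication tag in final().
function openAfterDownload(password, blob) {
  if (blob.length < 44) throw new Error('blob too short');
  const salt = blob.subarray(0, 16);
  const nonce = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
}

// Stand-in for the server: it stores bytes per user and never sees a key.
const serverStore = new Map();

function roundTrip(user, password, data) {
  serverStore.set(user, sealForUpload(password, Buffer.from(data, 'utf8')));
  return openAfterDownload(password, serverStore.get(user)).toString('utf8');
}

// True when the blob cannot be opened (wrong password or tampering).
function rejects(password, blob) {
  try {
    openAfterDownload(password, blob);
    return false;
  } catch (err) {
    return true;
  }
}
```

With this design a password change means re-encrypting the stored blobs (or wrapping a random data key with the password-derived key), and a lost password means lost data; that is the key-management cost the answer refers to.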
