cayenne-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kadali Narendra <narendra_...@hotmail.com>
Subject RE: How to work on encryption/decryption
Date Thu, 11 Oct 2012 09:46:26 GMT

Thanks for you ideas Mike.

- Naren

> From: mkienenb@gmail.com
> Date: Fri, 5 Oct 2012 11:20:05 -0400
> Subject: Re: How to work on encryption/decryption
> To: user@cayenne.apache.org
> 
> I have always done my encryption at the application level.
> 
> I think there are a number of reasons why this makes the most sense.
> 
> Here are some tips from my past experience:
> 
> 1) clump multiple kinds of data together, and/or randomly add data.
> Encrypting a single field value by itself generally doesn't provide
> enough variation to be secure.
> 
> For example, rather than encrypting a credit card number in one place
> and an expiration date in another, encrypt all logical fields into one
> physical field.   I actually go a step further and encrypt all
> credit-card-related sensitive information which yields a long string.
>   You can then randomly add data to the beginning, end, and middle of
> your data string to further secure it either before encrypting, after
> encrypting, or both.
> 
> 2) Prefix your encrypted data string with versioning information.
> At some point, you are going to need to change your encryption.   It's
> a lot easier to do this, if which algorithm to use is part of the
> data.    You can then provide backwards compatibility for older data
> until such time, if ever, that you re-encrypt it using a newer
> algorithm.   You might need to do this because of a defect in your
> algorithm, because you've added new data fields, or because you need
> to replace your encryption key.
> 
> 3) Remember that encrypted fields cannot be searched or sorted in the
> database, and that providing a search index of any kind will weaken
> your encryption.   This is the tradeoff of encrypting data.
> 
> 4) Remember to only work with the decrypted data as character arrays,
> not as Strings, once you've pulled it out, to avoid it sticking around
> in memory.
> 
> Here's a broad overview of the important methods you'd want to
> implement.  It will take some work to provide your own implementation,
> and for obvious reasons, I will not provide mine, but it will give you
> a very flexible system when you are finished.
> package utilities.encryption;
> 
> public class DataBlockEncryptionManager {
>     protected String findVersion(String encryptedData)
>     	throws EncryptionException
>     {
>     }
> 
> 	/**
> 	 * Find and decrypt item in encrypted data block.
> 	 *
> 	 * @param encryptedData
> 	 * @param itemIndex from 0 to last item
> 	 * @return char array containing decrypted item, may be null if no
> data in block.
> 	 * @throws EncryptionException
> 	 */
> 	public char[] decryptDataBlock(String encryptedData, int itemIndex)
> 		throws EncryptionException
> 	{
> 	}
> 
> 	/**
> 	 * encrypt item in encrypted data block.
> 	 *
> 	 * @param encryptedData String containing previous encrypted block,
> null to create new block
> 	 * @param itemIndex from 0 to last item of item to encrypt
> 	 * @param newValue to add to block
> 	 * @return String containing encrypted block
> 	 * @throws EncryptionException
> 	 */
> 	public String encryptDataBlock(String encryptedData, int itemIndex,
> char[] newValue)
> 		throws EncryptionException
> 	{
> 	}
> }
> 
> 
> And write some tests to prove that these work for all kinds of
> different situations.  Something like permutations of the following:
> 
>     public void test_encryptDataBlockThenDecrypt() throws EncryptionException
>     {
>     	String encryptedData = null;
> 
>     	char[] value1 = "The quick brown fox jumped".toCharArray();
>     	String encryptedData2 = instance.encryptDataBlock(encryptedData,
> 0, value1);
>     	
> 		char[] value2 = "over the".toCharArray();
>     	encryptedData2 = instance.encryptDataBlock(encryptedData2, 1, value2);
>     	
> 		char[] value3 = "lazy dog".toCharArray();
>     	encryptedData2 = instance.encryptDataBlock(encryptedData2, 2, value3);
>     	
>     	char[] value1D = instance.decryptDataBlock(encryptedData2, 0);
> 		ArrayAssert.assertEquals(value1, value1D);
>     	
>     	char[] value2D = instance.decryptDataBlock(encryptedData2, 1);
> 		ArrayAssert.assertEquals(value2, value2D);
>     	
>     	char[] value3D = instance.decryptDataBlock(encryptedData2, 2);
> 		ArrayAssert.assertEquals(value3, value3D);
>     }
> 
> 
> 
> 
> On Fri, Oct 5, 2012 at 10:37 AM, kadali narendra
> <narendra_eng@hotmail.com> wrote:
> >
> > Hi All,
> >
> > I would like to know is there any way Cayenne supports MySQL DB encryption/decryption
seamlessly. Or else is there any third party libraries like Jasypt is available, which we
can use for encryption purpose.
> >
> > I know Jasypt can be integrated with Hibernate for encrypting/decrypting the data
stored in db thus providing db independence. So I don't have to worry about on which db vendor
I am using when deploying my application. I am looking similar kind of libraries which is
available for Cayenne.
> >
> > If any one happens to know such libraries please let me know. And also please share
your thoughts on encryption process on db + using cayenne.
> >
> > Thanks in advance for your help! :)
> >
> > - Naren
> >
 		 	   		  
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message