I am building a server based web application. For that, I've to store the encryption keys to the server to decrypt the data from the DB. In this situation, what is the best practice to store the security keys? and where to store the keys on the server to avoid hacking.
Related
I am developing a document sharing application that allows users to send files securely. Currently, I encrypt documents on the server side using encryption (key, IV), then encrypt the key and IV with the recipient's public key. However, I want the encryption to be client-side to avoid man-in-the-middle attacks.
I am aware that storing all the information (public key, private key, IV, etc.) on the server side can make my application vulnerable to a data breach, so I am looking for an end-to-end encryption solution.
I am new to this and was wondering if there are any libraries or security protocols I could use to implement this end-to-end encryption method.
What would be the best approaches to implement end-to-end encryption for my application? Are there any specific libraries or security protocols that I could use to enhance the security of my application?
Thank you in advance for your help and advice.
I have a general question about the right handling of sensitive data.
Use case scenario
A user sends sensitive data (documents or images) via an API to a Node.js server. The server then stores the data on the IPFS.
Currently the server is used in order to encrypt and decrypt the data, so that the plain text isnt stored and available on the IPFS. For encryption I am using a combination of AES and RSA similar to this example.
Questions
Would encryption with AES alone be sufficient, since hybrid encryption of AES and RSA is not really used in this case?
Should I add an additional layer of security between the client and the server (hybrid encryption, session key ...) or is a standard HTTPS connection sufficient in this case?
Any other tips or best practices I should consider? (I am not an security expert)
EDIT
Requirements and important points
The application is supposed to create licenses for uploaded Content. For this reason, the uploaded content should be secure and accessible only to authorized persons.
A person is authorized to view content if a corresponding license is available (can be queried by the system).
User experience and simplicity is important aswell
So I think a proper balance of security and usability would be ideal. Complexity or financial costs don't matter at first.
In principle, a user should not have to possess a private key. Therefore, I thought that hybrid encryption might be appropriate if an HTTPS connection is not "secure enough". My understanding would be that the server has a private and public key. When the client connects, the server tells the client the public key. Then the client generates a key for symmetric encryption (e.g. AES) and encrypts it with the server's public key. In this way, the key can be decrypted by the server and both parties have the AES key. This key can then be used to send encrypted content to the server and decrypt it there. The decrypted content can then be re-encrypted and stored on the IPFS.
Thanks in advance.
I am working on security implementation in web application. I have developed a node.js web server and a clients in HTML for displaying the data to end users. I want that the data shown to the clients be encrypted and sent from server. I though that i will encrypt the data using AES at node.js server and decrypt it at client. But decryption at client will need keys to be stored in the client application which is not recommended. I read about SubtleCrypto interface of WebCrypto API. But these are not supported in all browsers. Now I am not able to understand that how I implement encryption and decryption of data in my web application. Where should I keep the keys. Please advice any suitable architecture and technology so that I should be able to serve encrypted data to the clients without compromise of keys. Please suggest if symmetric or asymmetric encryption algorithm will be suitable for my scenario.
I am creating a web application that involves logging into servers via SSH and storing the details. Credentials will include root login details.
What are the best practices for storing this data safely and securely? Authentication using asymmetrical keys will be used be used but not the concern here.
The plan is to use MongoDB and Node.js.
The best way to encrypt data that is extremely sensitive like that, is to use AES 256.
You'll basically want to AES256 encrypt the login credentials in some sort of file (like a CSV), and make sure the encrypt key is stored somewhere extremely safe (on a computer not connected to the internet, for instance).
This is really the only way to handle that sort of information.
A client need to be authenticated by the server, so it need to send credentials. The credentials can be stored in a client database as in encrypted form. Since the server's certificate is known, in order to provide best security the client can use the public key of the server to encrypt the password. But the problem is now how to send the password without double encryption.
For example, suppose the server's authentication URL is "https://example.com/a?u=user&p=password", so the client have to send the SSL-encrypted data of this string to the server. Since the client stores only the encrypted password, it must find a way to send ssl_encrypt("https://example.com/a?u=user&p=")+pre_encrypted_password as a whole to the server.
The client is using WinHTTP api, so are there any way to achieve this?
No. SSL does not work that way - data sent over an SSL connection is encrypted using a symmetric cryptographic algorithm (usually AES, RC4, or similar), using a key that is established during the initial SSL handshake. The public/private key of the server are only used during the initial handshake; after that, they are not used.
Anyways, storing the password this way does not make it any more secure. If it's stored in an encrypted form that can be sent to the server, anyone who managed to get it would be able to use it that way; that encrypted form is password-equivalent, so it's no better than just storing the password!
Potentially you can save the certificate sent by the server (assuming that this certificate has RSA key which allows encryption), then use it in PKCS#7 encryption of your data, and send the encrypted data to the server. There's another question that appears - does the server-side code have access to the certificate. This is not the case in many configurations. So the server won't be able to decrypt the data.
Also, as pointed by EJP, this does not make much sense as you will be double-encrypting the data with merely the same key (technically keys will be different but the added security level will be minimal).