Member Avatar for jessec

Hi,

I'm not sure if this is the right place for it. I'm thinking of creating a secure place on the internet.

Some of my presumptions are:
1 - That no system/network is to be trusted.
2 - Important data should be encrypted.
3 - The link between data and encryption key should be as secure as possible.

What I got so far is the idea to create a path of stateless rpc proxy agents that transfer requests and answers.

Each agent should have only knowledge of the next agent, the request/answer will carry a encrypted
payload of passwords and requested data.

Paths will be generated from a secure site and each agent will be informed of his part in this setup.
This could happen to pre installed agents or by replacing agents with new agents. Ideally this reconfiguring
of paths should happen as much as possible and with the highest randomness. Agents have to be configured
in a fault tolerant mesh setup.

Additionally agents would be configured to integrity check their part of the network.

Asymmetric encryption is used to package transport data and symmetric encryption is used for database
encryption.

The weak point of this set up is the in memory data at the time of encryption and decryption of the data.
And I have no Idea how to solve this.

I'm very sure there are more weaknesses in this setup.

All suggestions are welcome.

Kind regards,

Jessec

  • 2 Contributors
  • 6 Replies
  • 111 Views
  • 3 Days Discussion Span
  • Latest Post Latest Post by jessec

Recommended Answers

All 6 Replies

Member Avatar for jessec

Hi,

If anyone wants to see some code or is interested in getting this up and running.

You can also pm me if your serious.

This is part of a larger secure invoice/ticket system, but can be easily adjusted into any other secure app.

Kind regards,

Jessec

Edited by jessec because: n/a
Member Avatar for jessec

Protecting your data

The Internet is the most unsafe computing environment in existence, and there are simply hundreds of thousands of people out there who would happily take control of your server through underhanded means if they could.

Why has nobody got any ideas about how to tackle this problem. It will become a major problem in the near future or am I totally wrong here.

If you have never thought of this subject here is a nice article.

http://www.tuxradar.com/practicalphp/17/3/0

Kind regards,

Jessec

Member Avatar for diafol

What are you trying to achieve with this post? Are you asking or pontificating? Sure the web is unsafe, but that doesn't mean you have to butt-fist yourself. Otherwise, nothing would get done. How secure does your data have to be?

In a nutshell, what are you proposing? That all webmasters are going to reap the whirlwind?

Member Avatar for jessec

Asking since I can't find any good solutions I'm asking you and others how to protect important data.

That's it what are you trying to accomplish. And until I get a good solution for this I will keep asking and looking. Sure I think to it's extra work too, but I don't think it should take that much extra once it's figured out. Especially if there are good standards developed.

Something as selinux in the beginning that was terrible, but now I'm very happy with it.

Especially considering many companies are relying on there data to be trusted I find myself often in that position and if I'm honest I just can't tell if my data is to be trusted. Considering more business and sensitive data is moving online. I think that sucks.

Kind regards,

Jessec

Edited by jessec because: n/a
Member Avatar for diafol

Ok
Guess you didn't find google very helpful

Member Avatar for jessec

Hi,

No I couldn't find anything about how to protect in memory data.
I thought of doing things with the shmop_ functions, but can't really find a way to protect that.

It seems that if there is no physical control over the machine/vps you can never be sure about your data.

I find this very frustrating.

Kind regards,

Jessec

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.