Storing encrypted files inside a database

I'm using PyCrypto to store some files inside a SQLITE database.

I'm using 4 fields:

the name of the file,

the length of the file (in bytes)

the SHA512 hash of the file

the encrypted file (with AES and then base64 to ASCII).

I need all the fields to show some info about the file without decrypting it.

The question is: is it secure to store the data like this?

For example, the first characters of a ZIP file, or executable file are always the same, and if you already know the hash and the length of the file... is it possible to decrypt the file, maybe partially?

If it's not secure, how can I store some information about the file to index the files without decrypting them? (information like length, hash, name, tags, etc.)

(I use Python, but you can give examples in any language)


Data encrypted with AES has the same length as the plain data (give or take some block padding), so giving original length away doesn't harm security. SHA512 is a strong cryptographic hash designed to provide minimal information about the original content, so I don't see a problem here either.

Therefore, I think your scheme is quite safe. Any information "exposed" by it is negligible. Key management will probably be a much bigger concern anyway.


To avoid any problems concerning the first few bytes being the same, you should use AES in Block Cipher mode with a random IV. This ensures that even if the first block (length depends on the key size) of two encrypted files is exactly the same, the cipher text will be different.

If you do that, I see no problem with your approach.
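
The effect of the random IV described above, as an added example that is not part of the original answers: it uses the `cryptography` package rather than PyCrypto and picks CBC as the mode. The table layout, function names and the ZIP-like sample bytes are constructed for illustration.

```python
import hashlib
import os
import sqlite3
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size in bytes (the same for 128-, 192- and 256-bit keys)

def encrypt_cbc(key, plaintext, iv=None):
    """AES-CBC with PKCS7 padding; returns iv || ciphertext."""
    iv = os.urandom(BLOCK) if iv is None else iv  # fresh random IV per file
    padder = padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()

def decrypt_cbc(key, blob):
    """Inverse of encrypt_cbc: the IV is read back from the first block."""
    dec = Cipher(algorithms.AES(key), modes.CBC(blob[:BLOCK])).decryptor()
    padded = dec.update(blob[BLOCK:]) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK * 8).unpadder()
    return unpadder.update(padded) + unpadder.finalize()

def store(db, key, name, data, iv=None):
    """Insert the question's four fields; the ciphertext is stored as a BLOB."""
    db.execute("INSERT INTO files VALUES (?, ?, ?, ?)",
               (name, len(data), hashlib.sha512(data).hexdigest(),
                encrypt_cbc(key, data, iv)))

def first_ct_block(db, name):
    row = db.execute("SELECT enc FROM files WHERE name = ?", (name,)).fetchone()
    return row[0][BLOCK:2 * BLOCK]  # skip the stored IV

def demo():
    key, fixed_iv = os.urandom(32), b"\x00" * BLOCK
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE files (name TEXT, length INTEGER, sha512 TEXT, enc BLOB)")
    header = b"PK\x03\x04" + b"\x00" * 12  # constructed 16-byte ZIP-like prefix
    a, b = header + b"contents of A", header + b"contents of B"
    store(db, key, "a_fixed", a, fixed_iv)  # reused IV: the weak setting
    store(db, key, "b_fixed", b, fixed_iv)
    store(db, key, "a_rand", a)             # random IV: the corrected setting
    store(db, key, "b_rand", b)
    same_fixed = first_ct_block(db, "a_fixed") == first_ct_block(db, "b_fixed")
    same_rand = first_ct_block(db, "a_rand") == first_ct_block(db, "b_rand")
    blob = db.execute("SELECT enc FROM files WHERE name = 'a_rand'").fetchone()[0]
    return same_fixed, same_rand, decrypt_cbc(key, blob) == a
```

With a reused IV the shared header encrypts to the same first ciphertext block in both rows; with a per-file random IV it does not. CBC by itself gives confidentiality only and does not detect tampering with the stored blob.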


You can't just say "oh, it's AES-256, of course it's secure." Just by your post I can see that you're confusing attacks against stream ciphers and block ciphers, so you probably should NOT be implementing this until you actually do research into this topic.

That being said, you must read about block cipher modes of operation. The entire CWE-310 family. It wouldn't hurt to pick up a copy of Practical Cryptography. After all of that there is still plenty of room for you to completely mess this up.

Real solution: USE SOMEONE ELSE'S IMPLEMENTATION.


You really need to think about what attacks you want to protect against, and the resources of the possible attackers.

In general, storing some data encrypted is only useful if it satisfies your exact requirements. In particular, if there is a way an attacker could compromise the key at the same time as the data, then the encryption is effectively useless.
