
Module 11 MySQL PHP OpenSSL Data Security v1.7

Global Open Versity
IT Systems Integration Hands-on Labs Training Manual

Deploy MySQL Database Encryption using PHP and OpenSSL to Protect Customers' Credit Card Info

Kefa Rabah
Global Open Versity, Vancouver Canada
krabah@globalopenversity.org
www.globalopenversity.org

Table of Contents Page No.

MODULE 11

DELIVERING MYSQL SECURITY WITH PHP AND OPENSSL

11.0 Introduction & Historical Overview to IT Security 3

11.1 Introduction to Cryptography 10


11.1.1 Digital Signature 10
11.1.2 Digital Certificate 11
11.1.3 Public Key Infrastructure (PKI) 11
11.1.4 Why Encrypt Data? 11
11.2 Secure Socket Layer (SSL) Certificate - Now Transport Layer Security (TLS): How It Works 13

11.3 Data Security 14


11.3.1 Data Encryption 15

11.3.2 OpenSSL in PHP 15


11.3.2.1 OpenSSL Functions 15
11.3.2.2 Generating the Digital Certificates 15
11.3.2.3 Getting the Keys 15

11.4 OpenSSL in PHP: Encrypting Data 16


11.4.1 Using OpenSSL in PHP Data Encryption 17

11.5 Crypto-Keys & Digital Certificates 17


11.5.1 How do I generate an RSA keys? 17
11.5.2 How do I generate a self-signed certificate? 18
11.5.3 How do I generate a certificate request for VeriSign? 19
11.5.4 Data Encryption 19
11.5.5 Data Encryption – via Signing Data 21
11.5.6 Data Encryption – via Signed Sealed Data 22
11.5.7 Data Encryption – via Signed Sealed Data 24

11.6 MySQL with PHP and OpenSSL 27


11.6.1 Storing Credit Card Information 28
11.6.2 Which Encryption Algorithm to use? 28
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.org CIS105 – PHP Programming



11.6.3 PHP's MySQL Support 28


10.6.3.1 Storing MySQL Database in Unsecured Form 29
11.6.3.1 Encrypting MySQL Database using MySQL PHP and OpenSSL 31

11.7 Secure Implementation of Message Digest, and Authentication 34

11.7.1 The Mechanics of the Hash Algorithm 35

11.7.2 A PHP Implementation of Message Digest Algorithms 35


11.7.3 Implementing password hashing with PHP and MySQL database 36

11.8 HowTo Generate and Install SSL in Tomcat Webserver on Windows 38

11.9 Final Thought - Security Policies! 41

11.10 What is Risk with Respect to Information Systems? 42


11.10.1 Dealing or Not Dealing With Risks 42

END-MOD.11 43

© A GOV Open Knowledge Access Technical Academic Publications License


Enhancing education & empowering people worldwide through eLearning in the 21st Century


Global Open Versity
Database Encryption & Security Hands-on Labs Training Manual

Deploy MySQL Database Encryption using PHP and OpenSSL to Protect Customers' Credit Card Info
By Kefa Rabah, krabah@globalopenversity.org, April 01, 2010, GTSI Institute

Abstract
In this module we present techniques for securing data against tampering by a man in the middle between communicating parties. This involves the use and implementation of message digests (hashing), message authentication and digital signature schemes. A hash function provides message authentication most satisfactorily when combined with a digital signature algorithm, which does have a key. Digital signatures currently provide Internet applications with data authentication and non-repudiation services, and are set to continue playing an important role as Internet services grow. Typical digital signature schemes, however, carry a performance overhead which, while acceptable for the periodic setup of a communication session, is often too large on a message-by-message basis. Hence the need today to focus on message authentication based on a shared secret key, ideally integrated into the hash function in some manner; that is the subject of this work.

Today, if you are a CIO keeping watch over a large enterprise, you may be forgiven for feeling overwhelmed by the challenges of managing governance, risk and compliance (GRC) initiatives; you are not alone. Many IT managers and executives are under continuous pressure to create a comprehensive, enterprise-wide strategy for security and regulatory issues. Threats come from all directions, from untrained employees and disgruntled ex-employees to skilled hackers and cyber-criminals around the globe. Add the ever-growing government regulations, the ever-changing compliance and partner requirements, and the risk of facing a government investigation, and technology and business managers face a daunting situation.

11.0 Introduction & Historical Overview to IT Security


Since almost the beginning of time, it seems, people have needed to keep information private and, in many situations, to decipher information previously made private by others. In our age of advanced digital technology these needs have grown exponentially and become more complex. Today, computer technology is on the verge of letting individuals and groups communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business and negotiate electronic contracts without ever knowing the true name, or legal identity, of the other. Interactions over networks will be untraceable, via extensive re-routing of encrypted packets and tamper-proof boxes that implement cryptographic protocols with nearly perfect assurance against tampering. Reputations will be of central importance, far more important in dealings than even the credit ratings of today. These developments will alter completely the nature of government regulation: the ability to tax and control economic interactions, the ability to keep information secret, and even the nature of trust and reputation. All of this will depend on how securely data can be moved from point to point, from the LAN to global network data exchange. It is recognized that encryption (otherwise known as scrambling, enciphering or privacy transformation) represents the only practical means of protecting such data during transmission and a useful means of protecting the content of data stored on various media, either
mobile or at rest, provided encryption of adequate strength can be devised and validated and is inherently integrable into the network system architecture.

Fig. 1: The SerengetiSys Labs Defense-In-Depth layered security model. Layers, outermost first, each built on the assumption that the prior layers fail: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data & Resources, Data Encryption.

Today, far bolder attacks come from hard-core cyber-criminals based in Eastern Europe and the former Soviet Union, now Russia, armed with sophisticated malware and identity theft. As attacks on enterprises grow more sophisticated and diverse, companies need to rethink their network defenses and their entire enterprise risk management strategy. Security is not only about protecting the network but also the data. That requires a combination of tactics, from securing the network perimeter to encrypting data at rest on mobile and storage devices. Today, many enterprises take a layered approach to the network, as in the SerengetiSys Labs Defense-In-Depth layered security model, see Fig. 1. A PKI gives you the ability to secure your network via data encryption to preserve confidentiality, hashing to maintain data integrity, digital signatures for authentication and digital certificates to secure your e-commerce systems through secure data transfer over the public network, the Internet. SIEM tools give you network monitoring, threat event management and reporting.

Let's look at what some of this network structure entails and the security role each layer plays:
• Perimeter Defenses Layer
An organization's perimeter defense is the oldest and, some would say, the most cluttered security layer. Firewalls have kept watch for over two decades at the frontier where corporate networks meet the public network, the Internet. A firewall blocks questionable network packets from reaching internal networks, denying passage based on the packet's source or destination IP address or on the service, such as File Transfer Protocol (FTP), the packet is attempting to reach. Intrusion detection systems (IDS) followed firewalls into the fray, detecting malicious worms and other attacks that get past a firewall. Intrusion prevention systems both detect and block attacks. Also on the network border: secure messaging gateways designed to stop spam and e-mail-borne viruses. As attacks became bolder, more defensive power was required, and in came the UTM appliance. A UTM (Unified Threat Management) appliance consolidates multiple devices into a single system combining hardware and software: the firewall typical of perimeter defenses together with intrusion prevention, anti-spam and antivirus software, and Web filtering. In time it too was folded into the network defenses layer, which interlinks with the other layers.

• Host defenses Layer


Currently, some IT departments have redrawn the perimeter around PCs and workstations deep within the firewall. One class of solutions relocates intrusion prevention systems from the technology's traditional place on the network to servers, desktops and laptops. So-called host intrusion prevention systems typically include firewall protection for the individual server or desktop computer, and may use a combination of signature-based and anomaly detection. Signature defenses, common in antivirus solutions, detect threats based on the characteristics of a particular malware variety. Anomaly-based detection flags behavior that falls outside the range of the host's normal activities.
• Identity and Access Management Layer
Security isn't just about blocking intruders; mechanisms for permitting access are required as well. That's where the identity and access management layer comes in. This field includes technologies that
house information on user identity; access management products may also enforce role-based policies that permit or restrict access to specific networks, applications and data based on an employee's job role.
Some IT departments aim to make access easier via single sign-on (SSO) for users who would otherwise need multiple passwords to sign on to different applications. In a large corporation it is not uncommon for a typical employee to use between six and 12 applications every day, each with its own password, while sales personnel might deal with 10 to 20 systems. A successful SSO implementation, however, depends on a well-run central identity store and, where certificate-based authentication is used, a PKI with centralized key management.

As a best practice, implement integrated solutions based on, for example, Microsoft Active Directory and Windows Identity Management Server. The ability to provide network-level authorization would help, say, hospitals maintain compliance with the Health Insurance Portability and Accountability Act's (HIPAA) patient data security requirements, Sarbanes-Oxley (SOX), PIPEDA and the like.
• Network Access Control (NAC) Layer
Network access controls (NAC) operate similarly to identity management applications: they aim to let trusted parties into the network and keep the bad guys out. In the case of network access control, however, the parties involved are machines (devices) rather than people (users). NAC products check devices connecting to the network for vulnerabilities, admit those that pass muster and quarantine offending machines for remediation. It is important to note that end-point scanning is a key driver for secure NAC deployment. NAC vendors refer to this feature as pre-admission control. But the technology is also important for keeping tabs on devices once they enter the network, a task vendors describe as post-admission control.

Having a centralized, integrated network infrastructure that includes properly configured identity management is critical before launching a NAC deployment. This is particularly true of post-admission controls, which come into play after admission is granted and role-based access is reviewed. Getting a grip on identity is crucial, especially for a granular understanding of the user's identity, which drives access controls.

Monitoring and reporting are important features for any network device, but for any security box tasked with blocking or allowing traffic, the ability to drill down quickly to a particular user or computer and see its status is critical for troubleshooting. You therefore need a network defense appliance with good monitoring features, high-level summaries and the ability to reach the detailed view quickly.

• Vulnerability Management Layer


Lines of defense are helpful, but it doesn't hurt to make the target smaller. Vulnerability management tools offer the potential to do just that. While network access control is focused on PCs and laptops, vulnerability assessment products cover a broader territory, scanning PCs, servers and network devices for missing security patches or botched configuration settings that could lead to an attack. These tools may be installed on PCs and servers, and are available as bundled hardware/software appliances. Vulnerability assessment can also be purchased as a service. Code scanners review lines of software code to identify flaws an attacker could exploit. Another component of vulnerability management is software for automating penetration tests. This technology gives organizations a view of enterprise networks and applications from an assailant's perspective. Penetration testing can help an organization identify weaknesses in application design and security processes. This is also where a good Security Information and Event Management (SIEM) system comes into play.


What’s the future of IT Security?


As security becomes more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance; hence the need for top-notch, effective SIEM tools. CIOs continue to grapple with new issues created by growing mobility and anywhere, anytime access, which makes the remote user the new perimeter rather than the firewall, increasing the risk to enterprise resources. In this respect, IT managers are focusing more and more on end-to-end visibility. Another monstrous issue that continues to dog corporate IT security is the failure to implement appropriate policies and procedures governing the health and security of the corporate network infrastructure. More importantly, the road to an enterprise security strategy and risk management starts with consulting stakeholders to determine the assets under threat, their vulnerabilities and what level of risk is acceptable. Educating employees on policies, procedures and best practices goes a long way toward minimizing risk. Then you can formulate a policy that lays out the controls that will achieve those goals, by implementing a solid IT security risk management plan.

Fixing and securing the network is fine, but how do you protect data at rest, or data on mobile devices such as laptops, which are easily stolen, leading to heavy loss of data, at times the personal information of thousands of customers or employees? Encrypting networks and data is a necessary fallback. However, encryption is neither a magic bullet nor invulnerable: criminals will always attempt to crack it, just as they do antivirus and anti-malware programs. And encryption does nothing against many SQL injection attacks or abuse by authorized users with access to the keys. Still, encrypting data is the best last resort when lost or stolen data falls into malevolent hands; it is a technical solution IT departments and vendors cannot afford to ignore, and it is easily implemented once an encryption policy is in place. About three-quarters of IT organizations budgeted for encryption in 2007, and that percentage is likely to rise, i.e., more company data will be encrypted in 2008 and beyond.

Adding to IT security's complexity and woes, federal regulations and partner requirements are constantly changing, continuously forcing organizations in healthcare, finance, city government or any publicly traded company to comply with regulations and business partners' requirements, and raising questions such as: Who has access to your network? How do you keep the bad guys out and let the good guys in? How do you control your supply chain and grant access to independent contractors and still comply with the rules? And what happens to that laptop with confidential company information when it goes missing?

Moreover, with constantly changing government laws and compliance requirements, the regulations a company must fulfill are a continuously moving target, see Fig. 2. Some of the regulations and requirements currently in effect are: the Health Insurance Portability and Accountability Act (HIPAA); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; the Payment Card Industry (PCI) Data Security Standard; and PIPEDA in Canada. Not meeting regulations can become a very big risk and can result in big problems for a company and especially its executive board.

Furthermore, we are constantly confronted with the dreaded identity theft epidemic, adding to the already endless pressures on IT. It is expected that government regulations, partners' requirements and public outrage will eventually force a clampdown on sloppy physical and digital security practices. Today the problem of identity theft, the loss of millions of individuals' personal data around the world, is on the rise and is expected to get worse. That means huge losses for consumers and organizations, and tighter privacy regulations. IT organizations, however, do not expect technical solutions to end security breaches any time soon; most say damage from viruses and computer worms will continue to rise significantly over the next five years. Inadequate mobile security is emerging as a new nightmare. But the biggest threat to security and identity is careless behavior: more IT executives say lost or stolen laptops or computer media represent a significant security threat to their organization's IT assets
than attacks on corporate networks; infected e-mails, downloads or web sites; or vulnerabilities in software or anti-virus programs. Changing such behavior continues to be notoriously difficult, but organizations will need to do so to conform to business requirements.

Fig. 2: Mapping compliance requirements and risk management technology solutions. The figure shows a Compliance Management System driven by the requirements PCI, HIPAA, PIPEDA, SOX, FFIEC and FISMA (the business driver), mapped onto Technology (Encryption, Anti-Virus, Vulnerability, Authentication, Access Controls, Network Management, Patch Management, Help Desk, Identity Management, Physical Security), Processes (IT Operations, Application Dev., Security Operations, Documentation, Systems Admin, Asset Customizations) and People (Application Developers, Asset Owners, Employees, Contractors).

Moreover, as the volume of business transacted across the Net increases, a corresponding rise in the amount of personal information stored on devices connected to it is being seen. With the woeful handling of such data by some retailers and vendors who have proven they simply don't "get" what effective privacy and security policies constitute, cyber-criminals are often able to get their hands on such data as easily as picking cherries off a tree. Take, for example, retail giant TJX, which for the better part of 2007 was raked over the coals for allowing hackers to penetrate its network over a three-year period and pilfer more than 94 million credit card records, the largest breach disclosed up to that time. The record-breaking breach suffered by TJX Companies didn't just happen: it was the result of conscious choices by the retailer's IT executives to risk not adopting security best practices (for example, the TJX IT department chose not to upgrade from the obsolete WEP encryption to the more secure WPA), and of regulators' decisions to treat the retailer with kid gloves.

In the end, with authorities virtually powerless to stop much of the online criminal activity taking place today, the best defense for companies is to employ stringent guidelines around the generation, exchange and storage of data. It is also imperative that employees be educated on the importance of such policies and the dangers of not following them, and that they follow clearly written guidelines in a risk management plan that closely monitors the security of the network and the data encryption policies.


The Menace of Enterprise Wireless Network


Just mention Wi-Fi in the IT industry and what immediately comes to mind is the horror story of TJX and the massive spill of customers' personal data into the hands of hard-core cyber-criminals, and of course the multimillion-dollar lawsuits and damages payouts they had to deal with. Yet Wi-Fi, with its ease of use, is the darling of everyone, all the way from home use to the enterprise level, where it is now fully integrated into the network infrastructure. And at all these levels the security of Wi-Fi is very lopsided. As more users demand portable devices such as personal digital assistants (PDAs) and smart phones, companies face additional hidden costs while IT managers scramble to keep their wireless network services secure and available, conforming to the bedrock of IT security, confidentiality, integrity and availability (CIA), in relation to government compliance regulations and business partners' requirements. Moreover, because today's business professionals and students in colleges and universities demand anytime, everywhere, anywhere wireless e-mail and Internet access, business owners face a sometimes overwhelming number of wireless coverage options and requirements.

Today, with the pervasive adoption of wireless networking, organizations face greater risks from a wide variety of sources. Neighboring networks, hard-core cyber-criminals, rogue access points, personal devices and misconfigured infrastructure are now exploit vectors through which corporate security can be compromised. Existing enterprise firewalls and VPN security systems do not provide an effective defense against these wireless threats. No longer is having a "No Wi-Fi" policy a guarantee that your organization has mitigated the risk associated with wireless LANs. And if you have a wireless LAN, the security capabilities built into your wireless infrastructure may not provide enough protection.

Two particular security challenges are worth mentioning: the broadcast nature of wireless networks and an initially weak encryption standard. Wireless networks transmit data to anyone in the broadcast area who has the right equipment to tune in. This is a fundamental difference from wired networks and poses security challenges that can expose an organization to significant transaction and reputation risks. Managing the broadcast area involves controlling radio transmissions that travel through walls, windows and doors. In addition, the initial encryption standard for protecting data transmissions, Wired Equivalent Privacy (WEP), has well-known weaknesses. WEP has been broken, tools are freely available to exploit it, and it is not surprising to still find some companies using it. Networks must therefore implement the alternative, Wi-Fi Protected Access (WPA). The combination of uncontrolled broadcast areas and a weak encryption standard creates an environment in which unauthorized access to systems and information can occur, and increases the importance of an effective security program and of the quality of risk management.

Even for a home wireless network, WEP is not sufficient: the known attacks recover the key whether a 64-bit or a 128-bit key is used, so always use WPA, or WPA2 where the equipment supports it. At the enterprise level, wireless security issues are further reduced by implementing user policies and procedures. Effective policies and procedures for wireless network installations and their usage reinforce the importance of system security. Wireless policies usually restrict employees from establishing their own wireless networks without prior approval, since wireless access points are relatively easy to install. Unauthorized wireless networks may present high and potentially large risks to the security and integrity of enterprise networks, especially at financial institutions or credit card handling sales points. In addition, effective policies and procedures should encourage employees using approved wireless networks to report unusual activities.

In a network compromise scenario, the only must-have for a successful attack is access. Any security expert or penetration tester will tell you that once they get into a network, subverting IT is just a matter of time. To make matters worse, once someone gains access to the remote or private network and obtains a valid IP address, the intruder could appear, at least from a network perspective, to be an authorized corporate user. Unless you have network access controls or core firewalling with good SIEM tools in
place, the attacker may well gain access to all your local and WAN-connected corporate assets via branch-office connections. This is one reason wireless is such a boon to attackers: network access is no longer confined to the physical building in this era of on-demand, anytime-everywhere-anywhere network access. Moreover, with the advent of enterprise-class 802.11n systems, the remote WLAN equation becomes even more complex, with added known and unknown risks. The upside is that 802.11n greatly increases the throughput of each AP radio while enhancing its ability to identify rogue devices. The downside, beside the cost premium that 11n gear commands, is that it becomes even easier to saturate the available WAN bandwidth. Security methods such as wireless encryption keep private data private, but the most critical measure is authenticating systems and users before granting access to the wireless LAN (WLAN). The same holds for wired networks. While companies stressed over WEP's weaknesses, they were letting contractors, consultants and other guests onto their networks with nary a passing thought.

Fig. 2a: General policy processing for computers and users accessing Wi-Fi networks.

Enter in-band network access control. Installed between access-layer switches and distribution or core switches, in-band NAC creates a choke point in the network; only systems that pass muster can enter, see
Fig. 2a. This is more than a binary grant/deny decision. In-band NAC appliances granularly regulate access to network servers and services, a powerful tool for mitigating the wide-open entry rights that plague authentication-only access control systems.

Seamless roaming is SerengetiSys Labs' vision: giving Serengeti wireless users an uninterrupted connection to the Internet and enterprise networks as they move through their business day. Moreover, today more incoming students are arriving on their respective campuses worldwide with at least one mobile device: cellular phone, VoIP handset, laptop or Personal Digital Assistant (PDA). And for many businesses, mobile devices have become a fact of life. The anywhere-everywhere-anytime access to business, family, friends and resources provided by mobile devices has become essential to their lives and their way of operating in a world of incredible technological change.

11.1 Introduction to Cryptography


Secrecy is the heart of cryptography, which is the cornerstone of data encryption; for more details see Module 10, Cryptographic Overview, CIS105. Encryption is a practical means of achieving information secrecy. Modern encryption techniques are mathematical transformations (algorithms) that treat messages as numbers or algebraic elements in a space and transform them between a region of "meaningful messages", the cleartext, and a region of "unintelligible messages", the ciphertext. To restore the information, an encryption transformation must be reversible, and the reversing transformation is called decryption. Conventionally, encryption and decryption algorithms are parameterized by cryptographic keys. An encryption algorithm and a decryption algorithm, plus a description of the format of messages and keys, form a cryptographic system, or cryptosystem. The rapid growth of information technology has led to astounding advances in cryptography for protecting the integrity and confidentiality of data.

In the modern information-oriented society, all manner of devices are connected to the Internet as terminals, which necessitates technology for information security. The world continues to witness an explosion of technology designed to help people communicate faster and more easily. We carry powerful digital computers in our pockets, exchange digital information in addition to voice with our mobile phones, and surf the Web with high-end PDAs. In the near future, especially as 3G wireless devices come of age, every type of electronic data channel will be used to exchange every type of electronic information. One of the great challenges of digital communication is securing the increased amount of electronic information now exchanged over the network. To make matters worse, everyone wants to be everywhere and anywhere and to be reachable via a mobile system, which makes mobile security a top priority for businesses that want to offer high-end mobile customer applications.

Over the last three decades the established cryptosystems, DES, AES, RSA, DSA, the one-time pad, discrete-logarithm schemes such as ElGamal and, of late, elliptic curve cryptography (ECC), have been the answer to the wide range of issues that affect modern secure communication and mobile data protection, including the assurance of privacy, certainty about the transmitter's or receiver's identity, and the integrity of the communication. Of late, centralized enterprise key management has also come to play a role in HR provisioning (people, process and technology), in mission-critical data encryption and in network access control.

11.1.1 Digital Signature


It's an electronic signature that authenticates the identity of the sender of a message. It can be used also to
ensure that the content of a sent message is unchanged, i.e., data integrity is preserved. If a digital
signature is used, it is still possible for the recipient to see the message in plain text. That is, for a digital
signature, the main idea is no longer to disguise what a message says, but rather to prove that it originates
with a particular sender.
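As an added example (not code from the module), the following PHP script uses the OpenSSL extension to sign a message with an RSA private key and verify it with the matching public key, showing that the message itself stays readable while any alteration is detected; the key pair and the order message are constructed for the demonstration.

```php
<?php
// Added example: digital signature with PHP's OpenSSL extension.
// The message is never hidden; the signature only proves origin and integrity.

// Generate a throwaway 2048-bit RSA key pair (constructed for this demo).
$keyPair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($keyPair === false) {
    die('Key generation failed: ' . openssl_error_string() . PHP_EOL);
}
// The public half, as PEM, is what the recipient would receive (e.g. inside a certificate).
$publicKeyPem = openssl_pkey_get_details($keyPair)['key'];

// Sender side: hash the message with SHA-256 and sign the digest with the private key.
function signMessage(string $message, $privateKey): string
{
    $signature = '';
    if (!openssl_sign($message, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return $signature;
}

// Recipient side: recompute the digest and check it against the signature with the public key.
// openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error), so compare strictly with 1.
function verifyMessage(string $message, string $signature, string $publicKeyPem): bool
{
    return openssl_verify($message, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample: an order notice that must be authentic and unaltered, but not secret.
$message   = 'Order 1001: ship 3 units to warehouse B';
$signature = signMessage($message, $keyPair);

echo "Message (still plaintext): $message\n";
echo 'Signature (base64): ' . base64_encode($signature) . "\n";
echo 'Original message verifies: '
    . (verifyMessage($message, $signature, $publicKeyPem) ? 'yes' : 'no') . "\n";

// Change one digit in transit: the text is still readable, but verification now fails.
$tampered = str_replace('3 units', '30 units', $message);
echo 'Tampered message verifies: '
    . (verifyMessage($tampered, $signature, $publicKeyPem) ? 'yes' : 'no') . "\n";
```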

11.1.2 Digital Certificate


It is an electronic document issued by a certification authority (CA) and usually contains your name, a
serial number, an expiration date and a copy of your public key (which anyone can use to encrypt
messages to send to you – you then open the messages with your private key) and the digital signature of
the CA. Use of a CA when doing business on-line allows anyone to check that you are who you say you
are.

11.1.3 Public Key Infrastructure (PKI)


A PKI can be used by a company to securely and privately exchange data and money. It involves a digital
certificate being issued that can identify an individual or company – but also offers directory services that
can store, allocate and revoke certificates as and when necessary. There are several third party vendors of
business PKI solutions, e.g. RSA, Baltimore, VeriSign, or Thawte that have gained public confidence as
CAs.

11.1.4 Why Encrypt Data?


There are three fundamental reasons to encrypt data, which you might call "The Three Laws of Data
Encryption". Basically, there are only three reasons to encrypt your enterprise data:
1. If data moves, physically or virtually, e.g., smart 3G phones, PDAs, laptops, backup tapes, email,
flash drives and EDI, and of course if that data can be lost.
2. To enforce separation of duties beyond what is possible with access controls. Usually this only
means protecting against administrators, since access controls can stop everyone else. Examples
include credit card or social security numbers in databases (when you keep the encryption keys
separate from the administrators' credentials) and files in shared storage.
3. Because someone tells you that you have to. I call this "mandated or prompted encryption". Rather
than encrypting blindly, you have to look at risk management, i.e. what the threats and vulnerabilities
are, and then put security policies and controls in place. A good example of blindly encrypting is
encrypting a column in a database and having the DBA manage the keys. For a more detailed risk
management plan, check out our course IT Security Risk Mgt & Compliance Strategies CIS300.

Role-based ID management and separation of admin duties, as depicted in Fig. 3, have great advantages in
securing an enterprise network. Today, security and privacy issues are increasing considerably with each
passing day – not to mention the crosswinds coming from stricter regulatory environments, as well as
an understanding that each new technological enablement introduces the potential both for increased risk
and for enhanced security. This is where role-based ID management comes into play, as it can offer
organizations an umbrella approach to securing their entire network infrastructure.


[Figure: network security components laid out across four zones, Perimeter, Network, Server/Application and Storage (Internet, LAN, storage array, storage tape). Security layers shown: Basic Security, Physical Security, Firewall, VPN, Authentication, Intrusion Prevention, Whitelisting, Identity Management, Access Control, Application Security, Workflow provisioning. Separated roles shown: System Admin, Security Officer, Security Auditor, Recovery Officer.]

Fig 3: Network Security components required to protect LAN against attacks on stored/dynamic information

Follow the link below to access the full document.

The full document has moved to Docstoc.com. You can access and download it from
here:

• Deploy MySQL Database Encryption using PHP and OpenSSL to Protect Customers Credit Card Info

OR

http://www.docstoc.com/docs/32581452/Deploy-MySQL-Database-Encryption-using-PHP-and-OpenSSL-to-Protect-Customers-Credit-Card-Info

-----------------------------------------------

Kefa Rabah is the Founder of Global Technology Solutions Institute. Kefa is knowledgeable in several
fields of Science & Technology, Information Security Compliance and Project Management, and
Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your
education and career goals using the latest innovations and technologies.
