半透明数据库
我正在构建一个包含健康信息的应用程序。这个面向消费者的应用程序对我来说是新的。我想要一种方法来完全消除隐私问题。当我回顾保护可公开访问的数据库中的敏感数据的方法时,我经常遇到数据库半透明的概念。有关于该主题的原书和来自 Oriellynet 的关于该主题的优秀教程。
我担心的是,在我认为非常现代的编程网站(比如这个)上,我看到的关于这一想法的信息非常少。维基百科上似乎没有关于这个想法的文章。这里没有关于该主题的问题,也没有关于该主题的最新教程或文章。简而言之,其想法是某些数据对于系统的某些用户来说是清楚的,而其他用户则通过加密方式被阻止访问该数据,即使他们具有管理员访问权限。
我在提供半透明数据访问的原型数据库上做了大量工作。我遇到了一个相当大的问题:要真正做到半透明,就不能有密码恢复机制。如果管理员可以重置用户密码,那么他们就可以短暂访问用户数据。为了真正实现半透明,用户绝不能丢失密码。
我们这些在日常生活中使用强加密来保护私人数据的人(当然是技术人员)在使用这些强加密系统时已经习惯了这个问题。如果“河豚”这个词是您日常词典的一部分,那是一回事,但是一个以消费者为中心的网站呢?我担心用户不愿意将他们的思想集中在真正的数据库半透明性隐含的“真正为您加密”的概念上。我害怕以“我丢失了密码”开头并以“我无能为力”结束的支持电话。
我的问题:我应该在我的应用程序中实现这个方法吗?是否有其他开源应用程序沿着这条路线进行比较数据库设计(特别是使用 php/MySQL)?我还有其他人追求这种真正安全但确实不方便的功能集吗?是否有另一种我错过的更流行和现代的数据库安全模型?数据库半透明是一种时尚还是我应该接受的合法数据库设计方法?虽然我总是很欣赏讨论,但我更喜欢可以在设计中利用的客观答案。
I am building an application with health information inside. This application will be consumer-facing with is new for me. I would like a method to put privacy concerns completely at ease. As I review methods for securing sensitive data in publicly accessible databases I have frequently come across the notion of database translucency. There is the original book on the subject and an excellent tutorial on the subject from Oriellynet.
My concern is that I have seen very little information regarding this idea on what I would consider very-modern programming sites (like this one). There does not seem to be an article about the idea on wikipedia. No questions on the subject here, and no very recent tutorials or articles on the subject. To be uber-brief, the idea is that certain data is clear to some users of the system, while other users a cryptographically prevented from accessing that data, even if they have administrator access.
I have done substantial work on a prototype database that provides translucent data access. I have run across a considerable problem: To be truly translucent, there can be no mechanism for password recovery. If an administrator can reset a users password, then they can briefly gain access to a users data. To be truly translucent, the user must never loose the password.
Those of us who use strong encryption to protect private data in our daily lives (technorati to be sure) are used to this problem when using these kinds of strong encryption systems. If the word "blowfish" is part of your daily lexicon that is one thing, but a website that is consumer focused? I am concerned that users will not be willing to wrap their mind around the "truly encrypted just for you" notion implicit with true database translucency. I am afraid of the support call that begins with "I lost my password" and ends with me saying "There is nothing that I can do for you".
My question: Should I implement this method in my application? Are there other open source applications that have gone down this route that I can compare database designs with (esp using php/MySQL)? I anyone else pursuing these kind of truly secure, but really inconvenient feature sets? Is there another database security model that is more popular and modern that I have missed? Was database translucency a fad or a legitimate database design method that I should embrace? While I always appreciate discussion I would prefer objective answers that I can leverage in my design.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
所以,我最近一直在研究类似的东西,并遇到了同样的问题。我正在考虑实施的解决方案如下:
此时,您仍然处于这样的情况:如果用户忘记了密码,他们已经拥有了密码。
这其中有很多挑战和考虑。我对其中的大多数有一些想法,但也对其他意见感兴趣:
毫无疑问,您在该领域实现的任何操作都会降低半透明数据库方法的安全性,但这可能是值得的妥协,具体取决于数据的性质。
So, I've been looking at something similar to this recently, and hit upon the same issue. The solution I'm considering implementing is as follows:
At this point, you're still in the situation where if the user forgets their password, they've had it.
There are lots of challenges and considerations in this. I've got a few thoughts on most of these, but would be interested in others opinions too:
Anything you implement in this area WILL reduce the security of the translucent database approach, without a doubt, but this may be a worthwhile compromise depending on the nature of your data.
我应该在我的应用程序中实现此方法吗?
就像生活中的其他事情一样,需要权衡:)它可能更安全,但更难构建。
是否还有其他开源应用程序沿着这条路线进行比较,我可以将数据库设计与之进行比较(特别是使用 php/MySQL)?
不知道,我想这些工具可以自己完成: )
还有其他人追求这种真正安全但确实不方便的功能集吗?
是的,但它似乎仍处于不成熟的状态,就像您所描述的有关丢失密码的问题一样。
是否有另一种我错过的更流行和现代的数据库安全模型?
基本上有两种数据库连接。一种选择为用户提供真实的数据库帐户,另一种选择是使用单点登录数据库。在 Web 出现之前,客户端/服务器领域中都有这两种模型的支持者,但在 Web 开发人员中,单点登录方法处于领先地位。
数据库半透明是一种时尚还是一种我应该接受的合法数据库设计方法?
不这么认为,例如,UNIX 密码数据库就是基本半透明数据库的一个很好的例子;)
这里有一些东西阅读链接文本
Should I implement this method in my application?
Well like other things in life, there is a trade off :) It's probably more secure but harder to built.
Are there other open source applications that have gone down this route that I can compare database designs with (esp using php/MySQL)?
Don't know, I guess the tools are there to do it yourself :)
Is anyone else pursuing these kind of truly secure, but really inconvenient feature sets?
Yes, but it seems like it's still in an immature state, like your problem you describe concerning lost passwords.
Is there another database security model that is more popular and modern that I have missed?
Basically there are two kinds of database connections. One option gives users a real database account, the other is to use single sign-on to the database. Prior to the web coming along, there were proponents of both models in the client/server world, but amongst web developers the single sign-on method is leading.
Was database translucency a fad or a legitimate database design method that I should embrace?
Don't think so, the UNIX password database, for instance, is a great example of a basic translucent database ;)
here something to read link text
回复:半透明数据库。我想你可以使用指纹。烧伤患者或最终丢失指纹的人怎么办?哎呀。这么小的用户比例值得吗?
熟悉 HIPAA,尤其是在技术方面。
请记住,除了天网* 之外,没有任何系统是真正安全的,看看发生了什么!人类负责。当您在医疗公司工作时,您会签署一份保密协议,表明您不会泄露您在职责中了解到的任何信息,因为这些信息是保密的。
会有人重置人们的密码。事情就是这样,因为并不是每个人都有技术能力,而且目前情况也是如此。
您只需按照 HIPAA 规定实施安全即可。
Re: translucent databases. You could, I suppose, use fingerprints. What about burn victims, or people who end up losing their fingerprints? Oops. Is it worth that small percentage of users?
Familiarize yourself with HIPAA, especially when it comes to technology.
Remember that no system is truly secure, except Skynet*, and look what happened with that! Humans are in charge. When you work in a medical company, you sign an NDA indicating that you won't release any of the information you learn as part of your duties because it is confidential.
There will be someone to reset people's passwords. That's the way it is, because not everyone is technologically competent, and that's the way it stays for now.
You only have to implement security as well as HIPAA says.
略有不同的解决方案,您可能需要查看 cryptdb:
http://css.csail.mit.edu/加密数据库/
Slightly different solution, you might want to check out cryptdb:
http://css.csail.mit.edu/cryptdb/