  May 2020
Module 11

MySQL PHP OpenSSL Data Security v1.7

Global Open Versity IT Systems Integration Hands-on Labs Training Manual

Deploy MySQL Database Encryption using PHP and OpenSSL to Protect Customers Credit Card Info
Kefa Rabah
Global Open Versity, Vancouver Canada

Table of Contents (with page numbers)

11.0 Introduction & Historical Overview to IT Security
11.1 Introduction to Cryptography .......... 10
11.1.1 Digital Signature .......... 10
11.1.2 Digital Certificate .......... 11
11.1.3 Public Key Infrastructure (PKI) .......... 11
11.1.4 Why Encrypt Data? .......... 11
11.2 Secure Socket Layer (SSL) Certificate - Now Transport Layer Security (TLS): How It Works .......... 13
11.3 Data Security .......... 14
11.3.1 Data Encryption .......... 15
11.3.2 OpenSSL in PHP .......... 15
    OpenSSL Functions .......... 15
    Generating the Digital Certificates .......... 15
    Getting the Keys .......... 15
11.4 OpenSSL in PHP: Encrypting Data .......... 16
11.4.1 Using OpenSSL in PHP Data Encryption .......... 17
11.5 Crypto-Keys & Digital Certificates .......... 17
11.5.1 How do I generate RSA keys? .......... 17
11.5.2 How do I generate a self-signed certificate? .......... 18
11.5.3 How do I generate a certificate request for VeriSign? .......... 19
11.5.4 Data Encryption .......... 19
11.5.5 Data Encryption – via Signing Data .......... 21
11.5.6 Data Encryption – via Signed Sealed Data .......... 22
11.5.7 Data Encryption – via Signed Sealed Data .......... 24
11.6 MySQL with PHP and OpenSSL .......... 27
11.6.1 Storing Credit Card Information .......... 28
11.6.2 Which Encryption Algorithm to use? .......... 28
11.6.3 PHP's MySQL Support .......... 28
    Storing MySQL Database in Unsecured Form .......... 29
    Encrypting MySQL Database using MySQL PHP and OpenSSL .......... 31
11.7 Secure Implementation of Message Digest, and Authentication
11.7.1 The Mechanics of the Hash Algorithm
11.7.2 A PHP Implementation of Message Digest Algorithms .......... 35
11.7.3 Implementing password hashing with PHP and MySQL database .......... 36
11.8 HowTo Generate and Install SSL in Tomcat Webserver on Windows
11.9 Final Thought - Security Policies!
11.10 What is Risk with Respect to Information Systems? .......... 42
11.10.1 Dealing or Not Dealing With Risks .......... 42

© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

CIS105 – PHP Programming


© A GOV Open Knowledge Access Technical Academic Publications License
Enhancing education & empowering people worldwide through eLearning in the 21st Century



Global Open Versity Database Encryption & Security Hands-on Labs Training Manual

Deploy MySQL Database Encryption using PHP and OpenSSL to Protect Customers Credit Card Info
By Kefa Rabah

April 01, 2010

GTSI Institute

Abstract

In this module we present techniques that are useful in securing data against tampering by a man in the middle between communicating parties. This involves the use and implementation of message digest (hashing), message authentication and digital signature schemes. A hash function can provide message authentication in a most satisfying manner when combined with a digital signature algorithm, which does have a key. Digital signatures currently provide Internet applications with data authentication and non-repudiation services and are set to continue playing an important role as Internet services continue to grow. Typical digital signature schemes, however, have some performance overhead which, while acceptable for the periodic setup of communication sessions, is often too large on a message-by-message basis. Thus, the need today is to focus on message authentication based on a shared secret key, ideally integrated into the hash function in some manner, and that is the subject of this work.

Today, if you are a CIO keeping watch on a large enterprise organization, you may be forgiven for feeling overwhelmed by all the challenges involved in managing governance, risk, and compliance (GRC) initiatives; however, you are not alone, you have lots of company. Many IT managers and executives are under continuous pressure to create a comprehensive, enterprise-wide strategy dealing with security and regulatory issues. These days, threats come from all directions, from untrained employees and angry ex-employees to clever hackers and cyber-criminals in various locations around the globe. Add to that the ever-growing government regulations, ever-changing compliance and partner requirements, and the risk of facing government investigation, and technology and business managers face a scary and intimidating situation.

11.0 Introduction & Historical Overview to IT Security

Since almost the beginning of time, it seems, man has had a need to keep information private and, in many situations, to decipher information previously made private by others. In our age of advanced digital technology these needs have grown exponentially and become more complex. Today, computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business, and negotiate electronic contracts without ever knowing the True Name, or legal identity, of the other. Interactions over networks will be untraceable, via extensive re-routing of encrypted packets and tamperproof boxes which implement cryptographic protocols with nearly perfect assurance against any tampering. Reputations will be of central importance, far more important in dealings than even the credit ratings of today. These developments will alter completely the nature of government regulation: the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation. All this will depend on how securely data can be moved from point to point, from the LAN to global network data exchange. It is recognized that encryption (otherwise known as scrambling, enciphering or privacy transformation) represents the only means of protecting such data during transmission and a useful means of protecting the content of data stored on various media, either mobile or at rest, provided encryption of adequate strength can be devised and validated and is inherently integrable into the network system architecture.

Today there are many more bold attacks by hard-core cyber-criminals out of former Eastern Europe and the former Soviet Union, now Russia, with heavy-gear malware and identity theft. As attacks on enterprises grow more sophisticated and diverse, companies need to rethink their network defense and entire enterprise risk management strategies. Security, for that matter, is not only about protecting the network but also the data. That requires a combination of tactics, from securing the network perimeter to encrypting data on mobile and storage devices at rest. Today, many enterprises look at the network as taking a layered approach, as per the SerengetiSys Labs' Defense-In-Depth layered security model, see Fig. 1. The PKI infrastructure will give you the ability to secure your network via data encryption to preserve confidentiality, data hashing to maintain data integrity, digital signatures for authentication, and digital certificates to secure your e-commerce network systems through secure data transfer over the public network, the Internet. SIEM tools would give us the power of network monitoring and threat event management and reporting.

Fig. 1: The SerengetiSys Labs Defense-In-Depth layered security model (layers as labelled in the figure: Perimeter Defenses, Network Defenses, Host Defenses, Application Defenses, Data & Resources, Data Encryption; each layer assumes the prior layers fail).

Let's look at what each layer of the network structure entails and the security role it plays:

Perimeter Defenses Layer

An organization's perimeter defense is the oldest and, some would say, the most cluttered security layer. Firewalls have kept watch for over two decades at the frontier where corporate networks reach the public network, the Internet. A firewall blocks questionable network packets from reaching internal networks, denying passage based on the IP address of the packet's source or on the destination service, such as File Transfer Protocol (FTP), that the packet is attempting to reach. Intrusion detection systems (IDS) followed firewalls into the fray, detecting malicious worms and other attacks that would get past a firewall. Intrusion prevention systems both detect and block attacks. Also on the network border: secure messaging gateways designed to prevent spam and e-mail-borne viruses. As time went on, attacks became bolder, and therefore more defensive power was required. In came the UTM appliance. A UTM (Unified Threat Management) appliance consolidates multiple devices into a single system combining hardware and software. The device combines the firewall typical of perimeter defenses with intrusion prevention systems, anti-spam and antivirus software, and Web filtering. Its time also came to pass, and it was replaced by the network defenses layer, which also interlinks with the other layers.

Host Defenses Layer

Currently, some IT departments have redrawn the perimeter around PCs and workstations deep within the firewall. One class of solutions relocates intrusion prevention systems from the technology's traditional place on the network to servers, desktops and laptops. So-called host intrusion prevention systems typically include firewall protection for the individual server or desktop computer, and may use a combination of signature-based and anomaly detection. Signature defenses, common in antivirus solutions, detect threats based on characteristics of a particular malware variety. Anomaly-based detection flags behavior that falls outside the range of the host's normal activities.

Identity and Access Management Layer

Security isn't just about blocking intruders; mechanisms for permitting access are required as well. That's where the identity and access management layer comes in. This field includes technologies that house information on user identity; access management products may also enforce role-based policies that permit or restrict access to specific networks, applications and data based on an employee's job specification. Some IT departments aim to make the access task easier, via single sign-on (SSO), for users who may need multiple passwords to sign on to different applications. For example, in some large corporations it is not uncommon for a typical employee to use between six and 12 applications every day, mapping to an equivalent number of passwords, while in some departments like sales the sales personnel might end up dealing with up to 10-20 computer systems. However, a successful implementation of SSO requires a good PKI infrastructure in place with centralized key management. For best practice, it is a good idea to implement system-integrated solutions based on, e.g., Microsoft Active Directory and Windows Identity Management Server. The ability to provide a network-level authorization solution, meanwhile, would help, say, hospitals to maintain compliance with the Health Insurance Portability and Accountability Act's (HIPAA) patient data security requirements, SOX Act compliance, PIPEDA, etc.

Network Access Control (NAC) Layer

Network access controls (NAC) operate similarly to identity management applications: they aim to let trusted parties into the network and keep the bad guys out. In the case of network access control, however, the parties involved are machines (devices) rather than people (users). NAC products check devices connecting to the network for vulnerabilities, admit those that pass muster and quarantine offending machines for remediation. It is important to note that end-point scanning is a key driver for secure NAC deployment. NAC vendors refer to this feature as pre-admission control. But the technology is also important for keeping tabs on devices once they enter the network, a task vendors describe as post-admission control. Having a centralized, integrated network infrastructure that includes properly configured identity management is critical before launching a NAC deployment. This is particularly true regarding post-admission controls, which come into play after admission is granted and role-based access is reviewed. Getting a grip on identity is crucial, and very useful especially for a granular understanding of a user's identity, which drives access controls. In this respect, monitoring and reporting are important features for any network device, but for any security box tasked with blocking or allowing traffic, the ability to quickly drill down to a particular user or computer and see its status is critical for troubleshooting. As such you need in place an excellent network defense appliance with good monitoring features, high-level information, and the ability to access the detailed view quickly.

Vulnerability Management Layer

Lines of defense are helpful, but it doesn't hurt to make the target smaller. Vulnerability management tools offer the potential to do just that. While network access control is focused on PCs and laptops, vulnerability assessment products cover a broader territory, scanning PCs, servers and network devices for missing security patches or botched configuration settings that could lead to an attack. These tools may be installed on PCs and servers, and are available as bundled hardware/software appliances. Vulnerability assessment can also be purchased as a service. Code scanners review lines of software code to identify flaws an attacker could exploit. Another component of vulnerability management: software for automating penetration tests. This technology gives organizations a view of enterprise networks and applications from an assailant's perspective. Penetration testing can help an organization identify weaknesses in application design and security processes. Here is where a good Security Information and Event Management (SIEM) system comes into play.


What's the future of IT Security?

As security becomes more complex, businesses increasingly see a need for enterprise security strategies, as well as ways to collate information from the various tools and evaluate their performance; hence the need for top-notch and effective SIEM tools. IT industry CIOs continue to grapple with new issues created by growing mobility and anywhere, anytime access, making the remote user the "new perimeter" frontier rather than the firewall, and thus increasing the risk to enterprise resources. In this respect, IT managers are currently focusing more and more on getting end-to-end visibility. Another monstrous issue that continues to dog IT corporate security is the failure to implement appropriate policies and procedures that govern the health and security of the corporate network infrastructure. More importantly, the road to an enterprise security strategy and risk management starts with consulting stakeholders to determine threats and assets, asset vulnerabilities and what level of risk is acceptable. Employee education on policies, procedures and best practices would go a long way toward minimizing threat risks. Then you can formulate a policy that lays out the controls that will achieve the goals, implemented as a solid IT security risk management plan.

Fixing and securing the network is fine, but how do you protect the stored data at rest, or the data on mobile devices like laptops, which are highly vulnerable to theft, leading to heavy loss of data, at times with thousands of customers' or employees' personal information? Encrypting networks and data is a necessary fallback. However, encryption isn't a magic bullet, nor is it invulnerable; criminals will always attempt to crack it, just as they do antivirus and anti-malware programs. And encryption doesn't do a thing against many SQL injection attacks or abuse by authorized users with access to the keys. Still, encrypting data is the best last resort when lost or stolen data falls into malevolent hands; it is a technical solution IT departments and vendors cannot afford to ignore, and it is easily implementable once an encryption policy is put in place. About three-quarters of IT organizations budgeted for encryption in 2007, and that percentage is likely to rise, i.e., more company data will be encrypted in 2008 and beyond.

To add to IT security complexity and woes, federal regulations and partner requirements are constantly changing, continuously forcing many organizations in healthcare, finance, city government or any publicly-traded company to comply with the regulations and business partners' requirements: Who has access to your network? How do you keep the bad guys out and let the good guys in? How do you control your supply chain and grant access to independent contractors and still comply with the rules? And what happens to that laptop with company confidential information when it goes missing? Moreover, with constantly changing government laws, compliance requirements and business partners' regulations, what a company must fulfill is continuously a moving target, see Fig. 2. Some of the regulations and requirements currently in effect are: the Health Insurance Portability & Accountability Act (HIPAA); the Gramm-Leach-Bliley Act (GLBA); the Sarbanes-Oxley (SOX) Act; the Payment Card Industry (PCI) Data Security Standard; and PIPEDA in Canada. Not meeting regulations can become a very big risk and can result in big problems for a company and especially its executive board. Furthermore, today we are constantly confronted with the ever-dreaded identity theft epidemic, adding to the already endless pressures and IT tribulations. It is expected that government regulations, partners' requirements and public outrage will eventually force a clampdown on sloppy physical and digital security practices.

Today, the problem of identity theft, the loss of millions of individuals' personal data around the world, is on the rise and is expected to get worse. That means huge losses for consumers and organizations, and tighter privacy regulations. IT organizations, however, don't expect technical solutions to end the security breaches any time soon; most say damage from viruses and computer worms will continue to rise significantly over the next five years. Inadequate mobile security is emerging as a new nightmare. But the biggest threat to security and identity is careless behavior: more IT executives say lost or stolen laptops or computer media represent a significant security threat to their organization's IT assets than attacks on corporate networks; infected e-mails, downloads or web sites; or vulnerabilities in software or anti-virus programs. Changing IT executives' behavior continues to be notoriously difficult, but organizations will need it to conform to business requirements.








Fig. 2: Mapping compliance requirements and risk management technology solutions (figure labels: Business Driver; technology areas: Access Controls, Network Management, Patch Management, Help Desk, Identity Management, Physical Security, IT Operations, Application Dev., Security Operations; owners: Systems Admin, Asset Customizations, Application Developers, Asset Owners).

Moreover, as the amount of business transacted across the Net increases, a corresponding rise in the amount of personal information stored on devices connected to it is being seen. With the woeful handling of such data by some retailers and vendors who have proven they simply don't "get" what effective privacy and security policies constitute, salivating cyber-criminals are often able to get their hands on such data as easily as picking cherries off a tree. Take, for example, the better part of 2007, when retail giant TJX was raked over the coals for allowing hackers to penetrate its network over a three-year period and pilfer more than 94 million credit card records, the worst security breach in the history of the Internet to date. The record-breaking breach suffered by TJX Companies didn't just happen; it was the result of conscious choices made by the retailer's IT executives to risk not adopting security best practices (e.g., the TJX IT department willfully declined to upgrade from the obsolete WEP encryption to the more secure WPA encryption), and of regulators' decisions to treat the retailer with kid gloves. In the end, with authorities virtually powerless to stop much of the online cyber-criminal activity taking place today, the best defense for companies is to employ stringent guidelines around the generation, exchange and storage of data. It is also imperative that employees be educated on the importance of such policies and the dangers of not following them, and follow clearly written guidelines in a risk management plan that closely monitors the security of the network and the data encryption policies.



The Menace of Enterprise Wireless Networks

Just mention Wi-Fi in the IT industry, and what immediately comes to mind are the horror stories of TJX and the massive splash of customers' personal data into the hands of hard-core cybercriminals, and of course the multimillion-dollar lawsuits and damages payouts they had to deal with. But of course Wi-Fi, with its ease of use, is in demand by everyone, all the way from home use to the enterprise level, where it is now fully integrated into the network infrastructure. And at all these levels the security of Wi-Fi is very lopsided. As more users demand portable devices such as personal digital assistants (PDAs) and smart phones, companies are facing additional hidden costs while IT managers scramble to keep their wireless network services secure and available, to conform to the bedrock of IT security, i.e., confidentiality, integrity and availability (CIA), in relation to government compliance regulations and business partners' requirements. Moreover, because today's business professionals and students in colleges and universities demand anytime, everywhere, anywhere wireless e-mail and Internet access, business owners are faced with a sometimes overwhelming number of wireless coverage options and requirements. And today, with the pervasive adoption of wireless networking, organizations are facing greater risks from a wide variety of sources. Neighboring networks, hard-core cybercriminals, rogue access points, personal devices and misconfigured infrastructure are now exploit vectors from which corporate security can be compromised. Existing enterprise firewalls and VPN security systems do not provide an effective defense against these wireless threats. No longer is having a "No Wi-Fi" policy a guarantee that your organization has mitigated the risk associated with wireless LANs. If you have a wireless LAN, the security capabilities built into your wireless infrastructure may not provide enough protection.

There are two particular security challenges worth mentioning: the broadcast nature of wireless networks and an initially weak encryption standard. Wireless networks transmit data to anyone in the broadcast area who has the right equipment to tune in. This is a unique difference from wired networks and poses security challenges that can expose an organization to significant transaction and reputation risks. Managing the broadcast area involves controlling radio transmissions that can travel through walls, windows, and doors. In addition, the initial encryption standard to protect data transmissions, named "Wired Equivalent Privacy" (WEP), has well-known weaknesses and vulnerabilities. Experts have cracked the WEP security standard, and tools are available to exploit WEP vulnerabilities, yet it is not surprising to find some companies still using the WEP option. As such, networks must implement the alternative security standard, Wi-Fi Protected Access (WPA). The combination of uncontrolled broadcast areas and use of a weak encryption standard creates an environment in which unauthorized access to systems and information can occur. This combination increases the importance of an effective security program and the quality of risk management. For a home wireless network it is sufficient to implement a 128-bit WEP key; however, for better security always use WPA security. For enterprise-level networks, the wireless security issues can be remedied by implementing user policies and procedures. Implementing effective policies and procedures for wireless network installations and their usage reinforces the importance of system security. Wireless policies usually restrict employees from establishing their own wireless networks without prior approval, since wireless access points are relatively easy to install.

Unauthorized wireless networks may present high and potentially large risks to the security and integrity of enterprise networks, especially at financial institutions or credit card handling points of sale. In addition, effective policies and procedures should encourage employees using approved wireless networks to report unusual activities. In a network compromise scenario, the only must-have for a successful attack is access. Any security expert or penetration tester will tell you that once he gets into a network, subverting IT is just a matter of time. To make matters worse, once someone gains access to the remote or private network and obtains a valid IP address, the intruder could appear, at least from a network perspective, to be an authorized corporate user. Unless you have network access controls or core firewalling with good SIEM tools in place, the attacker may well gain access to all your local and WAN-connected corporate assets via branch-office connections. This is one reason wireless is such a boon to attackers: network access is no longer confined to the physical building in this era of on-demand anytime-everywhere-anywhere network access. Moreover, with the advent of enterprise-class 802.11n systems, the remote WLAN equation becomes even more complex with added known-unknown risks. The upside is that 802.11n will greatly increase the throughput rates of each AP radio while enhancing its ability to identify rogue devices. The downside, besides the enormous cost premium that 11n gear commands, is that it will be even easier to saturate available WAN bandwidth. Security methods such as wireless encryption keep private data private, but the most critical measure is authenticating systems and users before granting access to the wireless LAN (WLAN). The same holds for wired networks. While companies stressed over WEP's weaknesses, they were letting contractors, consultants, and other guests onto their networks with nary a passing thought.

Fig. 2a: General policy processing for computers and users accessing Wi-Fi networks.

Enter in-band network access control. Installed between access-layer switches and distribution or core switches, in-band NAC creates a choke point in the network; only systems that pass muster can enter, see Fig. 2a. This is more than a binary grant/deny access decision. In-band NAC appliances granularly regulate access to network servers and services. That's a powerful tool for mitigating the problems of wide-open entry rights that plague authentication-only access control systems. Seamless roaming is SerengetiSys Labs' vision, giving Serengeti-wireless users an uninterrupted connection to the Internet and enterprise networks as they move through their business day. Moreover, today more incoming students are arriving on their respective campuses worldwide with at least one mobile device: cellular phone, VOIP, laptop or Personal Digital Assistant (PDA). And for many businesses, mobile devices have become a fact of life. The "anywhere-everywhere-anytime" access to business needs, family, friends and resources provided by mobile devices has become essential to their lives and their way of operating in a world of incredible technological change.

11.1 Introduction to Cryptography

Secrecy is the heart of cryptography, which is the cornerstone of data encryption; for more details see Module 10 – Cryptographic Overview CIS105. Encryption is a practical means to achieve information secrecy. Modern encryption techniques are mathematical transformations (algorithms) which treat messages as numbers or algebraic elements in a space and transform them between a region of "meaningful messages", or cleartext, and a region of "unintelligible messages", or ciphertext. In order to restore information, an encryption transformation must be reversible, and the reversing transformation is called decryption. Conventionally, encryption and decryption algorithms are parameterized by cryptographic keys. An encryption algorithm and a decryption algorithm, plus the description of the format of messages and keys, form a cryptographic system or cryptosystem. The rapid growth of information technology has led to astounding advances in cryptography to protect the integrity and confidentiality of data. In the modern information-oriented society, various devices are connected to the Internet as terminals, which necessitates technology for information security. Today, the world continues to witness an explosion of technology designed to help people communicate faster and more easily. We carry powerful digital computers in our pockets, exchange digital information in addition to voice data with our mobile phones, and surf the Web with high-end PDAs. In the near future, especially with the coming of age of 3G wireless devices, every type of electronic data channel will be used to exchange every type of electronic information. One of the great challenges of the ability to communicate digitally is securing the increased amount of electronic information now exchanged over the network. To make matters worse, today everyone wants to be everywhere and anywhere and be reachable via his mobile device.

And that makes mobile security a top priority for many businesses that want to offer high-end mobile customer applications. Over the last three decades the traditional cryptosystems like DES, AES, RSA, DSA, One-Time-Pad, DLP, ElGamal and of late ECC have thus far been the answer to the wide range of issues that impact modern secure communication and mobile data protection, including the assurance of privacy, the certainty of the transmitter's or receiver's identity, and the integrity of the communication. Of late, centralized enterprise key management is playing a role in HR provisioning via people, process and technology, and key management also plays a role in enterprise mission-critical data encryption and network access control.

11.1.1 Digital Signature

A digital signature is an electronic signature that authenticates the identity of the sender of a message. It can also be used to ensure that the content of a sent message is unchanged, i.e., that data integrity is preserved. If a digital signature is used, it is still possible for the recipient to see the message in plain text. That is, for a digital signature, the main idea is no longer to disguise what a message says, but rather to prove that it originates with a particular sender.

11.1.2 Digital Certificate

It is an electronic document issued by a certification authority (CA) and usually contains your name, a serial number, an expiration date and a copy of your public key (which anyone can use to encrypt messages to send to you; you then open the messages with your private key) and the digital signature of the CA. Use of a CA when doing business on-line allows anyone to check that you are who you say you are.

11.1.3 Public Key Infrastructure (PKI)

A PKI can be used by a company to securely and privately exchange data and money. It involves a digital certificate being issued that can identify an individual or company, but also offers directory services that can store, allocate and revoke certificates as and when necessary. There are several third-party vendors of business PKI solutions, e.g. RSA, Baltimore, VeriSign, or Thawte, that have gained public confidence as CAs.

11.1.4 Why Encrypt Data?

There are three fundamental reasons to encrypt data, or what you could call "The Three Laws of Data Encryption". Basically, there are only three reasons to encrypt your enterprise data:

1. If data moves, physically or virtually, e.g., smart 3G phones, PDAs, laptops, backup tapes, email, flash drives, EDI, etc., and of course in case of loss of the data.
2. To enforce separation of duties beyond what's possible with access controls. Usually this only means protecting against administrators, since access controls can stop everyone else. Examples include credit card or social security numbers in databases (when you separate the keys from the administrators' control) and files in shared storage.
3. Because someone tells you that you have to. I call this "mandated or prompted encryption"; you have to look at risk management, i.e., what the threats and vulnerabilities are, and then put security policies and controls in place. A good example of blindly encrypting is encrypting a column in a database and having the DBA manage the keys. For a more detailed risk management plan check out our course: IT Security Risk Mgt & Compliance Strategies CIS300.

Role-based ID management and separation of admin duties, as depicted in Fig. 3, have great advantages in securing an enterprise network. Today, security and privacy issues are increasing considerably with each passing day, not to mention the crosswinds coming from stricter regulatory environments, as well as an understanding that each new technological enablement introduces the potential both for increased risk and for enhanced security. This is where role-based ID management comes into play, as it can offer organizations an umbrella approach to securing their entire network infrastructure.



Fig. 3: Network security components required to protect the LAN against attacks on stored/dynamic information (figure labels: Storage array, Storage tape, Storage Network, Basic Security, Identity Management, Intrusion Prevention, Access Control, Application Security, Physical Security, Workflow provisioning; roles: System Admin, Security Officer, Security Auditor, Recovery Officer).



Kefa Rabah is the Founder of Global Technology Solutions Institute. Kefa is knowledgeable in several fields of Science & Technology, Information Security Compliance and Project Management, and Renewable Energy Systems. He is also the founder of Global Open Versity, a place to enhance your educating and career goals using the latest innovations and technologies.
