StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
18240337
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
6
CommunityOwnedDate
CreationDate
2013-08-14T19:14:50.173
FavoriteCount
0
LastActivityDate
2013-08-15T08:48:21.463
LastEditDate
2013-08-15T08:48:21.463
LastEditorUserId
371137
OwnerUserId
371137
ParentId
18236761
PostTypeId
2
Score
8
ViewCount
0
LastEditorDisplayName
text
Body
<h2>The system you are building is probably insecure</h2> Except for storage you basically never want to just encrypt your data, but also authenticate it. Authentication in this context means that a valid message can only be generated by someone who knows the key. A widely used authentication scheme is <a href="http://en.wikipedia.org/wiki/HMAC">HMAC</a>. If you do not authenticate your messages anyone can feed data into your service. An attacker might not be able to fully control the outcome after decryption but he/she might still be very dangerous. For example, if you use CBC (which you do) and the most common paddings schemes (AES is a block cipher and can only encrypt 128bit Blocks of data) and an attacker can differentiate between a padding error and any other error then all your messages can be decrypted by an attacker. This is called a <a href="http://www.skullsecurity.org/blog/2013/a-padding-oracle-example">padding oracle attack</a> and is far too common. To protect from this class of attacks you can use an authenticated encryption scheme, for example the <a href="http://en.wikipedia.org/wiki/Galois/Counter_Mode">GCM</a> blockcipher mode. Also you have to protect against <a href="http://en.wikipedia.org/wiki/Replay_attack">replay attacks</a>. Consider a banking application and the data you are transmitting is a bank transfer order. Barring any TAN an attacker might record a previous transaction and replay this transaction to your service again and again thus transferring a multiple of the money the customer originally wanted to. Is the form you are getting the data from transmitted over HTTPS? If not: Can the key be eavesdropped by an attacker? How does a user know he got the form from you and not anybody else (SSL/TLS is as much about authentication as it is about confidentiality). Probably I have forgotten some other attack vectors simple CBC-encryption offers. <h2>Alternatives</h2> Probably the easiest way to protect against these attacks is to transmit the form data over HTTPS. SSL/TLS was designed to prevent all of the above attacks and the client and server side implementations had a long time to mature.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POAES - Encryption with Crypto (node-js) / decryption with Pycrypto (python)
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USPerseids
UserOwnerUserId
1. USPerseids
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.