openerp-community team mailing list archive

Re: About encryption in database

 

Hi Eric,

> I would expect a way to encrypt some critical data at database level
> (password, accounting information, salaries).
> I am not sure here but I have the feeling that encryption/decryption
> though should only be possible through a certificate/key at
> browser/client level to protect the key from the administrator.

I was playing with this a while ago, you can find my code here: 
https://code.launchpad.net/~hbrunn/+junk/encrypted_fields

This works with 6.1, but it should be quite simple to port to 7.0. Another 
addon on my list of addons that just need some polishing to be published when 
time permits. If anybody else is willing to do that, please!

What does it do? Users are assigned a private/public RSA keypair. When you set 
up encryption for a (by now text-)field, a symmetric AES key is created whose 
passphrase is encrypted with the public keys of all users who are supposed to 
be able to read and write the field. That's roughly what GPG does for mails 
with multiple recipients.

Caveats:
- only one group of users can have the keys for one field
- new users can't view the field even if they are a member of the right group. A 
member of that group will have to approve access (= decrypting the passphrase 
with the old member's private key, encrypting it with the new member's public key, 
writing it in the list of encrypted keys)
- this approach doesn't really work for char or int fields, there some kind of 
XORing with an encrypted random string should be used I guess.
- no searching through encrypted fields

Decryption is done on the server side. In my POV, doing it on the client side 
doesn't really add securitywise, as you still have to trust the code you run. 
Nobody is going to check if the admin didn't fiddle with the js code to have 
the passphrases logged or anything like that. Or is there a way of letting the 
browser do that where the JS code never sees the keys involved?

I'm very interested in the community's comments about this, up to now I 
thought I was nearly alone in thinking it would be a good thing to have 
that.

Regards,
Holger

-- 
Therp - Maatwerk in open ontwikkeling

Holger Brunn - Ontwerp en implementatie

mail: holger@xxxxxxxx
web: http://therp.nl
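
The per-field key wrapping and the approval step described in the message above, as an added sketch that is not part of the original mail and not the code from the linked branch. It assumes the Python `cryptography` package, RSA-OAEP for wrapping and AES-256-GCM for the field value (the mail names only RSA and AES); all function names, user names and the field name are hypothetical.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed primitives (not stated in the mail): RSA-OAEP wrapping, AES-256-GCM.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def setup_field(member_pubkeys):
    """Create one AES key for the field and wrap it once per authorised user."""
    field_key = AESGCM.generate_key(bit_length=256)
    wrapped = {name: pub.encrypt(field_key, OAEP) for name, pub in member_pubkeys.items()}
    return field_key, wrapped


def unwrap(private_key, wrapped, name):
    """Recover the field key; raises KeyError for a user without a wrapped copy."""
    return private_key.decrypt(wrapped[name], OAEP)


def encrypt_value(field_key, plaintext, field_name):
    """AES-GCM with a fresh nonce; the field name is bound as associated data."""
    nonce = os.urandom(12)
    return nonce + AESGCM(field_key).encrypt(nonce, plaintext.encode(), field_name.encode())


def decrypt_value(field_key, blob, field_name):
    return AESGCM(field_key).decrypt(blob[:12], blob[12:], field_name.encode()).decode()


def approve(approver_name, approver_private, wrapped, new_name, new_public):
    """An existing member re-wraps the field key for a new member (the approval caveat)."""
    field_key = unwrap(approver_private, wrapped, approver_name)
    wrapped[new_name] = new_public.encrypt(field_key, OAEP)


def demo():
    names = ("alice", "bob", "carol")  # constructed users
    keys = {n: rsa.generate_private_key(public_exponent=65537, key_size=2048) for n in names}
    field_key, wrapped = setup_field({n: keys[n].public_key() for n in ("alice", "bob")})
    blob = encrypt_value(field_key, "salary: 4200", "hr.employee.notes")
    del field_key  # from here on only the wrapped copies exist
    as_bob = decrypt_value(unwrap(keys["bob"], wrapped, "bob"), blob, "hr.employee.notes")
    carol_before = "carol" in wrapped  # new group member has no key yet
    approve("alice", keys["alice"], wrapped, "carol", keys["carol"].public_key())
    as_carol = decrypt_value(unwrap(keys["carol"], wrapped, "carol"), blob, "hr.employee.notes")
    return as_bob, carol_before, as_carol
```

Only the per-user wrapped copies of the field key are stored, so removing a user's copy does not revoke what they already unwrapped; that requires a new field key and re-encryption of the stored values.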
