
openerp-community team mailing list archive

Re: About encryption in database


Hi Eric,

This is actually a pretty useful feature to have, and its usefulness
becomes evident in shared hosting environments and in the face of
hostile administrators.

Usually there are two types of answers given to this type of question:
1. Use some sort of shared secret (like a password that is known only to
the people who should have access to the information)
2. Use PKI (Public Key Infrastructure)

The first answer is only moderately more secure than having a plain-text
database/field.  Any shared secret has a habit of leaking out.

The second answer has the potential to be very secure, but the
traditional way of implementing it can make it very cumbersome,
inconvenient, and in the end less secure than you thought it was. This
is done with some sort of PKI (Public Key Infrastructure). Usually this
entails using server and client side certificates (PGP encryption, SSH
keys are several other examples of PKI). The first problem is that you
have to rely on the user to keep his certificates, secret keys, etc,
secure.  This is nearly impossible to guarantee with your average user.
The second problem is that it can become very inconvenient. For example,
what happens if he needs to access the data from a device other than the
one for which he has a client certificate?

I think that the best way to do this kind of implementation is a
variation of the second option. However, instead of keeping the public
keys with the server and the private keys with the client you keep
everything on the server and then you provide the user with access to
his client key through some sort of authentication mechanism (such as a
password).  This gives you the security of a PKI with the convenience of
a shared secret, except that the secret is not shared, of course, because
everyone has his/her own secret. If one person's key gets compromised
you can disable its access without inconveniencing anyone else.

Here are some ideas for how it might be implemented in OpenERP:
- You have to ensure access is only over HTTPS. It's of absolutely no
use to implement this encryption and then transmit the data over plain HTTP.
- For each user generate a public/private key pair, store them on the
server, encrypt the private key with a symmetric key derived from a
user-provided password.
- The tricky part is how to handle the encryption of that field.  You
have two options really:
  1. You store n-versions of the field, each version being
     encrypted by the public key of a user who should have access to that
     field. When the user views the field the version of it encrypted using
     his public key is fetched.
  2. You have one field encrypted with a server key that is somehow <lots
     of energetic hand waving> unlocked by any of the users' private key

This is my understanding of how it could be done in a truly secure way.
However, since I am not a security professional I would be interested to
hear how this could be improved or if there is an even better way of
achieving it.

Regards,
Mike.


On 02/01/2014 01:18 PM, Eric Caudal wrote:
> Hi,
> I am not sure this is exactly the same topic as Frederic mentioned and I
> did not want "to leech" on the topic...
> 
> We face another security/data access issue with a customer who would
> like to be able to hide the salary information from his IT administrator.
> After some investigations, the only way I found so far was to remove the
> root access (+other access) to the customer's IT administrator, which is
> a kind of rash.
> 
> I would expect a way to encrypt some critical data at database level
> (password, accounting information, salaries).
> I am not sure here but I have the feeling that encryption/decryption
> though should only be possible through a certificate/key at
> browser/client level to protect the key from the administrator.
> 
> Any security expert would be able to enlighten it? Any common practice
> from other ERP?
> -- 
> Eric CAUDAL
> 
> Eric Caudal
> /CEO/
> --
> *Elico Corporation, Shanghai branch
> /OpenERP Premium Certified Training Partner/ *
> Cell: + 86 186 2136 1670
> Office: + 86 21 6211 8017/27/37
> Skype: elico.corp
> eric.caudal@xxxxxxxxxxxxxx <mailto:eric.caudal@xxxxxxxxxxxxxx>
> http://www.elico-corp.com
> 
> Elico Corp
> 
> 
> _______________________________________________
> Mailing list: https://launchpad.net/~openerp-community
> Post to     : openerp-community@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openerp-community
> More help   : https://help.launchpad.net/ListHelp
> 
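The key-hierarchy Mike sketches above (one ciphertext per field, a per-user key kept on the server but sealed under a key derived from that user's password, and revocation by disabling one user's key without touching anyone else) can be shown end to end in a few dozen lines. The block below is an added illustration written for this archive page; it is not code from Mike, Eric or OpenERP. It assumes a symmetric key-wrapping variant of his option 2: a random data key encrypts the field, and each authorized user holds a copy of that data key sealed under a PBKDF2-derived key. The cipher is a stand-in (HMAC-SHA256 keystream with an encrypt-then-MAC tag) so that the example needs only the Python standard library; the field id, user names and passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed demo, not OpenERP code. The cipher below is a stand-in AEAD
# (HMAC-SHA256 keystream + HMAC tag, encrypt-then-MAC) used only so the example
# runs on the standard library; a deployment would use an established AEAD
# such as AES-GCM or ChaCha20-Poly1305 and an asymmetric wrap per user.

PBKDF2_ITERATIONS = 200_000  # cost of deriving a user's key-encryption key


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; `aad` binds the blob to its purpose (field id, user)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def _user_kek(password: str, salt: bytes) -> bytes:
    # The key that protects a user's copy of the data key exists only while
    # the user is authenticated; the database stores just the salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def _wrap_for(record: dict, data_key: bytes, user: str, password: str) -> None:
    salt = os.urandom(16)
    aad = f"{record['field_id']}|{user}".encode()
    record["wraps"][user] = (salt, seal(_user_kek(password, salt), data_key, aad))


def _unwrap(record: dict, user: str, password: str) -> bytes:
    if user not in record["wraps"]:
        raise PermissionError(f"{user} has no key for {record['field_id']}")
    salt, wrapped = record["wraps"][user]
    return unseal(_user_kek(password, salt), wrapped, f"{record['field_id']}|{user}".encode())


def encrypt_field(value: str, field_id: str, grantees: dict) -> dict:
    """Build the stored record: one ciphertext plus one wrapped data key per user."""
    data_key = os.urandom(32)
    record = {"field_id": field_id,
              "ciphertext": seal(data_key, value.encode(), field_id.encode()),
              "wraps": {}}
    for user, password in grantees.items():
        _wrap_for(record, data_key, user, password)
    return record


def read_field(record: dict, user: str, password: str) -> str:
    data_key = _unwrap(record, user, password)
    return unseal(data_key, record["ciphertext"], record["field_id"].encode()).decode()


def grant(record: dict, by_user: str, by_password: str, new_user: str, new_password: str) -> None:
    """Only someone who can already unwrap the data key can extend access;
    an administrator holding just the database cannot."""
    _wrap_for(record, _unwrap(record, by_user, by_password), new_user, new_password)


def revoke(record: dict, user: str) -> None:
    """Revocation drops that user's wrapped copy; nothing is re-encrypted."""
    record["wraps"].pop(user, None)


if __name__ == "__main__":
    rec = encrypt_field("12500.00", "hr.employee:42:salary",
                        {"alice": "correct horse", "bob": "battery staple"})
    print(read_field(rec, "alice", "correct horse"))
    revoke(rec, "bob")
    print(sorted(rec["wraps"]))
```

What the record in the database contains is the ciphertext, one salt and one sealed data key per user, and nothing derived from a password, so a dump taken by a hostile administrator yields only opaque blobs. Adding a new grantee requires an already-authorized user to unwrap the data key first, which is the property Mike wants from option 2, and the per-wrap AAD stops a sealed key from being moved to another field or user row.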

