Storing Social Security Number WAS: Encryption/Decryption Question
in [General]
|
Prev: Storing Social Security Number WAS:Encryption/Decryption Question
Next: Storing Social Security Number WAS:Encryption/Decryption Question
From: Richard Quadling on 12 Aug 2010 09:59 On 12 August 2010 14:45, tedd <tedd(a)sperling.com> wrote: > At 5:30 PM -0700 8/11/10, Daevid Vincent wrote: >> >> Â > -----Original Message----- >>> >>> Â 2. Were told it was a social security number >>> Â Â (i.e., in the form of 123-45-6789). >> >> Stop. >> >> Why are you even contemplating storing SS# ?? Why hold the SSN (encrypted or otherwise). If you hold it encrypted, then the keys have to exist somewhere and that will cost you something. Why not hold a non reversible hash? That way you can't determine the SSN, but someone posing as the SSN holder presents their SSN, you run it through the same hash routine and compare the hashes. If they match, then the SSN is valid. If not, then not. Don't store the SSN would be my way. The same way you don't store passwords using a reversible technology. -- Richard Quadling.
From: tedd on 12 Aug 2010 10:30 At 2:51 PM +0100 8/12/10, Ashley Sheridan wrote: >If you are storing the data in a DB, then I'd consider using >different levels of access to that via different DB users, which >should offer an extra layer of security in protecting the data. Of course, the routines I'm writing provide several levels of access for different functions/job-duties. However, at some point there will be people who will have access to SS# data. The real questions here are: 1. Is it lawful in the USA to store US SS# in an online database? 2. If it is lawful, then what security provisions are required? Cheers, tedd -- ------- http://sperling.com/
From: Bastien Koert on 12 Aug 2010 10:56 On Thu, Aug 12, 2010 at 10:30 AM, tedd <tedd(a)sperling.com> wrote: > At 2:51 PM +0100 8/12/10, Ashley Sheridan wrote: >> >> If you are storing the data in a DB, then I'd consider using different >> levels of access to that via different DB users, which should offer an extra >> layer of security in protecting the data. > > Of course, the routines I'm writing provide several levels of access for > different functions/job-duties. However, at some point there will be people > who will have access to SS# data. > > The real questions here are: > > 1. Is it lawful in the USA to store US SS# in an online database? > > 2. If it is lawful, then what security provisions are required? > > Cheers, > > tedd > > -- > ------- > http://sperling.com/ > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > The worst part of that is that is varies by state (check the MA and NY laws as the most restrictive), there are no federal guidelines as yet. However, the data must be stored in an encrypted format and it must be transmitted via SSL. We do it that way (taking both a hash for searching for the ssn and the encrypted form) and haven't had any issues as yet. Some clients are simply refusing to store SSNs for any person in the system where the address is in MA. The other thing to consider is that more and more states are looking to encrypt PII data (name, dob, ssn etc) for more security. You could consider storing just the encrypted ssn and link data in a separate database, that would require a different logon to access when the data is required. -- Bastien Cat, the other other white meat
From: Joshua Kehn on 12 Aug 2010 11:39 On Aug 12, 2010, at 11:32 AM, tedd wrote: > At 10:56 AM -0400 8/12/10, Bastien Koert wrote: >> However, the data must be stored in an encrypted format and it must be >> transmitted via SSL. We do it that way (taking both a hash for >> searching for the ssn and the encrypted form) and haven't had any >> issues as yet. > > The data will be encrypted and only accessible behind an SSL via an authorization process -- that's given. > > I have given some thought about searching the database for encrypted SS#'s and have been perplexed as how to do that. > > For searching standard fields, it's a piece of cake to use %LIKE%. For example, let's say the investigator has a piece of paper that has the number "393" on it and want's to search the database for all phone numbers that contain "393" -- he could use %LIKE% and that would produce 517-393-1111, 393-123-4567, 818-122-4393 and so on. That's neat! > > However, if the field is encrypted, then how do you preform a partial search on that? You can't encrypt the search string and use that because you need the entire string. So, how do you solve that problem? > > If you hash the number of store the hash, then you can create a hashed search string and use that. But again it doesn't work for partial %LIKE% searches. For example, I couldn't search for "393" in a SS# -- I would have to search for the complete SS#. > > So, how do you solve the %LIKE% problem with encryption and hashes? > >> The other thing to consider is that more and more states are looking to encrypt PII data >> (name, dob, ssn etc) for more security. > > I'm considering that as well, but that also raises more searching problems as described above. > >> You could consider storing just the encrypted ssn and link data in a >> separate database, that would require a different logon to access when >> the data is required. > > Interesting -- I might also hash the foreign link. But I have to think about that. > > Cheers, > > tedd > -- > ------- > http://sperling.com/ > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > Would one option be to have a table of unencrypted SSN's with an encrypted id for the user. So you could search the SSN's and then connect them, however if the table was dumped you wouldn't be able to link it directly to the person (as it would just have a SSN and an id). Regards, -Josh ____________________________________ Joshua Kehn | Josh.Kehn(a)gmail.com http://joshuakehn.com
From: Joshua Kehn on 12 Aug 2010 12:02
On Aug 12, 2010, at 11:55 AM, tedd wrote: > At 11:39 AM -0400 8/12/10, Joshua Kehn wrote: >> Would one option be to have a table of unencrypted SSN's with an encrypted id for the user. So you could search the SSN's and then connect them, however if the table was dumped you wouldn't be able to link it directly to the person (as it would just have a SSN and an id). >> >> Regards, >> >> -Josh > > No, the problem here is to keep the database from containing any raw SS#. It is absolutely necessary to encrypt the data. > > The question is: > > 1. Is it legal? > > 2. How to do it? > > Cheers, > > tedd > -- > ------- > http://sperling.com/ Tedd- In my mind if you have a table of raw SSN's it's fine as long as they can't be readily linked to a person without decrypting the id. Again, I don't know the legalities of it so I defer. If you have to encrypt them then I'm not sure how you would run any %LIKE% query unless you went through and decrypted them OTF when running the query. This (I don't believe) can be done in MySQL (or any other RDB) so it would have to be done in memory. Depending on the table size that gets annoyingly slow. If the SSN's must be encrypted, and you aren't encrypting the parts separately ( enc - enc - enc) I don't think you will be able to run a %LIKE% query simply. Regards, -Josh ____________________________________ Joshua Kehn | Josh.Kehn(a)gmail.com http://joshuakehn.com |