Information Security Asked by Ian Warburton on October 28, 2021
If a user is logged into a website and they submit sensitive info over HTTPS, which is encrypted and stored in a database, does it matter if the info is not also signed?
Given that signing requires a private key, if a hacker has access to the server and they wanted to tamper with the data, couldn’t they also resign the data with the same key?
... they submit sensitive info over HTTPS, which is encrypted and stored in a database,
HTTPS only encrypts data in transit. This means the server, as the endpoint of the HTTPS connection, is also the endpoint of the encryption done by HTTPS and thus has access to the plain data. It also means that the data in the database are not encrypted by HTTPS. Instead, the plain data need to be encrypted again with a key known to the server. The alternative would be to encrypt the data on the client with a key known only to the client (and kept on the client side), in which case the server would have no access to the data, whether HTTPS is used or not.
In any case, encrypted data should be protected against manipulation, so that decryption fails if something was changed in the encrypted data instead of returning different data. Some encryption algorithms provide this themselves, while in others an additional MAC is required. A MAC is not a signature and does not need a private key of the client.
A signature is only needed if you not only want to protect against data manipulation but also need proof that the data were provided by a specific client. HTTPS does not help here; this signature needs to be done instead on the client side with a private key known only to the client. Note that a signature does not need to imply encryption, i.e. it is possible that the server has access to the unencrypted data but gets only a client-generated signature, which provides proof of who provided the data.
Answered by Steffen Ullrich on October 28, 2021
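As an added illustration of the answer's point that server-side encrypted data should fail to decrypt when tampered with (this is example code, not part of the original answer), the following Go program stores a sensitive field with AES-GCM, an authenticated cipher, under a server-held key and binds the owning user id into the record; the key, user id and field value are constructed for the demo. No private key of the client is involved, which is exactly the MAC-versus-signature distinction the answer draws.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD turns a server-held 16/24/32-byte key into AES-GCM, an authenticated cipher:
// decryption fails on any change to ciphertext, tag, nonce or associated data.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one sensitive field for storage. The owning user id is bound in as
// associated data, so a blob copied into another user's row will not decrypt there.
// Output is nonce||ciphertext||tag, the value the database column would hold.
func sealRecord(key []byte, userID string, field []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, field, []byte(userID)), nil
}

// openRecord reverses sealRecord; a non-nil error means the stored value was altered
// (or was attached to the wrong user), and no plaintext is returned in that case.
func openRecord(key []byte, userID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored record too short to be valid")
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], []byte(userID))
}
```

A production key would come from a KMS or HSM rather than sit next to the database; the functions above do not change when the key source does.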