2

I am developing an application in php/MySql and looking for the best approach from a security standpoint. The application will use and store sensitive information. I realize there are risks to all approaches, but I need the best possible approach that will minimize security risks of the sensitive information with this application.

Here is the foundation of the application:

1) Entire application runs with https and php 7.

2) User registers for an account at register.php and passwords is hashed password_hash and Password_BCRYPT during registration.

3) User logs into the web application via login.php

4) Once logged in, user visits manage credentials page (manage-accounts.php) and on a web from enters url, user name and password for third-party websites (basically like a password manager).

5) Next user visits manage-customer.php page and enters sensitive customer information that includes ssn#.

6) Lastly user visits submit-customer.php page.

  • On this page the user selects one of the third-party websites entered in step 4 and a customer entered in step 5 and hits submit.
  • Upon submitting the php script, it will iframe the selected third-party website (third-party website uses https).
  • It will automatically log the user into the third-party website (with credentials from step 4). It will autofill sensitive customer information to the third-party https web form (with customer information from step 5). iii. It will submit the third-party webform.

Here are my questions:

1) For a system like this, what encryption/security methodology is considered best practice to maximize security of the sensitive information that is stored in step 4 and 5?

  • I am not looking to create my own encryption. I’d like to use an existing proven framework.

2) What is most secure way to transmit the information from step 4 and 5 to a third-party website via the iframed web form?

3) Is it better to store the sensitive information entered in step 4 and 5 on the server or on the client? If on the client exactly how should this be done?

user1609391
  • 129
  • 5

1 Answers1

1

The full scope of this question is huge (several aspects of secure application design). I'm not sure a simple Q&A here will suffice.

Given the seriousness of what you're attempting, you should get a strong AppSec pro into your team and consider a holistic approach that includes threat modeling, secure design, secure coding principles, security testing and verification.

I'll attempt short answers for pointed questions - with the disclaimer that AppSec pundits are still debating some of these, especially as some of the answers are "evolving" (e.g., secure credential storage - some discussions around favoring K12 and Blake2 over PBKDF2/ bcyrpt / scrypt).

This was not a question but:

  1. User registers for an account at register.php and passwords is hashed password_hash and Password_BCRYPT during registration.

Please make sure you're using a sizeable random salt. See this old discussion on hash and salt size for some understanding. OWASP has a decent and recent guide for this here. Note that the 2013 discussions were about 64 and 128 bit salt. OWASP mentions 64 byte (not bits) salt. Also recommended are keyed functions - not just simple hashing.

Finally, you mentioned "basically like a password manager." That complicates matters a bit. You will want to leave the user in control - with at least a reasonable assurance that part of the keys to the kingdom are locked away in their brain or their system. The usual method for this is that the user's master key (password) is not stored anywhere (not even on the local system) but is used to derive the key(s) used for password storage.

Now for your questions:

  1. For a system like this, what encryption/security methodology is considered best practice to maximize security of the sensitive information that is stored in step 4 and 5?

Sorry, no short answer for this question.

This system would need a comprehensive threat modeling + a privacy as well as security design from ground-up. It is good that you started off quite well - but please don't underestimate the tasks at hand. OWASP has guides for most parts, though people with deep expertise have been known to diss some areas (usually on the count that "it's not perfect" ... which, I consider a pedantic objection).

  1. What is most secure way to transmit the information from step 4 and 5 to a third-party website via the iframed web form?

As a security-conscious user I don't trust iframes. I don't recommend them to users. If what you're doing is akin to a password manager functionality - I suggest you explore alternatives.

  1. Is it better to store the sensitive information entered in step 4 and 5 on the server or on the client? If on the client exactly how should this be done?

Please see a previous para where I mentioned master key (password).

If you follow that advice, then you should store the per-user hashed-stash of passwords on your server. There is no real (technical) advantage of storing properly hashed/encrypted passwords on the user's system where it can easily be wiped out for a number of reasons.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Sas3
  • 2,648
  • 9
  • 20