0

I'm developing one site, my dates are encrypted in AES-256-OFB with functions of MySql, in this way I encrypt and decrypt in End To End, right?

If it is true, how resolve attack by Middle Man, in addition to using SSL? Are there any encryptions for this?

Explain me all. I know next to nothing about security. Help me. Thanks To all.

Roham Rafii
  • 2,929
  • 7
  • 35
  • 49
Hsrtick
  • 9
  • 4
  • You're heading for a world of pain if you start encrypting the data you insert into the database rather than using an encrypted filesystem – symcbean Sep 23 '15 at 23:08
  • TLS is mentioned below; use that. If you are just curious by what mechanism MITM is foiled, an easy way is by proper use of a message authentication code or MAC. See the problem with OFB alone is that a pseudorandom stream is XOR'd with plaintext. If the MITM wants to change the last block and knows the plaintext, he can XOR the crypto with that plaintext and XOR again with his own plaintext. Then it will decrypt without error to say whatever he wants it to say. The MAC would reveal the alteration. But just use TLS for practical applications. – WDS Sep 24 '15 at 00:49
  • @WDS For you what is the best mode for aes 256 (ecb,cbc,cfb1,cfb8,cfb128,ofb)? – Hsrtick Sep 26 '15 at 16:06
  • @symcbean What do you meen? – Hsrtick Sep 26 '15 at 16:07
  • No range queries, no partial matching, no sorting, limit on what you can do in procedures without injecting the encryption key (which rather defeats the purpose of encrypting).... – symcbean Sep 26 '15 at 23:18

1 Answers1

1

TLS already protects against man-in-the-middle attacks (within the transport protocol). If you apply it correctly, you should be safe against them.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263