Encrypt username, profile

matt7101 · August 26, 2017, 4:26pm

Hi,

I have a requirement to obfuscate the real identity of users in the mongo database. Other collections’ relevant data is already encrypted. The commercial mongodb choice, which would provide an encrypted database engine, is not an option.

Is there a way to encrypt ‘username’, ‘profile’ and maybe more fields in the MongoDB’s users collection?

Can Meteor’s Accounts Package be made to do that for me?

Could matb33:meteor-collection hooks be used to encrypt these (possible nested) fields on the fly?

Thanks,
matt

raphaelarias · August 26, 2017, 5:03pm

You may want to check how they do that: https://github.com/fractal-code/mylar

SkyRooms · August 26, 2017, 7:05pm

Any JS Encryption library would work. You could even look at how Bitcoin encrypts data. Here’s a google search for JS Encryption:

So you basically store a ‘private key’ some where on your website that runs checks against the data you’ll encrypt.

In PHP, it looks as such:

if( $submit_password == md5($user_password){

You can then encrypt all other data to store, like this:

$db->save( md5($username), md5($favorite_color));

And to retrieve it, you would need the private key or hash that encrypted it in the first place, which you must have SUPER secure on your server. If I find that key, I can unencrypt your data.

$db->get( un_md5($username));

This is all psudo code of course. But that’s the process. Good luck!

martineboh · August 26, 2017, 7:24pm

Also this: Handling front-end encryption using OpenPGP. You can always apply this implementation to the backend.

SkyRooms · August 27, 2017, 5:20pm

Yep! This. Do this. This is the thing I was trying to explain given to you ez street.

martineboh · August 28, 2017, 7:37pm

Another nice tool is JOSE from Cisco. JOSE, the JSON Object Signing and Encryption standard, solves this issue by giving you a formal mechanism to create two-way encrypted tokens. The main JOSE library for Node is made by Cisco and is called node-jose. The Node-Jose library is also quite simple to use, but the docs assume you’ve digested the entire JOSE spec first.

If you find yourself struggling with the doc like me, Dave Sag wrote this blog post about using Node-Jose on codeburst. Dave found the Node Jose docs confusing, there is a lack of JOSE code examples online, and very few people seem to use it, instead mistakenly assuming that JWTs are actually secure.