Encrypt username, profile


#1

Hi,

I have a requirement to obfuscate the real identity of users in the mongo database. Other collections’ relevant data is already encrypted. The commercial mongodb choice, which would provide an encrypted database engine, is not an option.

Is there a way to encrypt ‘username’, ‘profile’ and maybe more fields in the MongoDB’s users collection?

Can Meteor’s Accounts Package be made to do that for me?

Could matb33:meteor-collection hooks be used to encrypt these (possibly nested) fields on the fly?

Thanks,
matt


#2

You may want to check how they do that: https://github.com/fractal-code/mylar


#3

Any JS Encryption library would work. You could even look at how Bitcoin encrypts data. Here’s a Google search for JS Encryption:

So you basically store a ‘private key’ somewhere on your website that runs checks against the data you’ll encrypt.

In PHP, it looks as such:

if( $submit_password == md5($user_password) ){

You can then encrypt all other data to store, like this:

$db->save( md5($username), md5($favorite_color));

And to retrieve it, you would need the private key or hash that encrypted it in the first place, which you must have SUPER secure on your server. If I find that key, I can unencrypt your data.

$db->get( un_md5($username));

This is all pseudocode of course. But that’s the process. Good luck!
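
Added example, not part of the original posts or of any library mentioned in the thread: reversible field-level encryption for `username` and `profile` using Node's built-in crypto (AES-256-GCM), plus a keyed HMAC index so a user can still be found by username. A plain hash such as MD5 has no inverse, so it cannot return the stored value. The key handling, the `usernameIdx`/`usernameEnc`/`profileEnc` field names and the `protectUser`/`revealUser` helpers are assumptions made for illustration.

```javascript
// Added example: field-level encryption for a users document (Node built-in crypto).
const nodeCrypto = require('crypto');

// Assumption: in production these 32-byte keys come from a secret store or an
// environment variable, never from the database. Constructed here for the demo.
const ENC_KEY = nodeCrypto.randomBytes(32);   // AES-256-GCM key
const INDEX_KEY = nodeCrypto.randomBytes(32); // separate key for the lookup index

// Encrypt one value; output is base64(iv | authTag | ciphertext).
function encryptField(value, key = ENC_KEY) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Decrypt and authenticate; throws if the stored blob was modified or the key is wrong.
function decryptField(blob, key = ENC_KEY) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Deterministic keyed hash so `username` can still be matched with an equality query.
function blindIndex(username, key = INDEX_KEY) {
  return nodeCrypto.createHmac('sha256', key)
    .update(username.trim().toLowerCase()).digest('hex');
}

// Hypothetical helper: what a before-insert hook would store instead of the plaintext.
function protectUser(doc) {
  const { username, profile, ...rest } = doc;
  return { ...rest, usernameIdx: blindIndex(username),
           usernameEnc: encryptField(username), profileEnc: encryptField(profile) };
}

// Hypothetical helper: what an after-find hook would hand back to application code.
function revealUser(stored) {
  const { usernameIdx, usernameEnc, profileEnc, ...rest } = stored;
  return { ...rest, username: decryptField(usernameEnc), profile: decryptField(profileEnc) };
}
```

A lookup by username queries `usernameIdx` with `blindIndex(input)`; nested `profile` data is serialized as JSON before encryption, so it round-trips as an object.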


#4

Also this: Handling front-end encryption using OpenPGP. You can always apply this implementation to the backend.


#5

Yep! This. Do this. This is the thing I was trying to explain given to you ez street.


#6

Another nice tool is JOSE from Cisco. JOSE, the JSON Object Signing and Encryption standard, solves this issue by giving you a formal mechanism to create two-way encrypted tokens. The main JOSE library for Node is made by Cisco and is called node-jose. The Node-Jose library is also quite simple to use, but the docs assume you’ve digested the entire JOSE spec first.

If you find yourself struggling with the doc like me, Dave Sag wrote this blog post about using Node-Jose on codeburst. Dave found the Node Jose docs confusing, there is a lack of JOSE code examples online, and very few people seem to use it, instead mistakenly assuming that JWTs are actually secure.