I should add another variable to the problem. Data is important if it has a time of execution. If you know what is encrypted after it has been done or have no time to do something it is useless. Of course you can get some knowledge about the encryption. Sometimes, analyzing text you can understand and know the names.

If you would like 100% security, there is only one method available and this is One Time Key. All other encryption methods are vulnerable and it is a matter of computing time to break the code.

Rodolfo

-----Original Message-----
From: piclist-bounces@mit.edu [mailto:piclist-bounces@mit.edu] On behalf of Herbert Graf
Sent: Wednesday, 27 June 2012 01:00 p.m.
To: Microcontroller discussion list - Public.
Subject: Re: [OT] Database encryption

On Wed, 2012-06-27 at 08:59 -0400, V G wrote:
>
> No one's inventing encryption systems. I'm making use of standard AES
> encryption and choosing what gets encrypted and what doesn't.
>
> The data itself doesn't really matter. The important part is WHO the data
> belongs to - the names. If the names themselves can't be deciphered, then
> it should be good enough. What data is related to the names doesn't matter.
> The whole thing can be looked at as a key-value database with the key being
> names and the value being a bunch of numbers/blob text/etc. The value
> itself is meaningless.
>
> Example data: smokes, has cancer, enlarged left atrium, is an electrical
> engineer.
>
> That data in itself is useless. This isn't some secret government
> organization thing, so no one really cares about it in the first place, nor
> is anyone targeting it, nor would anyone spend any time trying to get it.
> I'm just being overcautious about this whole thing by nature.

OMG, are you being serious here? This is MEDICAL data you are talking about. "Smokes, has cancer, is an electrical engineer". If your DB got out, with this sort of stuff available you would be in A LOT of trouble.

Maybe data like that doesn't matter much to you, but how about the person it DOES belong to? Even without names (which doesn't say much due to how easy it often is to associate "anonymized" data with names) this is NOT the kind of data to be treated in such a haphazard way.

I really think you need to consult someone who's familiar with what's legally required as to the safeguarding of confidential medical data. I think you will find that "removing the names" is not for one second considered good enough.

TTYL

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
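
The concern raised in the thread, that records with encrypted names can still single out a person through the attributes left in clear, can be measured before a database is released by counting how many records share each combination of clear-text values. The Python below is an added example, not code from any participant in the thread; the records, the field names, the `ct-NN` ciphertext placeholders and the threshold `K` are all constructed assumptions.

```python
from collections import Counter

# Constructed sample rows. "name_ct" stands in for an AES-encrypted name
# (placeholder strings); every other column is stored in clear, as in the
# scheme described in the thread.
RECORDS = [
    {"name_ct": "ct-01", "smokes": True, "diagnosis": "cancer", "finding": "enlarged left atrium", "occupation": "electrical engineer"},
    {"name_ct": "ct-02", "smokes": True, "diagnosis": "none", "finding": "none", "occupation": "teacher"},
    {"name_ct": "ct-03", "smokes": True, "diagnosis": "none", "finding": "none", "occupation": "teacher"},
    {"name_ct": "ct-04", "smokes": False, "diagnosis": "none", "finding": "none", "occupation": "teacher"},
    {"name_ct": "ct-05", "smokes": False, "diagnosis": "none", "finding": "none", "occupation": "teacher"},
    {"name_ct": "ct-06", "smokes": True, "diagnosis": "cancer", "finding": "none", "occupation": "nurse"},
]

CLEAR_FIELDS = ("smokes", "diagnosis", "finding", "occupation")


def class_sizes(records, fields):
    """Count how many records share each combination of clear-text values."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def smallest_class(records, fields):
    """Size of the smallest group of rows that look identical on `fields`."""
    return min(class_sizes(records, fields).values())


def records_below_k(records, fields, k):
    """Name tokens of rows whose clear-text combination is shared by fewer
    than k rows: these stand out even though the name is encrypted."""
    sizes = class_sizes(records, fields)
    return [r["name_ct"] for r in records
            if sizes[tuple(r[f] for f in fields)] < k]


if __name__ == "__main__":
    K = 2  # assumed minimum group size for this illustration
    print("smallest group, all clear fields:", smallest_class(RECORDS, CLEAR_FIELDS))
    print("rows that stand alone:", records_below_k(RECORDS, CLEAR_FIELDS, K))
    # Leaving out the two most specific columns shows their contribution.
    coarse = ("smokes", "diagnosis")
    print("smallest group, coarse fields:", smallest_class(RECORDS, coarse))
```

A smallest group of 1 means at least one row is unique on its clear-text attributes alone, so encrypting the name column does not by itself make that row anonymous.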