On Jun 27, 2012, at 5:59 AM, V G wrote:

> No one's inventing encryption systems. I'm making use of standard AES
> encryption and choosing what gets encrypted and what doesn't.

AES is an encryption algorithm. Actually, it's only PART of an encryption algorithm, telling us how to encrypt ONE 128bit data block with a 256bit key. The "encryption system" involves a lot more (like how to encrypt more than 128bits of data!) Each of the other pieces of the "system" (which you are inventing?) presents ample opportunities to screw things up. (For instance, don't forget to encrypt any non-random nonce before passing it as ivec to AES_cbc_encrypt() (in OpenSSL).)

Now, it's probably the case that no one really cares about your database, and all you really need to do is meet some 'standard' of privacy that may or may not be what a cryptography expert considers "secure", and you'll be fine... And it's possible that the legal requirements are less secure than your mechanism would be, but still won't allow it. Don't forget that there are people who make entire careers out of advising companies how to meet legal privacy requirements.

BillW

-- 
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist
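
The advice in the message about encrypting a non-random nonce matches a method NIST SP 800-38A describes for producing an unpredictable CBC IV: apply the block cipher, under the data key, to the nonce and use the output as the IV. The following is an added example, not part of the original message, and it uses the `openssl enc` command line rather than the C call `AES_cbc_encrypt()`; the key, the function names and the `COUNTER:ciphertext` record layout are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo key (64 hex chars = 256 bits). Illustration only:
# a real key comes from a key store, never from the script.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

# derive_iv COUNTER
# Turns a predictable per-record counter (decimal, no leading zeros) into an
# unpredictable IV: the counter is formatted as one 16-byte block and
# encrypted as a single raw AES-256 block (ECB, no padding).
# Prints the IV as 32 hex characters.
derive_iv() {
    printf '%016d' "$1" |
        openssl enc -aes-256-ecb -nopad -K "$KEY" |
        od -An -v -tx1 | tr -d ' \n'
}

# encrypt_record COUNTER PLAINTEXT
# CBC-encrypts PLAINTEXT under the derived IV and prints "COUNTER:base64".
# Only the counter is stored; the IV itself is never written out.
encrypt_record() {
    iv=$(derive_iv "$1")
    ct=$(printf '%s' "$2" |
        openssl enc -aes-256-cbc -K "$KEY" -iv "$iv" -a)
    printf '%s:%s\n' "$1" "$ct"
}

# decrypt_record RECORD
# Re-derives the IV from the stored counter and prints the plaintext.
decrypt_record() {
    ctr=${1%%:*}
    ct=${1#*:}
    iv=$(derive_iv "$ctr")
    printf '%s\n' "$ct" |
        openssl enc -d -aes-256-cbc -K "$KEY" -iv "$iv" -a
}
```

CBC on its own provides no integrity protection, so a stored record still needs a MAC or an authenticated mode if tampering is a concern.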