Hi,
I'm building a system that needs to collect some sensitive user data via a secured web connection and store it securely on the server for later automated decryption and reuse. The system should also allow the user to view some part of the secured data (e.g., *****ze) and/or change it completely via the web. The system should provide a reasonable level of security.
I was thinking of the following infrastructure:
App (Web) Server 1
1. Web server with proper TLS support for secured web connections.
2. Use a public-key algorithm (e.g. RSA) to encrypt the sensitive data entered by the user and send it to App Server 2 via a one-way outbound secured channel (e.g. ssh-2) without storing it anywhere on either App Server 1 or DB Server 1.
3. Use a user-password-dependent symmetric-key algorithm to encrypt some part of the entered data (e.g. last few letters/digits) and store it on DB Server 1 for later retrieval by App Server 1 during the user's web session.
4. Re-use step 2 for data modification by the user via the web.
DB Server 1
- Store unsecured non-sensitive user data.
- Store some part of the sensitive user data encrypted on App Server 1 (see step 3 above)
App Server 2
- Do NOT EVER send anything TO App Server 1 or DB Server 1.
- Receive encrypted user sensitive data from App Server 1 and store it in DB Server 2.
- Retrieve encrypted user sensitive data from DB Server 2 according to the local schedules, decrypt it using private key (see App Server 1, step 2) stored locally on App Server 2 with proper key management.
DB Server 2
- Store encrypted user sensitive data (see App Server 2, step 2)
If either App (Web) Server 1 or DB Server 1 or both are compromised, then the attacker will not be able to get any sensitive user data (either encrypted or not). All the attacker will have is access to the public key and the encryption algorithms, which are well known anyway. The attacker will, however, be able to modify the web server to get currently logged-in users' passwords in plaintext and decrypt the part of the sensitive user data stored in DB Server 1 (see App Server 1, step 3), which I don't consider a big deal. The attacker will also be able to (via code modification) intercept sensitive user data entered by users via the web during a potential attack. The latter I consider a higher risk, but provided that it is hard (is it?) for an attacker to modify code without someone noticing, I guess I shouldn't worry much about it.
If App Server 2 and the private key are compromised, then the attacker will have access to everything, but App Server 2 and DB Server 2 are not web-facing, so it shouldn't be a problem.
How secure is this architecture? Is my understanding of how encryption algorithms and secured protocols work correct?
Thank you!
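The two encryption paths in the design above (App Server 1, steps 2 and 3), written out as an added example that is not part of the original post. It assumes RSA-OAEP wrapping a one-time AES-256-GCM key for step 2 and scrypt plus AES-256-GCM for step 3; the post only says "RSA" and "user-password-dependent symmetric-key algorithm", and all function names are hypothetical.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-256-GCM helpers shared by both paths (assumed cipher, not named in the post).
function gcmSeal(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function gcmOpen(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  // final() throws if the key is wrong or the record was modified.
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Constructed demo key pair. In the design, only the public half is on App Server 1.
function makeBackendKeyPair() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// App Server 1, step 2: encrypt the full value to App Server 2's public key.
function sealForBackend(publicKey, value) {
  const dataKey = crypto.randomBytes(32); // one-time key, never stored in the clear
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, ...gcmSeal(dataKey, value) };
}

// App Server 2: unwrap the data key with the private key, then decrypt.
function openOnBackend(privateKey, envelope) {
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  return gcmOpen(dataKey, envelope);
}

// App Server 1, step 3: encrypt only the display fragment under a password-derived key.
function sealFragment(password, fragment) {
  const salt = crypto.randomBytes(16);
  return { salt, ...gcmSeal(crypto.scryptSync(password, salt, 32), fragment) };
}
function openFragment(password, record) {
  return gcmOpen(crypto.scryptSync(password, record.salt, 32), record);
}
```

Nothing that `sealForBackend` returns can be opened with material held on App Server 1, while the fragment record is only as strong as the user's password.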