*** Please send response to openhealth mailing list. I am unable
to control the "Reply To" field through my webmail account. ***
On Sun, 22 Apr 2001 23:05:59 Horst Herb wrote:
...
>> (Pls note that I'm NOT asking about systems that would also satisfy all
>> kinds of legal requirements etc - the crucial target is to protect patient
>> data against e.g. theft of PCs).
>
>Yep. You can use Peter Gutmann's cryptlib, or Wei Dai's Crypto++ library, or
>use the GNU Privacy Guard.
...
Hi Horst,
It would be informative if you could discuss the relevant performance and security
differences between using these crypto libraries and using encrypted file systems. It seems
that the loop-back encrypted file system is integrated with the Linux kernel and has
some performance advantages. (It is also as secure as root access.)
>However, the sql server should be completely oblivious about the crypto
>stuff for your purposes.
This means you must use client-side crypto or encrypted file system.
If you send plain text + key to the "SQL server" and call an external crypto routine from
within the DBMS, then it will not be "oblivious" to the crypto stuff :-).
>It is the clients who do the encryption /
>decryption, then you don't have to worry about the data transport between
>client and server.
But then you will have key-sharing problems if the data is to be retrievable by more
than one person. If you decide to store the key on the workstation, then you will have
to worry about the key management/security problems there in addition.
>I highly recommend crypto++ or the gnu privacy guard for
>this purpose.
How do they/you propose to deal with the key management problem? I am not talking
about complying with any regulation at all here. As you know, any crypto system is
only as secure as the security of its keys :-(.
Best regards,
Andrew
---
Andrew P. Ho, M.D.
OIO: Open Infrastructure for Outcomes
www.TxOutcome.Org
Assistant Clinical Professor
Department of Psychiatry, Harbor-UCLA Medical Center
University of California, Los Angeles
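The key-sharing problem raised in the message above (data that several clinicians must be able to read, with a "SQL server" that stays oblivious to the crypto) is usually handled with envelope encryption: each record is encrypted client-side under its own random data key, and that data key is wrapped once for every authorised user's public key, so no long-lived symmetric key is ever copied between workstations. The program below is an added example written for this page, not code from Horst, Andrew, OIO or any of the libraries named in the thread; it uses only the Go standard library. The user IDs, the `NewUserKey` helper, the `Envelope` layout and the sample record are constructed for illustration. What it deliberately does not solve is the residual problem Andrew points at: protecting each user's private key on the workstation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all the oblivious database ever stores: the AES-GCM ciphertext
// plus one copy of the random data key wrapped for each authorised user.
// The server sees neither the data key nor any user's private key.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte            // AES-256-GCM output with the tag appended
	WrappedKeys map[string][]byte // user ID -> RSA-OAEP(dataKey)
}

// NewUserKey is a constructed helper that makes one clinician's RSA key pair.
// In a real deployment the private half would live on a smart card or an
// encrypted key store on the workstation, which this example does not model.
func NewUserKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptRecord encrypts one record client-side under a fresh 256-bit data key,
// then wraps that key separately for every recipient.
func EncryptRecord(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients: record would be unrecoverable")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Nonce:       nonce,
		Ciphertext:  gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients)),
	}
	// The user ID is bound in as the OAEP label, so a wrapped key copied into
	// another user's slot will not unwrap.
	for id, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte(id))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[id] = wrapped
	}
	return env, nil
}

// DecryptRecord unwraps the data key with one user's private key and decrypts.
// A user with no wrapped copy, or with the wrong private key, gets an error.
func DecryptRecord(env *Envelope, userID string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[userID]
	if !ok {
		return nil, fmt.Errorf("user %q is not authorised for this record", userID)
	}
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(userID))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed for %q: %w", userID, err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	drA, _ := NewUserKey()
	drB, _ := NewUserKey()
	outsider, _ := NewUserKey()
	record := []byte("patient 0001: constructed sample note") // constructed input
	env, err := EncryptRecord(record, map[string]*rsa.PublicKey{
		"dr_a": &drA.PublicKey, "dr_b": &drB.PublicKey,
	})
	if err != nil {
		panic(err)
	}
	out, _ := DecryptRecord(env, "dr_b", drB)
	fmt.Printf("dr_b reads: %s\n", out)
	_, err = DecryptRecord(env, "dr_a", outsider) // stolen envelope, wrong private key
	fmt.Println("outsider holding only the stored envelope:", err)
}
```

Adding or revoking a reader means re-wrapping the 32-byte data key, not re-encrypting the record, and a stolen disk or database dump yields only envelopes, which is the "theft of PCs" scenario the original question was about.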