Building secure applications Professional

The level of encryption-security solely depends on the key. But is not only a matter of how the key is generated, or how long the key is. It is almost more important how keys are used and managed in the real world.

Imagine a simple address table that is used by multiple persons. Each person needs a key to be able to use the address table. If every person would use the same key, it would not be a real secret any longer. In the worst case, if one of the person quits the job, the administrator would need to reissue new keys, additionally decrypt the data using the old key, and then encrypt the data using the new key.

A far better way to use encryption on database systems is the strict separation of keys used to physically encrypt tables, these keys should be maintained by the application and are typically hidden to the user. And keys/passwords to manage user authentification and restrict access to data and functionality based on users role and privileges. The database tables used to store privileges and user roles should be encrypted with a different key than the rest of the application tables.

Before developing secure applications, it is recommended to read a good book about cryptology, like "Applied Cryptology" by Bruce Schneier, published by Addison-Wesley and John Wiley & Sons.