Obfuscate legi number in database
Created by: fubu
For privacy reasons the matriculation (legi) number is not supposed to be used together with the N.ETHZ name. (See for example the exam results for Basis/Block exams in front of the department office)
At AMIV, we used to collect the matriculation number along with the N.ETHZ name for signups for a long time now (but without any validation). We never really needed it, except for when scanning the barcode on the legi card (which encodes the matriculation number), e.g. in the GV tool. This is always one-way: Having a legi number, determine the user (not even the N.ETHZ) behind it. Does anyone have a reasonable use case for the opposite direction?
My Proposal: Obfuscate the legi number inside our database in some way (treat it like a password).
- It prevents ordinary users from seeing/spying on other users, even accidentally when browsing through the user table.
- It can add an additional layer of (data) security: When an attacker gains access to the database only, he does not get the nethz<->legi mapping for free.
- It does not really hurt our API: The legi->nethz lookups are not so common.
For the obfuscation mechanism: My first idea was to use off-the-shelf encryption (e.g. AES) with an application-wide password loaded from the configuration (which needs to be protected from being readable to other users on the ISG servers anyways!). There might be better approaches (maybe PBKDF2?), but first: What is your opinion?
(Please consider that we open-sourced this, and people might use this software without thinking about such things - I think it's worth it to go this extra mile for future users.)
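As an added illustration of the two mechanisms floated above (it is not code from the AMIV API or from the author of this issue), the following Python compares a keyed one-way digest with a password-style PBKDF2 hash for the legi number. It assumes the legi is an 8-digit number displayed as `YY-XXX-XXX`, that the secret comes from an access-restricted config file (a constructed value stands in for it here), and that the only lookup direction the API needs is legi -> user, as the post states. All user records and the secret are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample secret standing in for the application-wide key loaded from the
# configuration file (assumption: that file is readable only by the API process).
APP_SECRET = b"constructed-example-secret-replace-via-config"


def normalize_legi(legi: str) -> str:
    """Strip the dashes of the assumed 'YY-XXX-XXX' display form and validate the digits."""
    digits = legi.replace("-", "").strip()
    if not (digits.isdigit() and len(digits) == 8):
        raise ValueError("legi number must consist of 8 digits")
    return digits


def obfuscate_legi(legi: str, secret: bytes = APP_SECRET) -> str:
    """Keyed one-way digest (HMAC-SHA256) of the legi number.

    Deterministic for a fixed secret, so 'legi -> user' stays an equality lookup on
    the stored column (indexable). Without the secret, a database dump alone yields
    neither the legi nor a cheap offline search over the ~10^8 possible numbers,
    which an unkeyed SHA-256 of an 8-digit value would not resist.
    """
    return hmac.new(secret, normalize_legi(legi).encode(), hashlib.sha256).hexdigest()


def pbkdf2_legi(legi: str, salt: Optional[bytes] = None, iterations: int = 100_000):
    """Password-style alternative: PBKDF2-HMAC-SHA256 with a per-record random salt.

    Returns (salt_hex, digest_hex). Because every row carries its own salt, finding
    the user behind a scanned legi means recomputing PBKDF2 against each candidate
    row; there is no column to index on, which matters for the barcode use case.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_legi(legi).encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_pbkdf2_legi(legi: str, salt_hex: str, digest_hex: str, iterations: int = 100_000) -> bool:
    """Check one stored (salt, digest) pair against a legi, in constant time."""
    _, digest = pbkdf2_legi(legi, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest, digest_hex)


# Constructed sample user table as it would look once only the keyed digest is stored.
USERS = [
    {"nethz": "muster", "legi_hmac": obfuscate_legi("12-345-678")},
    {"nethz": "example", "legi_hmac": obfuscate_legi("98-765-432")},
]


def find_user_by_legi(legi: str, users=USERS, secret: bytes = APP_SECRET):
    """The one-way direction the GV barcode scanner needs: legi -> user record."""
    needle = obfuscate_legi(legi, secret)
    for user in users:
        if hmac.compare_digest(user["legi_hmac"], needle):
            return user
    return None


if __name__ == "__main__":
    # Scanning the barcode yields the raw legi; the database never stores it in clear.
    print(find_user_by_legi("12-345-678"))          # -> the 'muster' record
    print(find_user_by_legi("00-000-000"))          # -> None
    salt, digest = pbkdf2_legi("12-345-678")
    print(verify_pbkdf2_legi("12-345-678", salt, digest))  # -> True
```

The keyed digest keeps the lookup cheap and leaks nothing from a database-only compromise, but it is only as strong as the secrecy of the config key, exactly the constraint the post already names for the AES variant; the PBKDF2 variant needs no shared key but turns every scan into a scan over the whole table.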