Network Security SecProg

RE: secure storage of sensitive data in J2EE

Subject: RE: secure storage of sensitive data in J2EE
Date: Mon, 31 Jan 2005 11:01:09 +0200 (IST)
On Mon, 31 Jan 2005, Erez Metula wrote:
I think that the issue here is sensitive information stored on the
server side like connection strings, encryption keys and such. You
can't ask the user to enter a password for this kind of information.
Storing this information in a file in cleartext won't protect this
information from someone who has access to the server, for example a
legitimate (malicious) admin user or a hacker who has managed to
break into the system.

It is not worth worrying about a malicious admin: he can add a keylogger
to get the password, he can change the app to send him the secret keys,
etc. You have to trust[*] your admin, at least on systems where the admin
can do everything. (Note that in many cases, even if it seems that the admin
can't do everything (as, e.g., on Windows), in fact he can.)

[*] "In the US Department of Defense, a `trusted system or component'
is defined as `one which can break the security policy'"

-- 
Regards,
ASK
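An added example in Java (not part of the original thread) of the defence that does remain available on the server side once the admin is trusted: the key or connection string is read from a file outside the deployment, and loading fails closed unless the file is owned by the account the container runs as and is readable by nobody else. The path and class name are assumptions; the check only limits exposure to other local accounts, not to root or an administrator.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFileAttributes;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.Set;

/** Loads a server-side secret from a file that must be private to the app account. */
public final class SecretFileLoader {

    // Hypothetical path; a real deployment would configure it outside the WAR/EAR.
    static final Path DEFAULT_SECRET_PATH = Paths.get("/etc/myapp/db.secret");

    public static char[] load(Path secretFile) throws IOException {
        // Refuse symlinks and non-regular files so a redirected path cannot be substituted.
        if (!Files.isRegularFile(secretFile, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("secret is not a regular file: " + secretFile);
        }
        PosixFileAttributes attrs = Files.readAttributes(
                secretFile, PosixFileAttributes.class, LinkOption.NOFOLLOW_LINKS);
        String runningAs = System.getProperty("user.name");
        if (!attrs.owner().getName().equals(runningAs)) {
            throw new IOException("secret file is not owned by " + runningAs);
        }
        Set<PosixFilePermission> perms = attrs.permissions();
        // Anything beyond owner read/write (i.e. not 0600 or 0400) is rejected.
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new IOException("secret file permissions too open: "
                        + PosixFilePermissions.toString(perms));
            }
        }
        byte[] raw = Files.readAllBytes(secretFile);
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        int len = decoded.remaining();
        while (len > 0 && (decoded.get(len - 1) == '\n' || decoded.get(len - 1) == '\r')) {
            len--; // drop a trailing newline left by an editor
        }
        char[] secret = new char[len];
        decoded.get(secret, 0, len);
        Arrays.fill(raw, (byte) 0); // scrub the intermediate copies
        if (decoded.hasArray()) Arrays.fill(decoded.array(), '\0');
        return secret; // caller zeroes this char[] once the connection is open
    }
}
```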
