My question is how should these be stored on the server?
It really depends on what services you are providing. I.e. for
finical, security, government or other high risk/high security
application you might want to have a CA providing the certificate/keys
for the encryption and decryption. If you are just providing
basic services storing the keys locally on the box in a secured
portion of the system you can easily mitigate the risks down to
an acceptable level. If this is a window box (server) you can
utilize Microsoft's key storage and localized encryption systems
(i.e. DPAPI) to protect your keys on disk and in memory.
encryption is the best solution, but if I encrypt them with
another key, the question is where does this key get stored?
On a CA, trusted host or locally on the box. The performance
implications
on your application are pretty bad if you encrypt your encryption and
then
make multiple calls to the data. For which is has to decrypt twice
before
it can use the data.
All in all, putting your keys in a directory outside of any web
accessible
portion of the box and assigning the correct ACL's to that directory
will
usually sufficiently protect that data.
Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
Email: sjackson@horizonusa.com
Phone: (775) 858-2338
(800) 325-1199 x338
Fax: (775) 858-2330
---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.
http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
