Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: key storage

from [Brown, James F.] Network Security [Permanent Link]
Subject: RE: key storage
Date: Mon, 30 Aug 2004 10:00:52 -0400 
No problem. That's the "best practice", I believe.

- Jim

-----Original Message-----
From: Ajay [mailto:abra9823@mail.usyd.edu.au] 
Sent: Monday, August 30, 2004 9:29 AM
To: Brown, James F.
Cc: webappsec@securityfocus.com
Subject: RE: key storage


yup, thats the idea. do you see any problems with it

cheers


Quoting "Brown, James F." <James.F.Brown@FMR.com>:


You're going to use the SHA-1 hash of the passphrase as the actual key
for the symmetric encryption, right?

================================
James F. Brown  CISM, CISA
Sr. Director, Information Security
Fidelity Investments
james.f.brown@fmr.com
http://www.fidelity.com


-----Original Message-----
From: Ajay [mailto:abra9823@mail.usyd.edu.au]
Sent: Saturday, August 28, 2004 12:25 AM
To: Brown, James F.
Cc: George Capehart; webappsec@securityfocus.com
Subject: RE: key storage


thanks.
from responses on other mailing lists, i am moving towards the idea of
having some sort of proxy server application which at startup is
supplied
a passphrase. it uses the passphrase to decrypt a passphrase encrypted
file and loads keys from there. the file itself can be removed then
my main application can then query the proxy when it needs the keys.
ofcourse this introduces the problem of securing the exchange between
the
main and the proxy.
the reason i have the proxy in the first place is because my main app

is

a
bunch of cgi scripts where state is stored by only writing to a file

and

i
do not have access to the webserver where the application is hosted.
it will all be remarkable slow though...

cheers

--
Ajay Brar,

Quoting "Brown, James F." <James.F.Brown@FMR.com>:


Chapter 8 in Applied Cryptography only discussed key storage in

areas

where users are involved. If you have an server application that

uses

crypto with no users involved, it doesn't offer much help. I'll

check

Bruce's newer book "Practical Cryptography" to see if he's addressed
that topic, but I won't be able to report on it until Monday.

================================
James F. Brown  CISM, CISA
Sr. Director, Information Security
Fidelity Investments
james.f.brown@fmr.com
http://www.fidelity.com


-----Original Message-----
From: George Capehart [mailto:gwc@acm.org]
Sent: Thursday, August 26, 2004 1:41 PM
To: webappsec@securityfocus.com
Subject: Re: key storage


On Wednesday 25 August 2004 21:12, Ajay allegedly wrote:

and also is there any significant paper on key storage - a journal

or

conference paper?
its for my thesis and it would be nice if i could quote a the
findings of some paper


Ajay,

There has been *lots* written about key storage.  It's a pretty
important topic . . . :>  Google is your friend.  A great place to
start, though is Chapter 8 (Key Management) in _Applied_Cryptology
(ISBN 0-471-11709-9) by Bruce Schneier.

Cheers,

George Capehart
--
George W. Capehart

Key fingerprint:  3145 104D 9579 26DA DBC7  CDD0 9AE1 8C9C DD70 34EA

"With sufficient thrust, pigs fly just fine."  -- RFC 1925






----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.





----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  The ever encroaching blur between web apps and apps, Mark Curphey
Next by Date:  Re: ASP authentication, Ido Mordechai Rosen
Previous by Thread:  RE: key storage, Ajay
Next by Thread:  RE: key storage, Ajay
Indexes:  [Date] [Thread] [Top] [All Lists]