One way to do it is to use the SID of the machine\user.
The SID is a unique identifier which is created while installing the OS, and
also per user.
MSN is using the SID to encrypt the address book of its MSN client.
Until now, I've only seen a local attack on that encryption (it can only be
deciphered on that specific machine with that specific user logged in).
Can this be of any assistance?
-----Original Message-----
From: David Heise [mailto:dheise_at_gmail.com]
Sent: Monday, February 28, 2005 10:22 AM
To: gillettdavid_at_fhda.edu
Cc: security-basics_at_securityfocus.com
Subject: Re: Encryption Key Question
For the specific application that I'm doing, the individual security
of each customer's location isn't really an issue since this is one
minor level of security of the overall application. What are the other
problems with this approach? Or better yet, what is a better approach
that does NOT rely on the user supplying credentials (req), but can be
encoded into the application itself (software only).
On Mon, 28 Feb 2005 09:19:44 -0800, David Gillett <gillettdavid_at_fhda.edu>
wrote:
> Hard coding encryption keys into applications is *extremely* poor
> practice. The possibility of extracting the key from the binary is
> only one of the problems with this approach.
> We have an application here which is coded that way. One of my
> concerns has to be that every copy of this application at every
> customer site uses exactly the same hard-coded key, so the security
> of our data can never be much more than that of the application's
> LEAST secure customer site.
>
> David Gillett
>
>
> > -----Original Message-----
> > From: David Heise [mailto:dheise_at_gmail.com]
> > Sent: Friday, February 25, 2005 4:57 PM
> > To: security-basics_at_securityfocus.com
> > Subject: Encryption Key Question
> >
> >
> > I have a situation which seems to be an endless loop but maybe someone
> > out here can help me. I'm using SHA-256 as my hash function and AES
> > as the encryption method. I have a byte array of data and a string
> > that is the passphrase (currently the string is 306 characters long).
> > I hash the passphrase and use it to encrypt the data. Since I'm
> > writing this as part of an application I want to hardcode the
> > passphrase into the application, however as a string it would be
> > fairly simple to find it in the compiled code.
> >
> > Here's my question:
> > What is the best method of storing this passphrase internally in the
> > application such that it would be as secure as possible?
> >
> >
> >
> > Unrelated Question:
> > Is there any security hole in using the data as the key? (other than
> > it makes it hard/impossible to get it back out)
> >
> >
> > Thanks
> > --
> > David B Heise [dheise_at_gmail.com]
> > http://students.cs.byu.edu/~dheise
> >
>
--
David B Heise [dheise_at_gmail.com]
http://endofuniverse.blogspot.com Personal Blog
http://students.cs.byu.edu/~dheise Personal Web
http://www.stonetempest.com Company
Received on Mar 01 2005
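The two schemes discussed in this thread side by side, as an added Go example that is not part of any message above: the original question's SHA-256(passphrase) key that is identical in every copy of the application, and a key bound to a per-machine, per-user identifier as the SID reply suggests. The identifier is passed in as a plain string (a real SID would be read from the OS), the passphrase is a constructed stand-in, and AES-256-GCM from the Go standard library stands in for whatever AES mode the poster uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

const appPassphrase = "CONSTRUCTED-stand-in-passphrase" // not the real 306-char string

// hardcodedKey is the question's scheme: SHA-256(passphrase) as the AES-256 key, same in every copy.
func hardcodedKey() []byte {
	k := sha256.Sum256([]byte(appPassphrase))
	return k[:]
}

// boundKey mixes that key with a per-machine, per-user identifier (the SID
// idea from the reply) via HMAC-SHA256, giving each installation its own key.
func boundKey(machineUserID string) []byte {
	mac := hmac.New(sha256.New, hardcodedKey())
	mac.Write([]byte(machineUserID))
	return mac.Sum(nil)
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // both derivations above always yield 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with a fresh random nonce and prefixes it to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check fails under any other key.
func open(key, sealed []byte) ([]byte, error) {
	gcm := newGCM(key)
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

Data sealed under one installation's bound key fails authentication under another installation's key and under the shared hard-coded key alone, which is the property the thread is after: extracting the embedded passphrase from one binary no longer unlocks every customer's data.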