Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: Securing encrypted data in RAM vs MSSQL

RE: Securing encrypted data in RAM vs MSSQL

From: Bénoni MARTIN <Benoni.MARTIN_at_libertis.ga>
Date: Thu, 1 Jul 2004 18:19:25 +0100

Well, there is always a way to recover the real password or login from a hash...the matter's is the time it will take!

The method to "dehash" a hash is quite simple: as theorically a hash_1 can be produced by a single pass_1/login_1/..., we can create a huge amount of random pass_2/logins_2/..., hash them with MD5/SHA-1/... and then compare each of them with our hash_1. ASA the two hashes are the same, we can pick up the pass/login/... which produced hash_2. Quite simple but really long to perform.

BTW, Cain & Abel, John the Ripper and Crack can perform such recoveries... :)

-----Message d'origine-----
De : Toro, Daniel [mailto:tcvx_at_taconvino.cl]
Envoyé : jeudi 1 juillet 2004 17:33
À : Stan Guzik; Dave Andrews; webappsec_at_securityfocus.com; forensics_at_securityfocus.com
Objet : Re: Securing encrypted data in RAM vs MSSQL

Related to point 3.A below: Is it really necessary to delete the data if it's encrypted with a one-way encryption algo like MD5? There's no way to recover data from the message digest produced by MD5 that I know of. Of course, I don't know everithing. :-)

On Thu, 1 Jul 2004 09:24:55 -0400, Stan Guzik <SGuzik_at_ImmediaTech.com>
wrote:

> See reply below.
>
> Good Luck,
> Stan
>
> -----Original Message-----
> From: Dave Andrews [mailto:dave_at_pint.com]
> Sent: Wednesday, June 30, 2004 8:52 PM
> To: webappsec_at_securityfocus.com; forensics_at_securityfocus.com
> Subject: Securing encrypted data in RAM vs MSSQL
>
> Hello All,
>
> Is anyone aware of a way to store encrypted sensitive data in RAM for
> access via a web application using ASP?
>
> 1) You can create an ActiveX EXE that will remain in memory. When the
> web application loads instantiate the ActiveX EXE and access it like
> any other dll.
>
>
> It would be posted in the same
> manner.
> Is storing in RAM preferable to using an encrypted database, in this
> case SQL 2000?
>
> 2) It depends on the application and network environment. This is a
> difficult question to answer not knowing more details.
>
> Is there anyway to securely delete or timeout the data after a certain
> period of time?
>
> 3) A. If you store the data in memory you can kill the instance of the
> object and the memory will be released. Depending on the type of RAM
> you have the data may or may nor remain on the chip for a short period
> of time.
>
> B. I'm not sure how to easily delete data from a SQL Server DB and
> not have it recovered by a forensics tool. A difficult way of doing
> it is to compact the SQL Server DB which will shrink the DB file size
> and then use PGP Freespace Wipe to permanently delete any residual data on the
> hard drive. This is a good question, anybody know of a better way?
>
> C. PGP Wipe is a good tool with API support to delete files so a
> forensics tool can't recover the data.
>
> If you discard the data are there potential problems with California
> SB
> 1386 and being able to track intrusions and possible data compromise?
>
> I'm not a developer, but want a better solution than what the
> developers and client have proposed.
>
> Thanks in advance
> Dave Andrews
> PINT, Inc
> 2105 Garnet Ave. Suite E
> San Diego, CA 92109
> TEL 858.270.2086
> FAX 858.270.0410 

--
TCV
Received on Jul 01 2004
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]