WebApp Sec: RE: key storage

RE: key storage

From: Ajay <abra9823_at_mail.usyd.edu.au>
Date: Mon, 30 Aug 2004 23:28:45 +1000

Yup, that's the idea. Do you see any problems with it?

cheers

Quoting "Brown, James F." <James.F.Brown_at_FMR.com>:

> You're going to use the SHA-1 hash of the passphrase as the actual key
> for the symmetric encryption, right?
>
> ================================
> James F. Brown CISM, CISA
> Sr. Director, Information Security
> Fidelity Investments
> james.f.brown_at_fmr.com
> http://www.fidelity.com
>
>
> -----Original Message-----
> From: Ajay [mailto:abra9823_at_mail.usyd.edu.au]
> Sent: Saturday, August 28, 2004 12:25 AM
> To: Brown, James F.
> Cc: George Capehart; webappsec_at_securityfocus.com
> Subject: RE: key storage
>
>
> Thanks.
> From responses on other mailing lists, I am moving towards the idea of
> having some sort of proxy server application which at startup is supplied
> a passphrase. It uses the passphrase to decrypt a passphrase-encrypted
> file and loads keys from there. The file itself can be removed then.
> My main application can then query the proxy when it needs the keys.
> Of course this introduces the problem of securing the exchange between
> the main and the proxy.
> The reason I have the proxy in the first place is because my main app is
> a bunch of CGI scripts where state is stored by only writing to a file and
> I do not have access to the webserver where the application is hosted.
> It will all be remarkably slow though...
>
> cheers
>
> --
> Ajay Brar,
>
> Quoting "Brown, James F." <James.F.Brown_at_FMR.com>:
>
> > Chapter 8 in Applied Cryptography only discussed key storage in areas
> > where users are involved. If you have an server application that uses
> > crypto with no users involved, it doesn't offer much help. I'll check
> > Bruce's newer book "Practical Cryptography" to see if he's addressed
> > that topic, but I won't be able to report on it until Monday.
> >
> > ================================
> > James F. Brown CISM, CISA
> > Sr. Director, Information Security
> > Fidelity Investments
> > james.f.brown_at_fmr.com
> > http://www.fidelity.com
> >
> >
> > -----Original Message-----
> > From: George Capehart [mailto:gwc_at_acm.org]
> > Sent: Thursday, August 26, 2004 1:41 PM
> > To: webappsec_at_securityfocus.com
> > Subject: Re: key storage
> >
> >
> > On Wednesday 25 August 2004 21:12, Ajay allegedly wrote:
> > > And also, is there any significant paper on key storage - a journal or
> > > conference paper?
> > > It's for my thesis and it would be nice if I could quote the
> > > findings of some paper.
> >
> > Ajay,
> >
> > There has been *lots* written about key storage. It's a pretty
> > important topic . . . :> Google is your friend. A great place to
> > start, though is Chapter 8 (Key Management) in _Applied_Cryptology
> > (ISBN 0-471-11709-9) by Bruce Schneier.
> >
> > Cheers,
> >
> > George Capehart
> > --
> > George W. Capehart
> >
> > Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
> >
> > "With sufficient thrust, pigs fly just fine." -- RFC 1925
> >
> >
> >
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>

Received on Aug 31 2004
