Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: key storage

From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Mon, 30 Aug 2004 09:26:29 -0700
My question is how should these be stored on the server?


It really depends on what services you are providing. I.e. for 
finical, security, government or other high risk/high security 
application you might want to have a CA providing the certificate/keys 
for the encryption and decryption. If you are just providing 
basic services storing the keys locally on the box in a secured 
portion of the system you can easily mitigate the risks down to 
an acceptable level. If this is a window box (server) you can 
utilize Microsoft's key storage and localized encryption systems 
(i.e. DPAPI) to protect your keys on disk and in memory.


encryption is the best solution, but if I encrypt them with 
another key, the question is where does this key get stored?


On a CA, trusted host or locally on the box. The performance
implications
on your application are pretty bad if you encrypt your encryption and
then
make multiple calls to the data. For which is has to decrypt twice
before 
it can use the data.

All in all, putting your keys in a directory outside of any web
accessible 
portion of the box and assigning the correct ACL's to that directory
will 
usually sufficiently protect that data.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521

www.horizonusa.com
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338
Fax:   (775) 858-2330

---------------------------------------------------------------------------
Computer Forensics Training at the InfoSec Institute. All of our class sizes
are guaranteed to be 12 students or less to facilitate one-on-one
interaction with one of our expert instructors. Gain the in-demand skills of
a certified computer examiner, learn to recover trace data left behind by
fraud, theft, and cybercrime perpetrators. Discover the source of computer
crime and abuse so that it never happens again.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: