RE: key storage
From: Andrew Tucker (atucker_at_windows.microsoft.com)
Date: 08/27/04
- Previous message: Mark Reis: "Re: educating rDNS violators"
- Maybe in reply to: Ajay: "key storage"
- Next in thread: Ajay: "RE: key storage"
- Reply: Ajay: "RE: key storage"
Date: Thu, 26 Aug 2004 15:05:51 -0700 To: "Ajay" <abra9823@mail.usyd.edu.au>, <security-basics@securityfocus.com>
What platform are you using? On Windows this is the exact problem that
DPAPI was developed to solve. Another generic solution is to protect
them with a key derived from a password that the user enters so you
never actually have to store the key.
-----Original Message-----
From: Ajay [mailto:abra9823@mail.usyd.edu.au]
Sent: Wednesday, August 25, 2004 4:01 AM
To: security-basics@securityfocus.com
Subject: key storage
Hi!
I am building a web application. For client authentication, I am using
cookies which include the HMAC of the data.
The server also has a public/private key pair for signing and verifying
information.
My question is how should these be stored on the server? Encryption is
the best solution, but if I encrypt them with another key, the question is
where does this key get stored?
thanks
cheers
ajay
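
The password-derived-key approach from the reply, applied to the cookie HMAC key from the question, as an added example that is not code from either poster. The function names, the PBKDF2 iteration count and the wrapping construction (an XOR pad plus HMAC tag, chosen so the block runs on the Python standard library alone; an AEAD such as AES-GCM from a vetted library is the usual choice) are assumptions.

```python
import hashlib, hmac, os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password, then split it into a 32-byte pad and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    pad = hmac.new(master, b"wrap-pad", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"wrap-mac", hashlib.sha256).digest()
    return pad, mac_key

def wrap_key(secret: bytes, password: str) -> bytes:
    """Return salt || ciphertext || tag: the only thing written to disk."""
    if len(secret) > 32:
        raise ValueError("this sketch wraps secrets of at most 32 bytes")
    salt = os.urandom(16)  # fresh salt per wrap, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    ct = bytes(s ^ p for s, p in zip(secret, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap_key(blob: bytes, password: str) -> bytes:
    """Recover the secret in memory; fail closed on a bad password or edit."""
    if len(blob) < 16 + 32:
        raise ValueError("truncated key file")
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    pad, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered key file")
    return bytes(c ^ p for c, p in zip(ct, pad))

def sign_cookie(hmac_key: bytes, data: bytes) -> str:
    """HMAC over the cookie data, as in the original question."""
    return hmac.new(hmac_key, data, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    cookie_key = os.urandom(32)                         # constructed sample key
    blob = wrap_key(cookie_key, "operator passphrase")  # constructed password
    key_in_memory = unwrap_key(blob, "operator passphrase")  # at server start
    print(sign_cookie(key_in_memory, b"user=ajay;exp=1093500000"))
```

The trade-off is operational: someone has to enter the password each time the server process starts, and the unwrapped key still lives in process memory while the application runs.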