RE: key storage

From: Ajay (abra9823_at_mail.usyd.edu.au)
Date: 08/27/04

  • Next message: Don Voss: "Re: Blocking Access to Non-domain computers"
    Date: Fri, 27 Aug 2004 11:08:47 +1000
    To: Andrew Tucker <atucker@windows.microsoft.com>
    
    

    i am using SunOS.
    the problem is i don't have access to the webserver. my web application
    consists of a number of python scripts that allow you to create and define
    user models.
    Thus there is no application start or end and all state (including keys
    used) must be stored in files which are read when a request is made.
    if i could actually configure the server (or if i had written my own server
    app) i could make it read a set of keys (or a passphrase) from a file
    (stored on removable media) at startup and use those. the media itself
    could be removed.
    But i can't really do that with a whole lot of cgi scripts, can i?
    since the webserver is an apache, i think i should look at what features it
    offers in such a situation - i was hoping someone would have come across
    this problem before and solved it.

    cheers

    --
    Ajay Brar,
    CS Honours 2004
    Smart Internet Technology Research Group
    Quoting Andrew Tucker <atucker@windows.microsoft.com>:
    > What platform are you using?  On Windows this is the exact problem that
    > DPAPI was developed to solve.  Another generic solution is to protect
    > them with a key derived from a password that the user enters so you
    > never actually have to store the key.
    >
    > -----Original Message-----
    > From: Ajay [mailto:abra9823@mail.usyd.edu.au]
    > Sent: Wednesday, August 25, 2004 4:01 AM
    > To: security-basics@securityfocus.com
    > Subject: key storage
    >
    > hi!
    >
    > i am building a web application. for client authentication, i am using
    > cookies which include the HMAC of the data.
    > the server also has a public/private key pair for signing and verifying
    > information.
    > my question is how should these be stored on the server? encryption is the
    > best solution, but if i encrypt them with another key, the question is
    > where does this key get stored?
    >
    > thanks
    >
    > cheers
    > ajay

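Andrew's suggestion of a password-derived key, worked through as an added example in Python (not code from either poster): the server keeps only a random salt on disk, re-derives the HMAC key from a passphrase with PBKDF2 each time a script runs, and uses that key to sign and verify the cookie, so the raw key is never stored. The passphrase is assumed to reach the script out of band; the salt and cookie contents are constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the thread): the server stores only a random salt;
# the HMAC key is re-derived from a passphrase (assumed to arrive out of band)
# each time a CGI script runs, so the raw key never sits in a file.

def derive_key(passphrase: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Derive a 32-byte HMAC key from the passphrase and the stored salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)

def sign_cookie(key: bytes, data: bytes) -> str:
    """Build a cookie value of the form base64(data).base64(HMAC-SHA256(data))."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(data).decode("ascii") + "."
            + base64.urlsafe_b64encode(tag).decode("ascii"))

def verify_cookie(key: bytes, cookie: str):
    """Return the cookie's data if its HMAC verifies, otherwise None.

    Malformed input and a wrong tag both yield None; the tag comparison is
    constant-time so the check does not leak how many bytes matched.
    """
    try:
        data_b64, tag_b64 = cookie.split(".", 1)
        data = base64.urlsafe_b64decode(data_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:          # missing separator or bad base64
        return None
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    salt = os.urandom(16)       # the only key-related value kept in a file
    key = derive_key("constructed passphrase", salt)
    cookie = sign_cookie(key, b"user=ajay;role=student")
    print(cookie)
    print(verify_cookie(key, cookie))                         # the data bytes
    print(verify_cookie(derive_key("wrong", salt), cookie))   # None
```

Because derivation happens per request, a script that never receives the passphrase simply cannot validate cookies, which is the trade-off the thread is discussing.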