Re: An Encryption Strategy - Comments Please
From: carion1 (ddavis76_at_gmail.com)
Date: 10/03/05
- Next message: carion1: "Re: An Encryption Strategy - Comments Please"
- Previous message: Oleg Shadrunov: ""Microsoft Base Cryptographic Provider v1.0" does not work on Win2000"
- In reply to: William Stacey [MVP]: "Re: An Encryption Strategy - Comments Please"
- Next in thread: carion1: "Re: An Encryption Strategy - Comments Please"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 3 Oct 2005 09:57:12 -0500
If that is a concern then use a secure connection to SQL.
--
Derek Davis
ddavis76@gmail.com

"William Stacey [MVP]" <staceyw@mvps.org> wrote in message
news:%232ouSQ9xFHA.2516@TK2MSFTNGP12.phx.gbl...
> But now you're just passing the password equivalent. This can be taken off
> the wire and used just like the clear password if the server is matching
> it against the same hash. He needs some form of key exchange or secure
> stream. Not sure what sql offers in that regard.
>
> --
> William Stacey [MVP]
>
> "carion1" <ddavis76@gmail.com> wrote in message
> news:%23Cn11b6xFHA.612@TK2MSFTNGP10.phx.gbl...
>> Hash the password and pass it to SQL for comparison (this way no need to
>> decrypt). You may also want to think twice about using your own custom
>> security.
>>
>> --
>>
>> Derek Davis
>> ddavis76@gmail.com
>>
>> "Diggers" <simonrigby_uk@hotmail.com> wrote in message
>> news:1128290552.651536.287440@g43g2000cwa.googlegroups.com...
>>> Hello all,
>>>
>>> I posted in this forum not long ago regarding encryption. After some
>>> useful feedback and further reading I have come up with a strategy that
>>> I think will work. I'm interested in feedback and any suggestions. Here
>>> is my scenario.
>>>
>>> Users of my application will interact with data stored in a Sql Server
>>> database. To that end I am also going to maintain the user/password
>>> list in this same database. An administrator will add a new user by
>>> adding a username to this table but leave the password blank.
>>>
>>> When the user logs into the application they will be asked for a
>>> username. If the password for this username is blank in the database, a
>>> known piece of text (for example "this is the key") is encrypted using
>>> DPAPI. They will then be asked to enter a password for their account.
>>> This password will be encrypted using Rijndael using the DPAPI
>>> encrypted known text as the key and stored in the database table.
>>>
>>> At subsequent logins the user enters their username and password. The
>>> DPAPI encrypted key is used to encrypt the password which is compared
>>> against the database table version.
>>>
>>> I think this scenario allows encryption of the database password whilst
>>> not keeping a plain text key on the machine. The known text will of
>>> course be hard coded into the application which I appreciate is subject
>>> to possible reverse engineering. I don't think this is an issue as the
>>> DPAPI encryption is account dependent.
>>>
>>> Any comments on this are extremely welcome.
>>>
>>> Many thanks in advance.
>>>
>>> Simon.
>>> Inverness, Scotland.
>>>
>>
>>
>
>
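Added example for the exchange above (not code from any poster in this thread). It models the comparison logic of the scheme under discussion: the client turns the password into a fixed value (Rijndael under a DPAPI-derived key in Simon's design, a plain hash in Derek's suggestion) and the server compares that value against the stored copy. An HMAC with a hard-coded key stands in for that transform, which is an assumption of the example; DPAPI and Rijndael are not involved, and neither is a real SQL Server. The second half shows the usual alternative: the server itself derives a per-user salted PBKDF2 hash from the password it receives and never accepts a hash from the client. `APP_KEY`, `PBKDF2_ITERATIONS` and the user names are constructed for the example.

```python
"""Deterministic password transform (a password equivalent) versus a
server-side salted hash. Example code written for this thread, not from
any poster; HMAC stands in for the DPAPI/Rijndael or plain-hash transform."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Stand-in for the DPAPI-protected "known text" used as the key (assumption).
# Account-bound or not, the stored value is still a fixed function of the password.
APP_KEY = b"this is the key"


def thread_scheme_token(password: str) -> bytes:
    """Deterministic, unsalted transform: same password -> same bytes, every time.
    Models both 'encrypt with the DPAPI-derived key and compare' and
    'hash the password and pass it to SQL for comparison'."""
    return hmac.new(APP_KEY, password.encode("utf-8"), hashlib.sha256).digest()


class ThreadSchemeServer:
    """Stores the transformed value and compares whatever the client sends
    against it. Anyone holding the transformed value can log in."""

    def __init__(self) -> None:
        self.table: Dict[str, bytes] = {}

    def set_password(self, user: str, password: str) -> None:
        self.table[user] = thread_scheme_token(password)

    def login(self, user: str, token_from_wire: bytes) -> bool:
        stored = self.table.get(user, b"")
        return hmac.compare_digest(stored, token_from_wire)


# Hardened alternative: the server receives the password (over TLS, the
# "secure connection" point above, which is outside this offline example),
# derives a salted slow hash itself, and never accepts a hash from the client.
PBKDF2_ITERATIONS = 100_000  # example value; tune upward for real deployments


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt + PBKDF2-HMAC-SHA256. Returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


class HardenedServer:
    def __init__(self) -> None:
        self.table: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        self.table[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.table.get(user)
        if record is None:
            # Spend the same cost for unknown users so timing does not reveal them.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored_dk = record
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored_dk, candidate)


def replay_captured_token() -> bool:
    """Attacker sniffs one login (or dumps the table) and replays the token
    without ever learning the password. Returns True: the replay succeeds."""
    srv = ThreadSchemeServer()
    srv.set_password("simon", "correct horse battery staple")
    captured = thread_scheme_token("correct horse battery staple")  # seen on the wire
    return srv.login("simon", captured)


def hardened_records_differ() -> bool:
    """Two users with the same password get different stored values."""
    srv = HardenedServer()
    srv.set_password("alice", "Passw0rd")
    srv.set_password("bob", "Passw0rd")
    return srv.table["alice"][1] != srv.table["bob"][1]


def hardened_rejects_stolen_hash() -> bool:
    """A dumped record is not a credential: the server only takes the password."""
    srv = HardenedServer()
    srv.set_password("simon", "correct horse battery staple")
    _, dk = srv.table["simon"]
    return (srv.login("simon", "correct horse battery staple")
            and not srv.login("simon", dk.hex())
            and not srv.login("simon", "wrong")
            and not srv.login("nobody", "correct horse battery staple"))


if __name__ == "__main__":
    print("replay of captured token accepted:", replay_captured_token())
    print("salted records differ for equal passwords:", hardened_records_differ())
    print("stolen salted hash rejected as a login:", hardened_rejects_stolen_hash())
```

The encrypted connection handles the sniffing case William Stacey raises; it does not change the fact that the stored value in the first scheme is itself a working credential if the table is read, which is why the hardened version keeps key derivation and comparison on the server and stores nothing the client could replay.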