Extending a secure zone to an insecure zone
From: David Hooker (abcd628_at_tpg.com.au)
Date: 01/25/04
Date: 24 Jan 2004 19:20:18 -0800
I'm wondering if I can pick your collective brains...
I'm in the process of replacing an online store, and am unable to
continue to work with the secure server the way it is. The secure
server is used to store sensitive data (think credit card numbers) and
the only way to either have the customer submit an order, or the
vendor to retrieve orders is via SSL. I'm assuming that the server
itself is reasonably break-in-proof (or at least, I don't want the new
system to be any less secure than the old one). The problem is that
the server will only accept submissions formatted into various fields
(each of which is limited to various lengths), and working around that
limitation is a royal pain. Also, it's a pain for the customer (two
submits, one for the less sensitive information, and one for the more
sensitive information).
The question is, is it possible to extend the security of the secure
server to the insecure server?
Here's my idea:
p = plaintext (user submission, via SSL)
id = number of next available slot in an insecure database
h = hash of p
m = p + h (concatenated; to detect tampering)
c = symmetrical cypher of m, using h as the key
store c in the insecure database, in slot id
store id + h on the secure server
Does this make the data on the insecure server as secure as the data
on the secure server?
Also, because I have to implement this in Active Server Pages, I need
to use simple, fast algorithms. Would MD5 and RC4 do?
Thank you for your collective time.
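Added example, not part of the original post: the scheme described above written out literally in Python with MD5 and RC4, so that three of its properties can be checked: the round trip, detection of a modified record on retrieval, and the fact that a key derived from the plaintext makes identical submissions produce identical ciphertext. The function names and the two in-memory dictionaries standing in for the insecure database and the secure server are assumptions.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                             # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

insecure_db = {}   # slot id -> c  (stand-in for the insecure database)
secure_db = {}     # slot id -> h  (stand-in for the secure server)

def store(p: bytes) -> int:
    slot = len(insecure_db)                       # id = next available slot
    h = hashlib.md5(p).digest()                   # h = hash of p
    insecure_db[slot] = rc4(h, p + h)             # c = cipher of m = p + h, keyed by h
    secure_db[slot] = h                           # id + h stay on the secure server
    return slot

def retrieve(slot: int) -> bytes:
    h = secure_db[slot]
    m = rc4(h, insecure_db[slot])
    p, tag = m[:-16], m[-16:]                     # MD5 digests are 16 bytes
    ok = hmac.compare_digest(tag, h) and hmac.compare_digest(hashlib.md5(p).digest(), h)
    if not ok:
        raise ValueError(f"slot {slot}: record was modified")
    return p

if __name__ == "__main__":
    order = b"name=A. Customer;card=0000000000000000"   # constructed sample input
    a, b = store(order), store(order)
    print(retrieve(a) == order)                   # round trip
    print(insecure_db[a] == insecure_db[b])       # same plaintext, same ciphertext
    insecure_db[a] = bytes([insecure_db[a][0] ^ 1]) + insecure_db[a][1:]
    try:
        retrieve(a)
    except ValueError as e:
        print(e)
```

MD5 is no longer collision resistant and RC4 has been prohibited in TLS (RFC 7465); the two appear here only because they are the primitives the post asks about.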