Re: Securing Private Key
From: Anne & Lynn Wheeler (lynn_at_garlic.com)
Date: 09/21/05
- Next message: Dave Howe: "Re: Security of Secret Algorithm encruption"
- Previous message: Dave Howe: "Re: Meganet"
- In reply to: Shakeel: "Re: Securing Private Key"
- Next in thread: Dave Howe: "Re: Securing Private Key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 Sep 2005 08:33:05 -0600
"Shakeel" <shakeel.***@gmail.com> writes:
> My application make transactions in the database. To make transactions
> secure or in other words only application can make transactions in DB
> and not even the DB admin can. For that the application make digital
> signature with each transaction. Now the problem is for digital
> signature the key is needed, Hot to secure or manage that key.
from 3-factor authentication paradigm
http://www.garlic.com/~lynn/subpubkey.html#3factor
* something you have
* something you know
* something you are
private key operation is nominal handled as "something you have"
authentication ... aka the validation of a digital signature by a
public key implies that the originator has access to and use of the
corresponding private key.
integrity of the operation then comes down to providing for the unique
possession and use of that private key.
software based infrastructure tends to revolve around an encrypted
file "container" ... where there is an attempt at software eimulation
of a physical container. this typically starts with making the file
encrypted and various software flavors that request decryption key for
access & use of the private key. a widely used example is SSH ...
http://www.openssh.com
http://www.ssh.com
somewhat more secure is replacing the software/file container with a
real physical container ... hardware token with embedded chip. there
are a number of them with various combination of integrity
characteristics. features can be
1) key pair generated inside the chip, public key exported, but the
private key is never divulged.
2) degree of tamper resistance, difficulty of physical attack on token
to extract private key
3) whether chip requires pin/password and/or biometric for correct
operation (multi-factor authentication)
physical tokens tend to have the added (integrity) characteristic that
the owner will realize when the token is lost/stolen and notify the
responsible parties to disable the corresponding public key. there was
a recent thread on the this subject about administrative
infrastructure for management of public keys in DBMS environments ...
using DBMS/RADIUS operation for key registration & administrative
validity.
misc posts related to aads chip strawman
http://www.garlic.com/~lynn/index.html#aads
-- Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
- Next message: Dave Howe: "Re: Security of Secret Algorithm encruption"
- Previous message: Dave Howe: "Re: Meganet"
- In reply to: Shakeel: "Re: Securing Private Key"
- Next in thread: Dave Howe: "Re: Securing Private Key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
