Re: Encryption newbie - Same length encrypted result

From: Joseph Ashwood (ashwood_at_msn.com)
Date: 10/22/05


Date: Sat, 22 Oct 2005 00:55:50 GMT


<mminnie@minniebyte.com> wrote in message
news:1129935789.332412.272350@g49g2000cwa.googlegroups.com...
> How safe is saving this anyway? I plan to have a server side DLL that
> encrypts/decrypts the CC data. This will have a secret key hardcoded.
> The resulting database values will be encrypted and somewhat safe, but
> if someone gets the DLL, they can easily decrypt the data. Right? I
> can probably safeguard the DLL to only have it work on a certain
> server, but then someone could always reverse engineer the DLL and get
> to the secret key that way.
>
> Am I missing something here?

You're not missing anything; the design will generally be insecure. One way
to help it some would be to use an admin-supplied passphrase to generate the
actual secret key; don't know how usable this is for you. For security it is
important to place a kernel of trust someplace, and the actual location is
extremely important, so much so that in extreme security designs the kernel
is spread across several believed-secure locations (e.g. human brain,
smartcard, and central server are required to get the decryption key). What
you've stumbled onto has been called "the only real security problem", key
management, and it is very difficult to do correctly and securely.
                Joe
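The two remedies in the reply above, as an added example that is not part of the original thread: the data key is derived from an admin-supplied passphrase (so only a salt and iteration count ship with the code, never the key), and the derived key is then XOR-split into shares so that every holder (the post's human brain, smartcard and central server) is required to rebuild it. The function names, the 600,000 PBKDF2 iterations and the 32-byte key length are assumptions chosen for this example; everything used is the Python standard library.

```python
import hashlib
import hmac
import secrets
from functools import reduce

# Parameters assumed for this example (not from the original post).
KEY_LEN = 32                # 256-bit data-encryption key
PBKDF2_ITERATIONS = 600_000 # work factor against passphrase guessing


def derive_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the actual encryption key from an admin-supplied passphrase.

    The DLL/service stores only `salt` and `iterations`; the key exists in
    memory only after an administrator has typed the passphrase, so a copy
    of the code and database alone does not contain it.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def make_check_value(key: bytes) -> bytes:
    """Short MAC stored beside the salt so a wrong passphrase is rejected
    without storing the key (or any key-derived value usable for decryption)."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()[:8]


def verify_passphrase(passphrase: str, salt: bytes, check_value: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Re-derive the key and compare the check value in constant time."""
    candidate = make_check_value(derive_key(passphrase, salt, iterations))
    return hmac.compare_digest(candidate, check_value)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: int) -> list:
    """Split `key` into `holders` shares; ALL shares are needed to rebuild it.

    All but the last share are uniformly random, and the last is the key
    XORed with them, so any proper subset of shares is statistically
    independent of the key. This is the "spread the kernel of trust across
    several locations" idea: a stolen server share alone reveals nothing.
    """
    if holders < 2:
        raise ValueError("need at least two holders")
    shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = reduce(xor_bytes, shares, key)
    return shares + [last]


def combine_shares(shares: list) -> bytes:
    """XOR every share together; with all shares present this is the key."""
    return reduce(xor_bytes, shares)


def demo() -> bool:
    """Walk through setup and a later unlock; returns True when both succeed."""
    # Setup: admin picks a passphrase; the service stores only salt + check value.
    salt = secrets.token_bytes(16)
    key = derive_key("correct horse battery staple", salt)   # constructed sample
    check = make_check_value(key)
    # Spread the derived key over three holders: brain, smartcard, central server.
    brain, smartcard, server = split_key(key, 3)
    # Unlock: every holder contributes, and the passphrase is verified first.
    unlocked = verify_passphrase("correct horse battery staple", salt, check)
    rebuilt = combine_shares([brain, smartcard, server])
    return unlocked and rebuilt == key


if __name__ == "__main__":
    print("setup and unlock succeeded:", demo())
```

The `holders` count is the number of places the trust is spread over; with the XOR scheme every one of them must be present, which is the behaviour the reply describes. If losing a single smartcard must not lose the data, a threshold scheme (k-of-n secret sharing) would replace `split_key`, but that is beyond what the post discusses.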
