Re: Which is more secure RC2 or RC4 ?



On 12 Jul 2006 10:55:42 -0700, "Homer Simpson"
<wushu.israel@xxxxxxxxx> wrote:

>While I am new to the whole world of cryptography, I am a pretty
>experienced web designer, and I don't really understand some of the
>statements made here that I should "hire a security expert". I mean if
>I'm using for example Asp-Encrypt, create a 128 bit key using AES, save
>it in a remote place inside the registry, and then use it to
>encrypt/decrypt strings of text upon inserting/reading them from the
>database, wherein lies the security problem?

In a lot of places. I am *not* an expert but even so I can see
problems with your ideas here.

1. NEVER save a password anywhere. Ever. You should save a secure
hash (SHA-256 or some such) of the password. Also look up
"stretching" in this context. An attacker can be assumed to have
access to the registry and files on the machine so passwords held in
clear are a complete disaster.

2. The registry is backed up and copied to a lot of places. How are
you going to secure your passwords when they are in a backup file
somewhere? When the password is changed how are you going to securely
delete all copies of the old password?

3. You do not mention salt. Are you going to be salting your users'
passwords? You should.

4. How do you know that a 128 bit key is secure enough? Have you done
a full security audit on your proposed system and established that
this is the correct key size?

You say you are a pretty experienced web designer. Would you let
someone who had just read "Web Design for Dummies" once, design and
build the Web front-end of your application? You are in the same
position for the security aspects of your application. You need an
expert.

rossum
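The salted, stretched password hash that points 1 and 3 above recommend, as an added example that is not part of rossum's post or of anything the thread's participants wrote. It uses only the Python standard library; the choice of PBKDF2-HMAC-SHA256 as the stretching function, the record format, the 16-byte salt and the 200,000 iteration count are this example's assumptions, not something the thread specifies. The sample password is constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a 16-byte random salt per user and
# 200,000 PBKDF2-HMAC-SHA256 iterations as the "stretching" factor. Raise the
# iteration count over time; each record carries its own count so old hashes
# still verify until they are rehashed.
SALT_LEN = 16
ITERATIONS = 200_000
SCHEME = "pbkdf2_sha256"


def unsalted_sha256(password: str) -> str:
    """What a bare SHA-256 of the password looks like: identical for every
    user who picks the same password, so one precomputed table breaks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    Only this record is stored; the password itself is never written anywhere.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every password set
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record into (iterations, salt, expected digest)."""
    scheme, iters, salt_hex, hash_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError(f"unsupported password hash scheme {scheme!r}")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash with the stored salt and iteration count,
    then compare in constant time so the check leaks no timing information."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record used fewer iterations than current policy;
    the caller should rehash on the next successful login."""
    stored_iterations, _, _ = _parse(record)
    return stored_iterations < iterations


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same weak password.
    pw = "letmein"
    print("unsalted, user A:", unsalted_sha256(pw))
    print("unsalted, user B:", unsalted_sha256(pw))  # identical: a table attack hits both
    rec_a = hash_password(pw)
    rec_b = hash_password(pw)
    print("salted, user A:  ", rec_a)
    print("salted, user B:  ", rec_b)                # different salts, different digests
    print("verify correct password:", verify_password(pw, rec_a))
    print("verify wrong password:  ", verify_password("letmeout", rec_a))
    old = hash_password(pw, iterations=1000)
    print("old record needs rehash:", needs_rehash(old))
```

The contrast with the AES-in-the-registry design is the point: an encrypted password is reversible by anyone who can read the key, and point 1 assumes the attacker can read the registry. The record stored here cannot be run backwards; an attacker who steals the database is left guessing passwords one at a time against a deliberately slow function, and the per-user salt means each guess has to be repeated for every user.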