Re: Server side encryption - Newbie
- From: "Mark" <mminnie@xxxxxxxxxxxxxx>
- Date: 23 Oct 2006 11:27:10 -0700
Terminal server is like a remote desktop session, so yes, like a
terminal emulator. Quite a number is in the thousands....maybe 2-4
thousand. The users rarely need the actual number, but they do enter
the numbers manually sometimes. No velocity limits. The company is a
small-midsized retail business.
They don't do much to secure the LAN except for locking the building.
The app is a legacy Visual Foxpro app. The client is not prepared to
invest tens of thousands on this, but they do want to "tighten" up the
security.
I think the smart cards are a great idea, but it is doubtful they would
want to spend that kind of money on the project. They are more
concerned about someone compromising the data from the "outside".
I think the outline you mentioned is the way I would recommend to them.
Thanks a bunch for your thoughts.
Paul Rubin wrote:
Does Windows Terminal Server just mean some kind of Hypercom-like
terminal emulator? Do you REALLY have to do it that way, instead of
using a client side app? I'm not familiar with Citrix.
How many CC#'s is "quite a number"? Thousands? Millions?
Organizations that handle really large volumes of credit card data are
supposed to use hardware-based cryptography, not software. Why do the
users need to see the actual card numbers? Does the software impose
any velocity limits on how many cards they can see per hour? What
industry is the company in? There may be standards or best practice
documents you can follow.
What are you doing to secure the LAN? Where I used to work, we rented
space on several floors of a big office building. Our machine rooms
were locked up and only accessible to our own staff (not building
maintenance). But our LAN extended between the floors of the building
and as such could have been tapped by anyone (such as the building
janitors) who had access to the service corridors. Therefore we had
to encrypt any sensitive LAN traffic, always a good idea regardless.
What language is the server app written in?
Anyway, if I understand it, your basic plan is something like:
- have a permanent static encryption key that is not permanently
stored anywhere.
- Store an encrypted version of the key in a disk file, encrypted
by a pass phrase.
- Users log in and enter the pass phrase. The server uses the pass
phrase to decrypt the key file and reconstruct the static key in
memory. It uses the in-memory key to access the encrypted data.
Does that mean there's a single pass phrase that's issued to all the
users, that changes every so often? Maybe you want to use a hardware
approach such as smart cards. Again, you'd need code on the client
side to communicate with the cards. But the idea of having users
entering passphrases (probably off Post-it notes) comes across as very
loose.
Anyway, the scheme above is probably better than nothing, though
improvements are certainly possible.
.
- Follow-Ups:
- Re: Server side encryption - Newbie
- From: Paul Rubin
- Re: Server side encryption - Newbie
- References:
- Server side encryption - Newbie
- From: Mark
- Re: Server side encryption - Newbie
- From: Mark
- Re: Server side encryption - Newbie
- From: Paul Rubin
- Re: Server side encryption - Newbie
- From: Mark
- Re: Server side encryption - Newbie
- From: Paul Rubin
- Re: Server side encryption - Newbie
- From: Mark
- Re: Server side encryption - Newbie
- From: Paul Rubin
- Server side encryption - Newbie
- Prev by Date: Re: New lightweight block cipher algorithm
- Next by Date: Re: Server side encryption - Newbie
- Previous by thread: Re: Server side encryption - Newbie
- Next by thread: Re: Server side encryption - Newbie
- Index(es):
Relevant Pages
|
Loading
