Re: Most Secure method for storing Usernames & Password




If I understood that right, another machine (a controller) would store the
usernames and passwords and then send them securely to the installer.
From a security point of view this would be ideal but would not be possible
at some of our sites due to firewall and other issues. Is there a way to
accomplish this task with the installer and some encrypted files alone?

Thanking you..




<yarrkov@xxxxxxxxx> wrote in message
news:70d539c5-7d9e-4c02-bf6d-6b969c3ffce9@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 2 Sep, 19:12, "Eircom News Groups" <hid...@xxxxxxxxxxxx> wrote:
Hello,

I have been tasked to write an installer for Win32 platforms that logs onto
a user's PC (As Administrator) and installs an application. For testing the
Administrator Username & Password were compiled into the application but
now I need to move to something more secure. At first the winapi function
CryptProtectData() looked interesting but this api only works on a per user
basis.

I was thinking of storing the usernames & passwords in a text file and then
encrypting the file and storing the private key in the Executable but no
matter what method I think of, everything would be available to someone with
the right knowledge (Debugger or IDA-Pro etc..) to obtain the Usernames and
Passwords. What is the best encryption scheme or method for this task?

Thank You..

Paul..

If I understood that right:
Make a keypair for digital signing (DSA for example), store the public
key in the client app (or a configuration file or whatever). Then,
when something needs to be installed on that client machine, get a
shared secret with Diffie-Hellman key exchange (or similar), sign the
controlling party's part with its private key. The machine that gets
stuff installed on it verifies the controller's request with the
digital signature algorithm public key, then the machines can encrypt
further communication with a symmetric method, using the shared secret
given by DH as the key.
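
The exchange described in the quoted reply above, as an added Python example that is not code from the thread. It assumes the third-party `cryptography` package, uses Ed25519 and X25519 in place of DSA and classic Diffie-Hellman, and signs both parties' shares (not only the controller's) so a recorded response cannot be replayed; the class and function names are hypothetical.

```python
# Added illustration: the installer ships with the controller's PUBLIC key only,
# so reverse engineering the installer binary reveals no secret.
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)

def session_key(own_priv, peer_share, transcript):
    """Derive an AES-256 key from the DH secret, bound to both public shares."""
    secret = own_priv.exchange(X25519PublicKey.from_public_bytes(peer_share))
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=transcript).derive(secret)

class Controller:
    def __init__(self):
        self.signing_key = Ed25519PrivateKey.generate()  # long-term key, stays on the controller

    def respond(self, installer_share, credentials):
        eph = X25519PrivateKey.generate()                # fresh DH key per session
        share = eph.public_key().public_bytes(*RAW)
        transcript = share + installer_share             # controller share + installer share
        signature = self.signing_key.sign(transcript)
        nonce = os.urandom(12)
        key = session_key(eph, installer_share, transcript)
        return share, signature, nonce + AESGCM(key).encrypt(nonce, credentials, transcript)

class Installer:
    def __init__(self, controller_public_key):
        self.trusted = controller_public_key             # embedded at build time
        self.eph = X25519PrivateKey.generate()

    def hello(self):
        return self.eph.public_key().public_bytes(*RAW)

    def receive(self, share, signature, box):
        transcript = share + self.hello()
        self.trusted.verify(signature, transcript)       # raises InvalidSignature if forged or replayed
        key = session_key(self.eph, share, transcript)
        return AESGCM(key).decrypt(box[:12], box[12:], transcript)

def demo():
    controller = Controller()
    installer = Installer(controller.signing_key.public_key())
    msg = controller.respond(installer.hello(), b"Administrator:constructed-sample")
    return installer.receive(*msg)
```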

