WebApp Sec mailing list archives
RE: Securing encrypted data in RAM vs MSSQL
From: Philip Wagenaar <pb.wagenaar () chello nl>
Date: Fri, 02 Jul 2004 02:44:08 +0200
Why store the data encrypted in your RAM? Why not let the applications handling the data worry about encryption? Depending on the sort of information you are trying to encrypt, you can choose from several encryption methods. Like George pointed out, it might be better to read a book about encryption if you are looking for a broad view on encrypting data.

If you could give us some more information about what kind of data you want to encrypt and how it is being used, we could suggest some approaches.

On another note (as a Microsoft .NET developer) you might also want to look into ASP.NET. ASP.NET better supports secure code and encryption, in my opinion, through the support in the framework.

Also don't forget about securing your SQL Server if you choose to store your data in it. You are only as secure as your weakest link.

Philip Wagenaar
Pb.wagenaar () chello nl

-----Original Message-----
From: Dave Andrews [mailto:dave () pint com]
Sent: Thursday, 1 July 2004 23:48
To: George Capehart; webappsec () securityfocus com
Subject: RE: Securing encrypted data in RAM vs MSSQL

Thanks George and to everybody that did respond. All your advice is greatly appreciated. I agree, the questions were rather open-ended. I left it this way because I wanted to get a range of answers from people who have considered the choice of encrypting an application session in memory and attempting to share those sessions with different applications or merely PGP encrypting DB data.

Thanks again,
--Dave Andrews

-----Original Message-----
From: George Capehart [mailto:gwc () acm org]
Sent: Thursday, July 01, 2004 14:06 PM
To: webappsec () securityfocus com
Subject: Re: Securing encrypted data in RAM vs MSSQL

On Wednesday 30 June 2004 20:51, Dave Andrews allegedly wrote:
Hello All,

Is anyone aware of a way to store encrypted sensitive data in RAM for access via a web application using ASP? It would be posted in the same manner. Is storing in RAM preferable to using an encrypted database, in this case SQL 2000? Is there any way to securely delete or timeout the data after a certain period of time? If you discard the data, are there potential problems with California SB 1386 and being able to track intrusions and possible data compromise?

I'm not a developer, but want a better solution than what the developers and client have proposed.
Dave,

Answers to crypto questions are very seldom simple or short. You've asked some pretty open-ended questions for which there are many answers. Choosing from among them will be your real task. Before you do, I would urge you to at least skim _Practical_Cryptography_ by Niels Ferguson and Bruce Schneier (ISBN 0-471-22357-3). Doing crypto well is *very* hard. This book should help provide you with a context from within which to evaluate the answers you get.

Best regards,
George Capehart

--
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"With sufficient thrust, pigs fly just fine." -- RFC 1925