WebApp Sec mailing list archives
Re: Securing encrypted data in RAM vs MSSQL
From: Lucas Holt <luke () foolishgames com>
Date: Tue, 6 Jul 2004 18:30:30 -0400
Hello All, Is anyone aware of a way to store encrypted sensitive data in RAM for access via a web application using ASP? It would be posted in the same manner. Is storing in RAM preferable to using an encrypted database, in this case SQL 2000? Is there any way to securely delete or timeout the data after a certain period of time? If you discard the data are there potential problems with California SB 1386 and being able to track intrusions and possible data compromise? I'm not a developer, but want a better solution than what the developers and client have proposed.
Storing data in RAM presents some issues.
First, if you need to save the data for reuse long term, then it must be backed up on some type of media like a DVD or hard disk. When the power goes out, you lose the data if it's in RAM.
Second, if you are trying to prevent it from being accessible to attack, then memory storage is no guarantee. You must have a data structure to store the data, and therefore it can be obtained by attacking your app just as someone could attack a SQL server. Anything in memory is still accessible to someone who gets access to the box via webserver vulnerabilities, OS vulnerabilities, etc. It doesn't really save you much.
Third, you are limited to x number of connections based on the amount of RAM and the size of the session you wish to store. Granted, other factors limit the number of concurrent users, like bandwidth, etc.
Lucas Holt
Luke () FoolishGames com
________________________________________________________
FoolishGames.com (Jewel Fan Site)
JustJournal.com (Free blogging)