WebApp Sec mailing list archives
Re: Securing encrypted data in RAM vs MSSQL
From: "Toro, Daniel" <tcvx () taconvino cl>
Date: Thu, 01 Jul 2004 12:32:50 -0400
Related to point 3.A below: Is it really necessary to delete the data if it's encrypted with a one-way encryption algo like MD5? There's no way to recover data from the message digest produced by MD5 that I know of. Of course, I don't know everithing. :-)
On Thu, 1 Jul 2004 09:24:55 -0400, Stan Guzik <SGuzik () ImmediaTech com> wrote:
See reply below. Good Luck, Stan -----Original Message----- From: Dave Andrews [mailto:dave () pint com] Sent: Wednesday, June 30, 2004 8:52 PM To: webappsec () securityfocus com; forensics () securityfocus com Subject: Securing encrypted data in RAM vs MSSQL Hello All, Is anyone aware of a way to store encrypted sensitive data in RAM for access via a web application using ASP? 1) You can create an ActiveX EXE that will remain in memory. When the web application loads instantiate the ActiveX EXE and access it like any other dll. It would be posted in the same manner. Is storing in RAM preferable to using an encrypted database, in this case SQL 2000? 2) It depends on the application and network environment. This is a difficult question to answer not knowing more details. Is there anyway to securely delete or timeout the data after a certain period of time? 3) A. If you store the data in memory you can kill the instance of the object and the memory will be released. Depending on the type of RAM you have the data may or may nor remain on the chip for a short period of time. B. I'm not sure how to easily delete data from a SQL Server DB and not have it recovered by a forensics tool. A difficult way of doing it is to compact the SQL Server DB which will shrink the DB file size and then use PGP Freespace Wipe to permanently delete any residual data on the hard drive. This is a good question, anybody know of a better way? C. PGP Wipe is a good tool with API support to delete files so a forensics tool can't recover the data. If you discard the data are there potential problems with California SB 1386 and being able to track intrusions and possible data compromise? I'm not a developer, but want a better solution than what the developers and client have proposed. Thanks in advance Dave Andrews PINT, Inc 2105 Garnet Ave. Suite E San Diego, CA 92109 TEL 858.270.2086 FAX 858.270.0410
-- TCV
Current thread:
- Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL George Capehart (Jul 01)
- <Possible follow-ups>
- RE: Securing encrypted data in RAM vs MSSQL Stan Guzik (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL Toro, Daniel (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Yvan Boily (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dean Saxe (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Mark Curphey (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL Lucas Holt (Jul 06)
- Re: Securing encrypted data in RAM vs MSSQL Ivan Krstic (Jul 06)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- RE: Securing encrypted data in RAM vs MSSQL Michael Silk (Jul 02)