WebApp Sec mailing list archives

RE: key storage

From: Ajay <abra9823 () mail usyd edu au>
Date: Wed, 1 Sep 2004 00:19:33 +1000


On another note, how should the webserver authenticate itself to the
proxy (especially if unattended)?  I have Googled extensively for best
practices in this scenario and come up with lots of vendor fluff but
little hard information.


i believe the webserver i will be using can be made to use x509
certificates and the exchange could take place over SSL
what scares me is speed. this setup will be very slow. since the hash will
be cheked each time and you have no state and wont write the keys to a
file on the webserver, you will establish a connection with the proxy over
SSL each time a request is made.

i think i am just going to have to go with slightly less security and have
the hash key in a file not directly under www root. or maybe i need to
google a little more


Roman Fail


      -----Original Message-----
      From: Brown, James F. [mailto:James.F.Brown () FMR com]
      Sent: Mon 8/30/2004 7:00 AM
      To: Ajay
      Cc: webappsec () securityfocus com
      Subject: RE: key storage



      No problem. That's the "best practice", I believe.

      - Jim

      -----Original Message-----
      From: Ajay [mailto:abra9823 () mail usyd edu au]
      Sent: Monday, August 30, 2004 9:29 AM
      To: Brown, James F.
      Cc: webappsec () securityfocus com
      Subject: RE: key storage


      yup, thats the idea. do you see any problems with it

      cheers


      Quoting "Brown, James F." <James.F.Brown () FMR com>:

      > You're going to use the SHA-1 hash of the passphrase as the actual
key
      > for the symmetric encryption, right?
      >
      > ================================
      > James F. Brown  CISM, CISA
      > Sr. Director, Information Security
      > Fidelity Investments
      > james.f.brown () fmr com
      > http://www.fidelity.com
      >
      >
      > -----Original Message-----
      > From: Ajay [mailto:abra9823 () mail usyd edu au]
      > Sent: Saturday, August 28, 2004 12:25 AM
      > To: Brown, James F.
      > Cc: George Capehart; webappsec () securityfocus com
      > Subject: RE: key storage
      >
      >
      > thanks.
      > from responses on other mailing lists, i am moving towards the idea
of
      > having some sort of proxy server application which at startup is
      > supplied
      > a passphrase. it uses the passphrase to decrypt a passphrase
encrypted
      > file and loads keys from there. the file itself can be removed then
      > my main application can then query the proxy when it needs the keys.
      > ofcourse this introduces the problem of securing the exchange between
      > the
      > main and the proxy.
      > the reason i have the proxy in the first place is because my main app
      is
      > a
      > bunch of cgi scripts where state is stored by only writing to a file
      and
      > i
      > do not have access to the webserver where the application is hosted.
      > it will all be remarkable slow though...
      >
      > cheers
      >
      > --
      > Ajay Brar,
      >
      > Quoting "Brown, James F." <James.F.Brown () FMR com>:
      >
      > > Chapter 8 in Applied Cryptography only discussed key storage in
      areas
      > > where users are involved. If you have an server application that
      uses
      > > crypto with no users involved, it doesn't offer much help. I'll
      check
      > > Bruce's newer book "Practical Cryptography" to see if he's
addressed
      > > that topic, but I won't be able to report on it until Monday.
      > >
      > > ================================
      > > James F. Brown  CISM, CISA
      > > Sr. Director, Information Security
      > > Fidelity Investments
      > > james.f.brown () fmr com
      > > http://www.fidelity.com
      > >
      > >
      > > -----Original Message-----
      > > From: George Capehart [mailto:gwc () acm org]
      > > Sent: Thursday, August 26, 2004 1:41 PM
      > > To: webappsec () securityfocus com
      > > Subject: Re: key storage
      > >
      > >
      > > On Wednesday 25 August 2004 21:12, Ajay allegedly wrote:
      > > > and also is there any significant paper on key storage - a
journal
      > or
      > > > conference paper?
      > > > its for my thesis and it would be nice if i could quote a the
      > > > findings of some paper
      > >
      > > Ajay,
      > >
      > > There has been *lots* written about key storage.  It's a pretty
      > > important topic . . . :>  Google is your friend.  A great place to
      > > start, though is Chapter 8 (Key Management) in _Applied_Cryptology
      > > (ISBN 0-471-11709-9) by Bruce Schneier.
      > >
      > > Cheers,
      > >
      > > George Capehart
      > > --
      > > George W. Capehart
      > >
      > > Key fingerprint:  3145 104D 9579 26DA DBC7  CDD0 9AE1 8C9C DD70
34EA
      > >
      > > "With sufficient thrust, pigs fly just fine."  -- RFC 1925



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Current thread:

RE: key storage, (continued)
- - RE: key storage Ajay (Aug 26)
    - Re: key storage George Capehart (Aug 26)
    - Re: key storage George Capehart (Aug 27)
- RE: key storage Brown, James F. (Aug 27)
  - RE: key storage Ajay (Aug 28)
- RE: key storage Brown, James F. (Aug 30)
  - RE: key storage Ajay (Aug 30)
- RE: key storage Brown, James F. (Aug 30)
- RE: key storage Scovetta, Michael V (Aug 31)
- RE: key storage Roman Fail (Aug 31)
  - RE: key storage Ajay (Aug 31)
  - Re: key storage George Capehart (Sep 02)
    - RE: key storage Mark Curphey (Sep 05)
    - RE: key storage Frank Knobbe (Sep 04)
    - RE: key storage Frank Knobbe (Sep 04)
    - Re: key storage George Capehart (Sep 04)
    - Re: key storage Frank Knobbe (Sep 04)
    - Re: key storage George Capehart (Sep 04)
- RE: key storage Michael Howard (Sep 01)
- Re: key storage Jason Coombs PivX Solutions (Sep 05)
  - Re: key storage Ajay (Sep 05)