WebApp Sec mailing list archives
RE: Securing encrypted data in RAM vs MSSQL
From: "Yvan Boily" <yboily () seccuris com>
Date: Thu, 1 Jul 2004 15:08:35 -0500
This will not yield the password; it will yield a value that, when hashed, will yield the same MD5 checksum. Hashes can yield the same result from various inputs. These are called hash collisions. If you are performing a simple MD5 hash without any additional transformations on the data then an identified value that will yield such a hash collision would suffice as the password. This is why authentication using only a hash algorithm is not always the best way to do it.

Yvan Boily
Seccuris
-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Thursday, July 01, 2004 12:19 PM
To: Toro, Daniel; Stan Guzik; Dave Andrews; webappsec () securityfocus com; forensics () securityfocus com
Subject: RE: Securing encrypted data in RAM vs MSSQL

Well, there is always a way to recover the real password or login from a hash... the matter is the time it will take!

The method to "dehash" a hash is quite simple: as theoretically a hash_1 can be produced by a single pass_1/login_1/..., we can create a huge amount of random pass_2/logins_2/..., hash them with MD5/SHA-1/... and then compare each of them with our hash_1. ASA the two hashes are the same, we can pick up the pass/login/... which produced hash_2. Quite simple but really long to perform.

BTW, Cain & Abel, John the Ripper and Crack can perform such recoveries... :)

-----Original Message-----
From: Toro, Daniel [mailto:tcvx () taconvino cl]
Sent: Thursday, July 1, 2004 17:33
To: Stan Guzik; Dave Andrews; webappsec () securityfocus com; forensics () securityfocus com
Subject: Re: Securing encrypted data in RAM vs MSSQL

Related to point 3.A below: Is it really necessary to delete the data if it's encrypted with a one-way encryption algo like MD5? There's no way to recover data from the message digest produced by MD5 that I know of. Of course, I don't know everything. :-)

On Thu, 1 Jul 2004 09:24:55 -0400, Stan Guzik <SGuzik () ImmediaTech com> wrote:

See reply below.

Good Luck,
Stan

-----Original Message-----
From: Dave Andrews [mailto:dave () pint com]
Sent: Wednesday, June 30, 2004 8:52 PM
To: webappsec () securityfocus com; forensics () securityfocus com
Subject: Securing encrypted data in RAM vs MSSQL

Hello All,

Is anyone aware of a way to store encrypted sensitive data in RAM for access via a web application using ASP?

1) You can create an ActiveX EXE that will remain in memory. When the web application loads, instantiate the ActiveX EXE and access it like any other dll. It would be posted in the same manner.

Is storing in RAM preferable to using an encrypted database, in this case SQL 2000?

2) It depends on the application and network environment. This is a difficult question to answer not knowing more details.

Is there any way to securely delete or timeout the data after a certain period of time?

3) A. If you store the data in memory you can kill the instance of the object and the memory will be released. Depending on the type of RAM you have, the data may or may not remain on the chip for a short period of time.
B. I'm not sure how to easily delete data from a SQL Server DB and not have it recovered by a forensics tool. A difficult way of doing it is to compact the SQL Server DB, which will shrink the DB file size, and then use PGP Freespace Wipe to permanently delete any residual data on the hard drive. This is a good question, anybody know of a better way?
C. PGP Wipe is a good tool with API support to delete files so a forensics tool can't recover the data.

If you discard the data are there potential problems with California SB 1386 and being able to track intrusions and possible data compromise?

I'm not a developer, but want a better solution than what the developers and client have proposed.

Thanks in advance

Dave Andrews
PINT, Inc
2105 Garnet Ave. Suite E
San Diego, CA 92109
TEL 858.270.2086
FAX 858.270.0410

--
TCV
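Yvan's point that a bare hash is a weak authentication credential, and Bénoni's description of hashing guesses until one matches, both come down to the same property: an unsalted MD5 of the password is deterministic and cheap, so equal passwords produce equal digests and one precomputed table serves every account. The Python below is an added illustration and not code from anyone in this thread. It places the unsalted MD5 scheme under discussion next to a per-user salted, iterated PBKDF2-HMAC-SHA256 record with constant-time verification; the record format and the iteration count are assumptions of this example, not anything the thread specifies.

```python
# Added example, not from the mailing-list thread. Contrasts the unsalted
# MD5 scheme discussed above with a salted, iterated password hash.
import hashlib
import hmac
import os
from typing import Optional

# Assumption: work factor chosen for this example; tune to your hardware.
ITERATIONS = 200_000
RECORD_ALGO = "pbkdf2_sha256"  # assumed record label for this example


def md5_unsalted(password: str) -> str:
    """The store-as-MD5 scheme from the thread.

    Deterministic: the same password always yields the same digest, so an
    observer of the table can spot accounts sharing a password, and one
    precomputed table of digests serves every account.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, key-stretched hash; returns a self-describing record.

    A fresh 16-byte random salt per user means two users with the same
    password get different records, and any precomputed table is useless.
    The iteration count makes each guess cost ITERATIONS HMAC calls.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{RECORD_ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != RECORD_ALGO:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: reject rather than raise
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest does not leak, via timing, how many leading bytes matched
    return hmac.compare_digest(dk, expected)


def duplicate_groups(stored_values) -> int:
    """How many stored values appear more than once.

    For md5_unsalted this counts passwords shared between accounts (visible
    to anyone who reads the table); for hash_password it is always 0.
    """
    counts = {}
    for v in stored_values:
        counts[v] = counts.get(v, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed sample accounts: two of them share a password.
    users = {"alice": "password", "bob": "password", "carol": "letmein"}
    md5_table = [md5_unsalted(p) for p in users.values()]
    pbkdf2_table = [hash_password(p) for p in users.values()]
    print("shared-password groups visible with unsalted MD5:", duplicate_groups(md5_table))
    print("shared-password groups visible with salted PBKDF2:", duplicate_groups(pbkdf2_table))
    print("verify alice:", verify_password("password", pbkdf2_table[0]))
```

The record stores the salt and iteration count beside the derived key, so the work factor can be raised later and old records still verify; the `verify_password` path rejects malformed records instead of raising, which keeps a corrupted row from turning into an exception in the login handler.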
Current thread:
- Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL George Capehart (Jul 01)
- <Possible follow-ups>
- RE: Securing encrypted data in RAM vs MSSQL Stan Guzik (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL Toro, Daniel (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Yvan Boily (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dean Saxe (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Mark Curphey (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL Lucas Holt (Jul 06)
- Re: Securing encrypted data in RAM vs MSSQL Ivan Krstic (Jul 06)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- RE: Securing encrypted data in RAM vs MSSQL Michael Silk (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL exon (Jul 02)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 02)