From: zeno (bugtraq_at_cgisecurity.net)
Date: Sat Aug 24 2002 - 14:00:29 CDT

    These may be of interest.

    Exploring XML Encryption
    http://www-106.ibm.com/developerworks/library/x-encrypt/index.html
    http://www-106.ibm.com/developerworks/xml/library/x-encrypt2/index.html

    - zenocgisecurity.com
     
    > Hi everybody,
    >
    > On the secprog list an interesting discussion has started about a secure
    > approach to storing passwords and keys on a shared web server.
    >
    > I'm sure this topic has already been discussed here, but I would like to
    > hear some news from you gurus :).
    >
    > An approach I have described, that can be useful if you have few
    > resources but have system access, follows (quoted):
    >
    > -----------
    > First of all, I need a secure way to keep database passwords secure, so
    > I have to keep them separate from the main server. The right approach
    > could be using a small java bean application that runs as a normal user
    > (not tomcat, so it is not shared with other web services or, worse, the
    > nobody user), that has no shell login, but has a default home directory
    > or a place where it can hold passwords and keys.
    >
    > The web application could then open an ssl connection (could be done in
    > the init method at server startup) to get database passwords. The small
    > bean could check via code signature/rmi/whatever else that the source
    > is the right one, and handle all the database connections, or give the
    > db connection/password to the main web application.
    >
    > In this way, we solve the problem of keeping the keys and passwords in
    > shared directories, and also, an attacker would need the root or bean user
    > account to read the data. This is not perfect, and works only if your
    > provider gives the opportunity to configure a separated java
    > application (that means, really, another server running in the
    > background).
    > ------------
    >
    > Suggestions are always welcome,
    >
    > Mario Torre
    > --
    > Please avoid sending me Word or PowerPoint attachments.
    > See http://www.fsf.org/philosophy/no-word-attachments.html
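The separate password-holding process that the quoted message sketches, as an added example that is not part of the original post or the poster's code. It swaps the SSL/RMI link for a Unix domain socket with an SO_PEERCRED check of the caller's UID (an assumption, Linux only); the secret-file path, socket path and WEBAPP_UID variable are likewise assumed.

```python
# Added sketch of the "separate secret-holding process" from the quoted message.
# Assumption, not the poster's SSL/RMI design: a Unix domain socket plus
# SO_PEERCRED lets the broker verify which local user is asking.
import os
import socket
import struct

SECRET_FILE = os.path.expanduser("~/.dbsecrets")  # assumed: broker-only, mode 0600
SOCKET_PATH = "/tmp/secret-broker.sock"           # assumed location

def load_secrets(text: str) -> dict:
    """Parse 'name=password' lines; blanks and '#' comments are skipped."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, password = line.partition("=")
            store[name.strip()] = password
    return store

def answer(peer_uid: int, allowed_uid: int, request: str, store: dict) -> str:
    """One request line -> one reply. Only the web-app UID may ask, and the
    reply never echoes the requested name, so probing reveals nothing."""
    if peer_uid != allowed_uid:
        return "DENIED\n"
    name = request.strip()
    if name not in store:
        return "UNKNOWN\n"
    return "OK " + store[name] + "\n"

def peer_uid(conn: socket.socket) -> int:
    # Linux-specific: struct ucred {pid, uid, gid} of the process on the other end
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)[1]

def serve(allowed_uid: int) -> None:
    # Run this as the dedicated broker user; the web app connects as its own UID.
    store = load_secrets(open(SECRET_FILE).read())
    if os.path.exists(SOCKET_PATH):
        os.unlink(SOCKET_PATH)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(SOCKET_PATH)
        os.chmod(SOCKET_PATH, 0o660)  # limit who can even connect
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn:
                req = conn.recv(256).decode("utf-8", "replace")
                conn.sendall(answer(peer_uid(conn), allowed_uid, req, store).encode())

if __name__ == "__main__":
    serve(int(os.environ["WEBAPP_UID"]))  # assumed: allowed UID given via env
```

An attacker who compromises the shared web-server account still has to become the broker user (or root) to read the secret file, which is the property the quoted message is after.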