RE: Securing encrypted data in RAM vs MSSQL
From: Philip Wagenaar (pb.wagenaarchello.nl)
Date: Thu Jul 01 2004 - 19:44:08 CDT
Why store the data encrypted in your RAM? Why not let the applications
handling the data worry about encryption?
Depending on the sort of information you are trying to encrypt you can
choose from several encryption methods.
Like George pointed out, it might be better to read a book about encryption
if you are looking for a broad view on encrypting data.
If you could give us some more information about what kind of data you want
to encrypt and how it is being used we could suggest some approaches.
On another note (as a Microsoft .NET developer) you might also want to look
into ASP.NET. ASP.NET better supports secure code and encryption in my
opinion through the support in the framework.
Also don't forget about securing your SQL Server if you choose to store your
data in it. You are only as secure as your weakest link.
From: Dave Andrews [mailto:davepint.com]
Sent: Thursday, July 1, 2004 23:48
To: George Capehart; webappsecsecurityfocus.com
Subject: RE: Securing encrypted data in RAM vs MSSQL
Thanks George and to everybody that did respond. All your advice is
I agree, the questions were rather open-ended. I left it this way
because I wanted to get a range of answers from people who have
considered the choice of encrypting an application session in memory and
attempting to share those sessions with different applications or merely
PGP encrypting DB data.
From: George Capehart [mailto:gwcacm.org]
Sent: Thursday, July 01, 2004 14:06 PM
Subject: Re: Securing encrypted data in RAM vs MSSQL
On Wednesday 30 June 2004 20:51, Dave Andrews allegedly wrote:
> Hello All,
> Is anyone aware of a way to store encrypted sensitive data in RAM for
> access via a web application using ASP? It would be posted in the
> same manner. Is storing in RAM preferable to using an encrypted
> database, in this case SQL 2000?
> Is there any way to securely delete or timeout the data after a
> certain period of time?
> If you discard the data are there potential problems with California
> SB 1386 and being able to track intrusions and possible data
> I'm not a developer, but want a better solution than what the
> developers and client have proposed.
Answers to crypto questions are very seldom simple or short. You've
asked some pretty open-ended questions for which there are many
answers. Choosing from among them will be your real task. Before you
do, I would urge you to at least skim _Practical_Cryptography_ by Niels
Ferguson and Bruce Schneier (ISBN 0-471-22357-3). Doing crypto well is
*very* hard. This book should help provide you with a context from
within which to evaluate the answers you get.
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"With sufficient thrust, pigs fly just fine." -- RFC 1925