Re: Encryption Key Question

[David Heise <dheise () gmail com>]

Essentially its not about the user, its about the software. I want to
ensure that only my software can talk to my webservice and vice versa.
I don't care about the user, or who is using it, but the application.
So, the thought is to have a unique method of sending and recieving
data...namely encryption. The user will supply credentials and
authenticate on top of this extra layer.


On Thu, 03 Mar 2005 14:10:06 -0600, Simon Zuckerbraun
<szucker () sst-pr-1 com> wrote:
> David: If I'm understanding you correctly, you have the following
> situation: An application, running on behalf of a particular user, has a
> piece of sensitive data that must be stored on the local computer. You
> are looking for a way to encrypt that data before storing it, so only
> that user will be able to access the data. Any other individual who gets
> access to the machine will not be able to access the data.
>
> Some operating systems have a facility for performing exactly that task.
> In Windows, this is known as DPAPI.
>
> Zaven: Here's a very quick explanation of how DPAPI works in Windows.
> For each user in the system, Windows generates a random "master key"
> used to encrypt the user's secrets. The master key is stored as part of
> the user's profile, encrypted with a key that is derived from the user's
> password. Unless the user is logged on to the system with the proper
> password, the master key can not be decrypted. (Warning! This is a bit
> oversimplified, as I am about to explain...)
>
> Enormous complications result from the fact that we need to be able to
> deal with password changes and resets. If the user forgets his password
> and an administrator forcibly resets it to a different string, there has
> to be some way for the user to regain access to his master key (which
> sits encrypted using the original password). Microsoft went to great
> lengths to ensure a proper balance between security and reliable means
> of recovery in the case of such interruptions in normal operations. In
> practice, the effectiveness of DPAPI depends on certain details of how
> the machine is configured; high-security configurations are achievable.
>
> I could go on and on about this. It's a topic that never ceases to
> facinate me.
>
> Lots can go wrong. Apply Keychain Manager was found to have a bad
> security hole (http://seclists.org/lists/bugtraq/2004/Jul/0166.html). I
> don't know the current status of that issue.
>
> David: You will find out - either that, or you've already found out -
> that there are no universal solutions in security. Every proposed
> solution has to be carefully evaluated to ensure that it accurately
> addresses the threats that are relevant. So I need to add this word of
> caution: I'm not telling you for sure that DPAPI (or the equivalent on
> another OS) is necessarily the appropriate solution to the problem you
> are working on. That's something that can only be decided after a
> careful, holistic study of the environment in which your system will
> operate, and the potential threats that need to be defended against.
>
> Simon
>
> > -----Original Message-----
> > From: Zaven [mailto:zaven () sonic net]
> > Sent: Wednesday, March 02, 2005 11:21 PM
> > To: David Heise; security-basics () securityfocus com
> > Subject: Re: Encryption Key Question
> >
> >
> > David Heise wrote:
> >
> > > Here's my question:
> > > What is the best method of storing this passphrase internally in the
> > > application such that it would be as secure as possible?
> >
> > AFAIK, you can't store the passphrase anywhere securely. You should
> > think in terms of requiring the user/other process/whatever to input the
> > passphrase in to authenticate, and then storing only the hash digest.
> >
> > If anyone knows how (e.g., Apple Keychain Manager) manages to diaplat
> > the plaintext of stored passwords, I'd like to know, because it makes me
> > nervous :)
> >
> > Zaven


-- 
David B Heise [dheise () gmail com]
http://endofuniverse.blogspot.com      Personal Blog
http://students.cs.byu.edu/~dheise    Personal Web
http://www.stonetempest.com           Company