Secure Coding mailing list archives
RE: Credentials for Application use
From: "Goertzel Karen" <goertzel_karen () bah com>
Date: Thu, 12 May 2005 19:26:03 +0100
I'm wondering whether role-based credentials, vs. individual user credentials, might not make more sense here. Could the database owner key be issued to a role vs. an individual identity? In this way, your human users could be associated with a role that has a right to issue a query to the database via the middleware, but only the middleware would be associated with the role that had access to the key that could decrypt the data that satisfies the user's query.

This does not, however, solve the problem of ensuring that the data remain secure once they are decrypted.

You don't mention the assurance level of the encryption used in the database - i.e., does it exceed the strength of SSL or TLS with encryption based on AES and Class 3 X.509 certificates?

Some interesting work going on at INRIA in France that may be relevant: www-smis.inria.fr/Etheme_2._Data_confidentiality.html

Also, some combination of the capabilities provided by nCipher may be of interest: www.ncipher.com

--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703-902-6981
[EMAIL PROTECTED]