WebApp Sec mailing list archives
RE: Securing encrypted data in RAM vs MSSQL
From: "Dave Andrews" <dave () pint com>
Date: Thu, 1 Jul 2004 14:47:48 -0700
Thanks George and to everybody that did respond. All your advice is greatly appreciated. I agree, the questions were rather open-ended. I left it this way because I wanted to get a range of answers from people who have considered the choice of encrypting an application session in memory and attempting to share those sessions with different applications or merely PGP encrypting DB data.

Thanks again,
--Dave Andrews

-----Original Message-----
From: George Capehart [mailto:gwc () acm org]
Sent: Thursday, July 01, 2004 14:06 PM
To: webappsec () securityfocus com
Subject: Re: Securing encrypted data in RAM vs MSSQL

On Wednesday 30 June 2004 20:51, Dave Andrews allegedly wrote:
Hello All,

Is anyone aware of a way to store encrypted sensitive data in RAM for access via a web application using ASP? It would be posted in the same manner. Is storing in RAM preferable to using an encrypted database, in this case SQL 2000? Is there any way to securely delete or timeout the data after a certain period of time? If you discard the data are there potential problems with California SB 1386 and being able to track intrusions and possible data compromise? I'm not a developer, but want a better solution than what the developers and client have proposed.
Dave,

Answers to crypto questions are very seldom simple or short. You've asked some pretty open-ended questions for which there are many answers. Choosing from among them will be your real task. Before you do, I would urge you to at least skim _Practical_Cryptography_ by Niels Ferguson and Bruce Schneier (ISBN 0-471-22357-3). Doing crypto well is *very* hard. This book should help provide you with a context from within which to evaluate the answers you get.

Best regards,
George Capehart

--
George W. Capehart
Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA
"With sufficient thrust, pigs fly just fine." -- RFC 1925