WebApp Sec mailing list archives

RE: Securing encrypted data in RAM vs MSSQL


From: "Dave Andrews" <dave () pint com>
Date: Thu, 1 Jul 2004 14:47:48 -0700

Thanks George and to everybody that did respond.  All your advice is
greatly appreciated.
I agree, the questions were rather open-ended.  I left it this way
because I wanted to get a range of answers from people who have
considered the choice of encrypting an application session in memory and
attempting to share those sessions with different applications or merely
PGP encrypting DB data.  

Thanks again,
--Dave Andrews

-----Original Message-----
From: George Capehart [mailto:gwc () acm org] 
Sent: Thursday, July 01, 2004 14:06 PM
To: webappsec () securityfocus com
Subject: Re: Securing encrypted data in RAM vs MSSQL


On Wednesday 30 June 2004 20:51, Dave Andrews allegedly wrote:
> Hello All,
>
> Is anyone aware of a way to store encrypted sensitive data in RAM for
> access via a web application using ASP?  It would be posted in the
> same manner. Is storing in RAM preferable to using an encrypted
> database, in this case SQL 2000?
> Is there any way to securely delete or timeout the data after a
> certain period of time?
> If you discard the data are there potential problems with California
> SB 1386 and being able to track intrusions and possible data
> compromise?
>
> I'm not a developer, but want a better solution than what the
> developers and client have proposed.

Dave,

Answers to crypto questions are very seldom simple or short.  You've 
asked some pretty open-ended questions for which there are many 
answers.  Choosing from among them will be your real task.  Before you 
do, I would urge you to at least skim _Practical_Cryptography_ by Niels 
Ferguson and Bruce Schneier (ISBN 0-471-22357-3).  Doing crypto well is 
*very* hard.  This book should help provide you with a context from 
within which to evaluate the answers you get.

Best regards,

George Capehart
-- 
George W. Capehart

Key fingerprint:  3145 104D 9579 26DA DBC7  CDD0 9AE1 8C9C DD70 34EA

"With sufficient thrust, pigs fly just fine."  -- RFC 1925


