WebApp Sec mailing list archives
RE: Securing encrypted data in RAM vs MSSQL
From: Bénoni MARTIN <Benoni.MARTIN () libertis ga>
Date: Thu, 1 Jul 2004 18:19:25 +0100
Well, there is always a way to recover the real password or login from a hash...the matter's is the time it will take! The method to "dehash" a hash is quite simple: as theorically a hash_1 can be produced by a single pass_1/login_1/..., we can create a huge amount of random pass_2/logins_2/..., hash them with MD5/SHA-1/... and then compare each of them with our hash_1. ASA the two hashes are the same, we can pick up the pass/login/... which produced hash_2. Quite simple but really long to perform. BTW, Cain & Abel, John the Ripper and Crack can perform such recoveries... :) -----Message d'origine----- De : Toro, Daniel [mailto:tcvx () taconvino cl] Envoyé : jeudi 1 juillet 2004 17:33 À : Stan Guzik; Dave Andrews; webappsec () securityfocus com; forensics () securityfocus com Objet : Re: Securing encrypted data in RAM vs MSSQL Related to point 3.A below: Is it really necessary to delete the data if it's encrypted with a one-way encryption algo like MD5? There's no way to recover data from the message digest produced by MD5 that I know of. Of course, I don't know everithing. :-) On Thu, 1 Jul 2004 09:24:55 -0400, Stan Guzik <SGuzik () ImmediaTech com> wrote:
See reply below. Good Luck, Stan -----Original Message----- From: Dave Andrews [mailto:dave () pint com] Sent: Wednesday, June 30, 2004 8:52 PM To: webappsec () securityfocus com; forensics () securityfocus com Subject: Securing encrypted data in RAM vs MSSQL Hello All, Is anyone aware of a way to store encrypted sensitive data in RAM for access via a web application using ASP? 1) You can create an ActiveX EXE that will remain in memory. When the web application loads instantiate the ActiveX EXE and access it like any other dll. It would be posted in the same manner. Is storing in RAM preferable to using an encrypted database, in this case SQL 2000? 2) It depends on the application and network environment. This is a difficult question to answer not knowing more details. Is there anyway to securely delete or timeout the data after a certain period of time? 3) A. If you store the data in memory you can kill the instance of the object and the memory will be released. Depending on the type of RAM you have the data may or may nor remain on the chip for a short period of time. B. I'm not sure how to easily delete data from a SQL Server DB and not have it recovered by a forensics tool. A difficult way of doing it is to compact the SQL Server DB which will shrink the DB file size and then use PGP Freespace Wipe to permanently delete any residual data on the hard drive. This is a good question, anybody know of a better way? C. PGP Wipe is a good tool with API support to delete files so a forensics tool can't recover the data. If you discard the data are there potential problems with California SB 1386 and being able to track intrusions and possible data compromise? I'm not a developer, but want a better solution than what the developers and client have proposed. Thanks in advance Dave Andrews PINT, Inc 2105 Garnet Ave. Suite E San Diego, CA 92109 TEL 858.270.2086 FAX 858.270.0410
-- TCV
Current thread:
- Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL George Capehart (Jul 01)
- <Possible follow-ups>
- RE: Securing encrypted data in RAM vs MSSQL Stan Guzik (Jul 01)
- Re: Securing encrypted data in RAM vs MSSQL Toro, Daniel (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Yvan Boily (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dean Saxe (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Bénoni MARTIN (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Mark Curphey (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Dave Andrews (Jul 01)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL Lucas Holt (Jul 06)
- Re: Securing encrypted data in RAM vs MSSQL Ivan Krstic (Jul 06)
- RE: Securing encrypted data in RAM vs MSSQL Philip Wagenaar (Jul 02)
- RE: Securing encrypted data in RAM vs MSSQL Michael Silk (Jul 02)
- Re: Securing encrypted data in RAM vs MSSQL exon (Jul 02)