WebApp Sec mailing list archives
RE: secure storage of sensitive data in J2EE
From: Alexander Klimov <alserkli () inbox ru>
Date: Mon, 31 Jan 2005 11:01:09 +0200 (IST)
On Mon, 31 Jan 2005, Erez Metula wrote:
> I think that the issue here is sensitive information stored on the server side like connection strings, encryption keys and such. You can't ask the user to enter a password for this kind of information. Storing this information in a file in cleartext won't protect this information from someone who has access to the server, for example a legitimate (malicious) admin user or a hacker who had managed to break into the system.
It is not worth worrying about malicious admins: he can add a keylogger to get the password, he can change the app to send him secret keys, etc. You have to trust[*] your admin, at least on systems where admin can do everything. (Note that in many cases even if it seems that admin can't do everything (as, e.g., on Windows), in fact he can.)

[*] "In the US Department of Defense, a `trusted system or component' is defined as `one which can break the security policy'"

--
Regards,
ASK