WebApp Sec mailing list archives
Re: Encrypting Cached data
From: Yousef Syed <yousef.syed () gmail com>
Date: Tue, 6 Dec 2005 17:01:13 +0000
Thanx to everyone for their advice. I think I'll lean toward encrypting the drive/partition where the cache is stored. Thanx, ys On 05/12/05, Hudel, Chris <Chris.Hudel () lendingtree com> wrote:
I believe the author is talking about creating or using a cache for the application, not the end-user's cache. Ie: Fetch account details from the mainframe and cache them for faster customer page reloads. The tricky part is, if you use the application to protect the cache and the application becomes hacked, then well - the cache data becomes available. (You could argue this is not an increase in risk, since if the application is hacked, the hacked app could be expected to access the mainframe and fetch current account details anyway) So, in that case, you might consider protection methods that are independent of the application. For example, a smaller DB to store cache information with row-level encryption, whose key is a derived based on the individual's temporary session credentials. However, this might be slower than talking to the mainframe! Or perhaps an encrypting file system. Whatever you decide, some general security principles are in order: - do not keep any cache on the presentation layer (restrict to application) - protect the cache data -at rest- within the cache with the same security you would protect the data, when stored permanently - prevent the abuse of application server from bulk disclosure of cache contents (ie: row-level encryption or protection based on session id) You might also consider having the cache within the DB or middleware server (rather than the application server) to move the attack vector furthest from the end-user. PS: Regarding the caching of information at the user's browser -- caching is typically enabled and the default setting. Application developers need to apply all the proper web server controls to "suggest" the browser not cache the content. Typically, I've recommended using all available HTTP no-cache directives, headers, and meta keywords. While this may be 'overkill', my experience has been that some browsers just can't take a hint! -----Original Message----- From: Georgi Alexandrov [mailto:georgi.alexandrov () gmail com] Sent: Monday, December 05, 2005 6:26 AM To: webappsec () securityfocus com Subject: Re: Encrypting Cached data Yousef Syed wrote:Hi, Is it possible to encrypt data stored in the cache of a Web Server or Application server? We'd like to use caching for performance reasons, but don't want securedata to be viewable if the server is compromised. What is the best way to do this? Thanx, ys -- Yousef Syed "One senior official said the consultancy "doesn't have the greatest ofreputations among civil servants. They come and state the bleeding obvious using Powerpoint"."Actually i don't think you have a problem at all. 99.9% of the secure/sensitive web data these days is transfered via https (SSL/TLS). E.g. usernames and passwords, credit card information, etc. Proxy/cache servers don't cache SSL/TLS data because it's useless. They cache only the non-encrypted content. regards, Georgi Alexandrov
-- Yousef Syed "One senior official said the consultancy "doesn't have the greatest of reputations among civil servants. They come and state the bleeding obvious using Powerpoint"."
Current thread:
- Encrypting Cached data Yousef Syed (Dec 01)
- Re: Encrypting Cached data Olaf Reitmaier (Dec 02)
- Re: Encrypting Cached data Georgi Alexandrov (Dec 05)
- <Possible follow-ups>
- RE: Encrypting Cached data Ig Vermaak (Dec 01)
- RE: Encrypting Cached data Hudel, Chris (Dec 05)
- Re: Encrypting Cached data Yousef Syed (Dec 06)
- Re: Encrypting Cached data Georgi Alexandrov (Dec 06)