Security Basics mailing list archives
Re: Encryption Key Question
From: David Heise <dheise () gmail com>
Date: Mon, 28 Feb 2005 11:22:12 -0700
For the specific application that I'm doing, the individual security of each customer's location isn't really an issue since this is one minor level of security of the overall application. What are the other problems with this approach? Or better yet, what is a better approach that does NOT rely on the user suppling credentials (req), but can be encoded into the application itself (software only). On Mon, 28 Feb 2005 09:19:44 -0800, David Gillett <gillettdavid () fhda edu> wrote:
Hard coding encryption keys into applications is *extremely* poor practice. The possibility of extracting the key from the binary is only one of the problems with this approach. We have an application here which is coded that way. One of my concerns has to be that every copy of this application at every customer site uses exactly the same hard-coded key, so the security of our data can never be much more than that of the application's LEAST secure customer site. David Gillett-----Original Message----- From: David Heise [mailto:dheise () gmail com] Sent: Friday, February 25, 2005 4:57 PM To: security-basics () securityfocus com Subject: Encryption Key Question I have a situation which seems to be an endless loop but maybe someone out here can help me. I'm using SHA-256 has my hash function and AES as the encryption method. I have a byte array of data and a string that is the passphrase (currently the string is 306 characters long). I hash the passphrase and use it to encrypt the data. Since I'm writing this as part of an application I want to hardcode the passphrase into the application, however as a string it would be fairly simple to find it in the complied code. Here's my question: What is the best method of storing this passphrase internally in the application such that it would be as secure as possible? Unrelated Question: Is there any security hole in using the data as the key? (other than it makes it hard/impossible to get it back out) Thanks -- David B Heise [dheise () gmail com] http://students.cs.byu.edu/~dheise
-- David B Heise [dheise () gmail com] http://endofuniverse.blogspot.com Personal Blog http://students.cs.byu.edu/~dheise Personal Web http://www.stonetempest.com Company
Current thread:
- Encryption Key Question David Heise (Feb 28)
- RE: Encryption Key Question David Gillett (Feb 28)
- Re: Encryption Key Question David Heise (Feb 28)
- RE: Encryption Key Question blind_chipmunk (Mar 01)
- RE: Encryption Key Question Alexander Klimov (Mar 02)
- Re: Encryption Key Question David Heise (Feb 28)
- RE: Encryption Key Question David Gillett (Feb 28)
- Re: Encryption Key Question Zaven (Mar 03)
- <Possible follow-ups>
- RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
- Re: Encryption Key Question David Heise (Mar 04)
- RE: Encryption Key Question David Gillett (Mar 04)
- Re: Encryption Key Question David Heise (Mar 04)
- RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
- RE: Encryption Key Question Simon Zuckerbraun (Mar 04)
- Re: Encryption Key Question Dr. S. A. Vetha Manickam (Mar 04)