WebApp Sec mailing list archives

RE: Securing encrypted data in RAM vs MSSQL


From: "Stan Guzik" <SGuzik () ImmediaTech com>
Date: Thu, 1 Jul 2004 09:24:55 -0400

See reply below. 

Good Luck,
Stan

-----Original Message-----
From: Dave Andrews [mailto:dave () pint com] 
Sent: Wednesday, June 30, 2004 8:52 PM
To: webappsec () securityfocus com; forensics () securityfocus com
Subject: Securing encrypted data in RAM vs MSSQL

Hello All, 

Is anyone aware of a way to store encrypted sensitive data in RAM for
access via a web application using ASP?

1) You can create an ActiveX EXE that will remain in memory.  When the
web application loads, instantiate the ActiveX EXE and access it like any
other dll.


It would be posted in the same manner.

Is storing in RAM preferable to using an encrypted database, in this
case SQL 2000?

2) It depends on the application and network environment.  This is a
difficult question to answer not knowing more details.

Is there any way to securely delete or timeout the data after a certain
period of time?

3) A. If you store the data in memory you can kill the instance of the
object and the memory will be released.  Depending on the type of RAM
you have the data may or may not remain on the chip for a short period
of time.

B. I'm not sure how to easily delete data from a SQL Server DB and not
have it recovered by a forensics tool.  A difficult way of doing it is
to compact the SQL Server DB which will shrink the DB file size and then
use PGP Freespace Wipe to permanently delete any residual data on the
hard drive.  This is a good question, anybody know of a better way?

C. PGP Wipe is a good tool with API support to delete files so a
forensics tool can't recover the data.

If you discard the data are there potential problems with California SB
1386 and being able to track intrusions and possible data compromise?

I'm not a developer, but want a better solution than what the developers
and client have proposed.

Thanks in advance
Dave Andrews
PINT, Inc 
2105 Garnet Ave. Suite E 
San Diego, CA 92109 
TEL 858.270.2086 
FAX 858.270.0410
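
An added example, not part of the original thread or either poster's code, illustrating the timeout-and-delete question above in C rather than ASP/ActiveX: a secret held in process memory with an expiry, overwritten explicitly instead of relying on the memory merely being released. The names secret_slot, slot_store, slot_read, slot_clear, slot_is_wiped and SLOT_MAX are hypothetical, and the sample secret is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define SLOT_MAX 64              /* hypothetical fixed capacity */
typedef struct {
    unsigned char buf[SLOT_MAX];
    size_t len;                  /* 0 = empty */
    time_t expires;              /* absolute expiry time */
} secret_slot;

/* Volatile stores so the compiler cannot discard the overwrite as dead code. */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}
void slot_clear(secret_slot *s) {
    wipe(s->buf, sizeof s->buf);
    s->len = 0; s->expires = 0;
}

int slot_store(secret_slot *s, const void *data, size_t len, time_t now, long ttl) {
    slot_clear(s);               /* never leave an older value behind */
    if (len == 0 || len > SLOT_MAX || ttl <= 0) return -1;
    memcpy(s->buf, data, len);
    s->len = len; s->expires = now + ttl;
    return 0;
}

/* Returns bytes copied, -1 if empty or expired (wiped on expiry), -2 if out is too small. */
int slot_read(secret_slot *s, void *out, size_t outlen, time_t now) {
    if (s->len == 0) return -1;
    if (now >= s->expires) { slot_clear(s); return -1; }
    if (outlen < s->len) return -2;
    memcpy(out, s->buf, s->len);
    return (int)s->len;
}
int slot_is_wiped(const secret_slot *s) {
    for (size_t i = 0; i < SLOT_MAX; i++) if (s->buf[i]) return 0;
    return s->len == 0;
}

int main(void) {
    secret_slot s;
    unsigned char out[SLOT_MAX];
    const char sample[] = "constructed-sample-secret";  /* constructed value */
    slot_store(&s, sample, sizeof sample, 1000, 30);
    printf("t=1010 -> %d\n", slot_read(&s, out, sizeof out, 1010));
    printf("t=1030 -> %d\n", slot_read(&s, out, sizeof out, 1030));
    wipe(out, sizeof out);       /* callers must clear their own copies too */
    return 0;
}
```

The expiry here is enforced only when the slot is next read; a long-lived process would also call slot_clear from a timer so an idle secret does not outlive its TTL.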
