WebApp Sec mailing list archives

Re: Encrypting Cached data


From: Georgi Alexandrov <georgi.alexandrov () gmail com>
Date: Tue, 06 Dec 2005 17:33:59 +0200

Hudel, Chris wrote:

> I believe the author is talking about creating or using a cache for the
> application, not the end-user's cache, i.e. fetch account details from
> the mainframe and cache them for faster customer page reloads. The
> tricky part is, if you use the application to protect the cache and the
> application becomes hacked, then, well, the cache data becomes
> available. (You could argue this is not an increase in risk, since if
> the application is hacked, the hacked app could be expected to access
> the mainframe and fetch current account details anyway.)
>
> So, in that case, you might consider protection methods that are
> independent of the application. For example, a smaller DB to store
> cache information with row-level encryption, whose key is derived
> from the individual's temporary session credentials. However, this
> might be slower than talking to the mainframe! Or perhaps an encrypting
> file system.
>
> Whatever you decide, some general security principles are in order:
> - do not keep any cache on the presentation layer (restrict it to the
> application)
> - protect the cache data at rest within the cache with the same
> security you would use to protect the data when stored permanently
> - prevent abuse of the application server for bulk disclosure of cache
> contents (i.e. row-level encryption or protection based on session ID)
>
> You might also consider having the cache within the DB or middleware
> server (rather than the application server) to move the attack vector
> furthest from the end user.
>
> PS: Regarding the caching of information at the user's browser:
> caching is typically enabled and the default setting. Application
> developers need to apply all the proper web server controls to "suggest"
> that the browser not cache the content. Typically, I've recommended using all
> available HTTP no-cache directives, headers, and meta keywords. While
> this may be 'overkill', my experience has been that some browsers just
> can't take a hint!

I believe you live in your own world ;-)
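Editor's added example (not code from either poster): the "smaller DB with row-level encryption, whose key is derived from the session credentials" idea from the quoted message, in Go using only the standard library. The key derivation is HMAC-SHA256 over a server-held secret and the session token (an assumption made here, in place of a dedicated KDF), each row is sealed with AES-256-GCM, and the account ID is bound as associated data. The `serverSecret`, the session tokens, the account ID and the JSON record are all constructed sample values; `SessionCache` is a map standing in for the cache database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed server-side secret (assumption for this example). It must live
// outside the cache store, otherwise a dump of the cache is enough to decrypt it.
var serverSecret = []byte("constructed-server-secret-do-not-ship")

// deriveRowKey returns HMAC-SHA256(serverSecret, "cache-row-key" || token).
// Each session gets its own AES-256 key, so rows sealed under one session
// cannot be opened with another session's token, and a bulk read of the
// cache tables yields only ciphertext.
func deriveRowKey(sessionToken string) []byte {
	mac := hmac.New(sha256.New, serverSecret)
	mac.Write([]byte("cache-row-key"))
	mac.Write([]byte(sessionToken))
	return mac.Sum(nil) // 32 bytes
}

func newGCM(sessionToken string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveRowKey(sessionToken))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRow encrypts one cached record with AES-256-GCM. The random nonce is
// prepended to the ciphertext, and accountID is bound as associated data so
// a sealed row cannot be moved into another account's slot undetected.
func sealRow(sessionToken, accountID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(sessionToken)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(accountID)), nil
}

// openRow reverses sealRow. A wrong session token, a different accountID or
// a modified blob all fail GCM authentication and return an error.
func openRow(sessionToken, accountID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(sessionToken)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed row too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(accountID))
}

// SessionCache stands in for the "smaller DB" of the post: it holds only
// sealed rows, keyed by account ID, and never sees a session key.
type SessionCache struct {
	rows map[string][]byte
}

func NewSessionCache() *SessionCache { return &SessionCache{rows: map[string][]byte{}} }

func (c *SessionCache) Put(sessionToken, accountID string, details []byte) error {
	sealed, err := sealRow(sessionToken, accountID, details)
	if err != nil {
		return err
	}
	c.rows[accountID] = sealed
	return nil
}

func (c *SessionCache) Get(sessionToken, accountID string) ([]byte, error) {
	sealed, ok := c.rows[accountID]
	if !ok {
		return nil, errors.New("cache miss")
	}
	return openRow(sessionToken, accountID, sealed)
}

// Raw exposes the stored blob exactly as a cache dump would.
func (c *SessionCache) Raw(accountID string) []byte { return c.rows[accountID] }

func main() {
	cache := NewSessionCache()
	// Constructed sample record, as if fetched from the mainframe for session A.
	if err := cache.Put("sess-A", "acct-1001", []byte(`{"balance":"1234.56"}`)); err != nil {
		panic(err)
	}
	got, err := cache.Get("sess-A", "acct-1001")
	fmt.Println("same session:", string(got), err)
	_, err = cache.Get("sess-B", "acct-1001")
	fmt.Println("other session:", err)
}
```

The cost the quoted message warns about is real: every cache hit now pays an HMAC and an AES-GCM open, and a row cached under one session is useless to any other session, so a shared across-user cache gets no benefit from this scheme. The same key derivation also means that when the session token expires, its rows become unreadable on their own, which is the property the post is after.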

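Editor's added example for the PS in the quoted message, not code from either poster: the "all available HTTP no-cache directives, headers, and meta keywords" approach as a Go `net/http` middleware, with the meta-tag equivalents and a check function that a test or scanner can run against a captured response. `accountHandler`, the `/account` path and the HTML body are constructed stand-ins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// The belt-and-braces header set: HTTP/1.1 Cache-Control directives plus the
// HTTP/1.0-era Pragma and Expires fields for caches that ignore Cache-Control.
// no-store is the directive that actually forbids storing the response;
// no-cache alone only forces revalidation of a copy that was still stored.
var noStoreHeaders = map[string]string{
	"Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
	"Pragma":        "no-cache",
	"Expires":       "0",
}

// The meta-tag equivalents for the page body. Intermediary caches never see
// them, so they supplement the headers rather than replace them.
const noStoreMeta = `<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="0">`

// NoStore wraps a handler so that every response it writes carries the
// no-store headers. They are set before next runs, so a handler that starts
// writing its body early still gets them.
func NoStore(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range noStoreHeaders {
			w.Header().Set(k, v)
		}
		next.ServeHTTP(w, r)
	})
}

// ResponseForbidsCaching is the check to run against a captured response:
// Cache-Control must contain the no-store directive, and the legacy fields
// must be present with the expected values.
func ResponseForbidsCaching(h http.Header) bool {
	hasNoStore := false
	for _, d := range strings.Split(strings.ToLower(h.Get("Cache-Control")), ",") {
		if strings.TrimSpace(d) == "no-store" {
			hasNoStore = true
		}
	}
	return hasNoStore &&
		strings.EqualFold(h.Get("Pragma"), "no-cache") &&
		h.Get("Expires") == "0"
}

// accountHandler is a constructed stand-in for a page that renders fetched
// account details into HTML, with the meta tags in its head.
func accountHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, "<html><head>%s</head><body>account details</body></html>", noStoreMeta)
}

// serve runs one GET through the given handler with httptest and returns the
// recorded response, so headers can be inspected without a real server.
func serve(h http.Handler) *http.Response {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/account", nil))
	return rec.Result()
}

// ProtectedAccountResponse is the wrapped handler's response; BareAccountResponse
// shows the same page served without the middleware.
func ProtectedAccountResponse() *http.Response {
	return serve(NoStore(http.HandlerFunc(accountHandler)))
}

func BareAccountResponse() *http.Response {
	return serve(http.HandlerFunc(accountHandler))
}

func main() {
	for name, resp := range map[string]*http.Response{
		"protected": ProtectedAccountResponse(),
		"bare":      BareAccountResponse(),
	} {
		fmt.Printf("%s: forbids caching = %v, Cache-Control=%q\n",
			name, ResponseForbidsCaching(resp.Header), resp.Header.Get("Cache-Control"))
	}
}
```

The check deliberately refuses a response that carries only `no-cache`: that directive permits the browser to keep a copy and merely revalidate it, so a page with account details is still on disk. The redundant `Pragma` and `Expires` fields cost nothing and cover the older agents and proxies the quoted message has in mind.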
