hiding encryption keys

Subject Author Date
hiding encryption keys phillipkim1 08-12-2005
Posted by phillipkim1 on August 12, 2005, 3:32 pm
Hello,

I am in discussions with a vendor regarding the storing of encryption
keys on systems that exchange information through an application. The
vendor is advising against storing the keys in the registry and
suggests hiding them somewhere in the filesystem. They suggest that
the registry is the first place an attacker would look.

The systems are open to the public internet and web traffic. If the
keys need to be accessible to the system somewhere locally, which would
be a better place to store the keys and why? I would think the
registry would be safer than the file system. Thanks in advance.

Phillip



Posted by Unruh on August 12, 2005, 11:07 pm
phillipkim1@yahoo.com writes:

>Hello,

>I am in discussions with a vendor regarding the storing of encryption
>keys on systems that exchange information through an application. The
>vendor is advising against storing the keys in the registry and
>suggests hiding them somewhere in the filesystem. They suggest that
>the registry is the first place an attacker would look.

>The systems are open to the public internet and web traffic. If the
>keys need to be accessible to the system somewhere locally, which would
>be a better place to store the keys and why? I would think the
>registry would be safer than the file system. Thanks in advance.


Yee gads. Is it better if I have my leg chopped off or is it better if I
chop off my hand? I think that this system needs rethinking. The registry
or a file are almost equally bad as you have to assume that the attacker
will know where the keys are kept. It is not a secret which you should have
any confidence that you can keep (especially as you are running a Windows
machine, whose ability to keep secrets is not very great)
(For all you know one of the employees of the vendor's
company is a spy for the Mafia).

Why do the keys need to be on that system at all? Why cannot the critical
information be kept on a machine which is not connected to the net, except
perhaps by a very very very restricted or even one way pipe?

>Phillip



Posted by TC on August 12, 2005, 11:35 pm
All registry and filesystem access can be easily detected using free
tools from various sources. So you have to assume that whatever you put
in either place, is actually open for all to see.

HTH,
TC



Posted by Joseph Ashwood on August 13, 2005, 3:44 am
> Hello,
>
> I am in discussions with a vendor regarding the storing of encryption
> keys on systems that exchange information through an application. The
> vendor is advising against storing the keys in the registry and
> suggests hiding them somewhere in the filesystem. They suggest that
> the registry is the first place an attacker would look.
>
> The systems are open to the public internet and web traffic. If the
> keys need to be accessible to the system somewhere locally, which would
> be a better place to store the keys and why? I would think the
> registry would be safer than the file system. Thanks in advance.

I'll agree with Unruh that the situation is not at its best.

IIRC correctly it is easier to protect something in the Windows registry by
using the encrypted interfaces, but IIRC these are broken so the extra
security is minimal at best. The typical way of creating a system that has
the potential to be secure is to store Encrypt(User_key, encryption_keys)
(i.e. encryption_keys encrypted with the User_key), then require that the
user enter the User_key, this is a very simplified (e.g. has holes) version
of what PGP does, where the storage occurs actually becomes generally
irrelevant.

To have something secure requires secure storage of some kind, whether that
is hardware or the human brain is a potentially very complex design
decision.
Joe




Posted by Volker Birk on August 13, 2005, 9:10 am
In comp.security.misc phillipkim1@yahoo.com wrote:
> I am in discussions with a vendor regarding the storing of encryption
> keys on systems that exchange information through an application. The
> vendor is advising against storing the keys in the registry and
> suggests hiding them somewhere in the filesystem. They suggest that
> the registry is the first place an attacker would look.
> The systems are open to the public internet and web traffic. If the
> keys need to be accessible to the system somewhere locally, which would
> be a better place to store the keys and why? I would think the
> registry would be safer than the file system. Thanks in advance.

Don't store unencrypted keys anywhere, where other users theoretically
can read them.

Better use a passphrase and store them encrypted, or store them in
a crypto-container.

It does not matter whether you store them in the registry or in a file
system. "Hiding" them by obscuring the place they're stored will not
work at all.

Posting has nothing to do with the science of cryptography, so F'up
corrected.

Yours,
VB.
--
"Almighty Father, who wilt hear the prayer of those that love Thee, we pray
Thee to be with those who brave heights of Thy heaven and who carry the
battle to our enemies. Guard and protect them, we pray Thee, as they fly
the appointed rounds." - Chaplain William Downey, prayer for the Enola Gay.
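
Added example, not part of any post in this thread: a sketch of the Encrypt(User_key, encryption_keys) scheme Joseph Ashwood describes and the passphrase-encrypted storage Volker Birk recommends, using Node.js's built-in `crypto` module. The function names, the JSON blob layout and the scrypt parameters are assumptions made for illustration.

```javascript
// Added example: Encrypt(User_key, encryption_keys) with scrypt + AES-256-GCM.
const crypto = require('node:crypto');

// scrypt cost parameters (assumed values; tune for your hardware).
const KDF = { N: 16384, r: 8, p: 1 };

// Derive the 256-bit key-encryption key (the thread's "User_key") from a
// passphrase that is entered at start-up and never stored next to the blob.
function deriveKek(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, KDF);
}

// Wrap the application's data key. The returned string is what goes into the
// registry value or file; its location no longer needs to be hidden.
function wrapKey(passphrase, dataKey) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, fresh for every wrap
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKek(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(dataKey), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return JSON.stringify({ v: 1, salt: b64(salt), iv: b64(iv),
                          tag: b64(cipher.getAuthTag()), ct: b64(ct) });
}

// Unwrap the stored blob. Returns the data key as a Buffer, or null when the
// passphrase is wrong or the blob was modified (GCM tag check fails).
function unwrapKey(passphrase, blob) {
  try {
    const b = JSON.parse(blob);
    if (b.v !== 1) return null;
    const raw = (s) => Buffer.from(s, 'base64');
    const d = crypto.createDecipheriv('aes-256-gcm', deriveKek(passphrase, raw(b.salt)), raw(b.iv));
    d.setAuthTag(raw(b.tag));
    return Buffer.concat([d.update(raw(b.ct)), d.final()]);
  } catch (err) {
    return null;
  }
}

// Constructed sample values, for illustration only.
const dataKey = crypto.randomBytes(32);
const stored = wrapKey('constructed example passphrase', dataKey);
console.log(unwrapKey('constructed example passphrase', stored).equals(dataKey));
console.log(unwrapKey('wrong guess', stored));
```

The protection rests entirely on the passphrase: anyone who can read the stored blob can run offline guesses against it, which is what the scrypt cost parameters are there to slow down.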

