key storage

Ajay abra9823 at mail.usyd.edu.au
Fri Aug 27 00:13:48 EDT 2004


--
Ajay Brar,
CS Honours 2004
Smart Internet Technology Research Group


Quoting Paul Rubin <"http://phr.cx"@NOSPAM.invalid>:

> Ajay <abra9823 at mail.usyd.edu.au> writes:
> > the MIT paper mentions including HMAC's in the cookie and so on. the
> > question still is - how are the keys stored? HMAC's require a key, as do
> > digital signatures. how are all these keys stored in a secure manner on
> > the server? obviously they'd be encrypted but then the key used for
> > encrypting the above key - how is that stored?
>
> Well, just what are you trying to protect?  Access to the application
> and its data?  What happens if you just put the key in a disk file?
> If someone can get at it, can't they also get at the rest of the data,
> so the key is no longer helping protect that data?  Who are you trying
> to keep the key secret from?
> --

well i am really trying to restrict access to certain users. session
management is done using a cookie, and the cookie includes a keyed hash
digest of the rest of the cookie data. so that's the first key. the second
key is the private key used to sign documents which users can download
from the site. so it's basically access to the application that i am trying
to protect.
i don't intend to put the key in an unencrypted form on a file and leave it
there - and hence my question. and the best answer so far has been some
sort of proxy service activated using a passphrase which deciphers a
passphrase encrypted file and reads keys from there. a second option may
be a similar service which is started by an admin and reads keys from the
file. the file can then be removed from the server and the keys stay in
memory. my app can then request the keys from the proxy.
of course this then involves ensuring authorized access only to the proxy
and a whole new set of mechanisms to prevent unauthorized access to the
proxy.
any more suggestions are most welcome.

cheers
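
A sketch of the passphrase-unlocked key holder and the keyed-digest cookie described in the message above, added as an example and not part of the original post. The names `wrap_key`, `unwrap_key` and `CookieSigner`, the blob layout and the PBKDF2 work factor are assumptions; masking the key with PBKDF2-derived output plus an HMAC tag is a standard-library stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

ROUNDS = 100_000  # assumed PBKDF2 work factor; tune for your hardware

def _subkeys(passphrase, salt):
    """Passphrase -> (32-byte pad, 32-byte MAC key) for one key file."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase, salt, ROUNDS)
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def wrap_key(passphrase, key):
    """Build the key-file blob: salt(16) || masked key || tag(32)."""
    if len(key) > 32:
        raise ValueError("this sketch wraps keys of at most 32 bytes")
    salt = os.urandom(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _subkeys(passphrase, salt)
    ct = bytes(k ^ p for k, p in zip(key, pad))
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()

def unwrap_key(passphrase, blob):
    """Check the tag first, then unmask; a wrong passphrase raises."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    pad, mac_key = _subkeys(passphrase, salt)
    good = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong passphrase or corrupted key file")
    return bytes(c ^ p for c, p in zip(ct, pad))

class CookieSigner:
    """Unlocked once at startup; the key then lives only in this process."""

    def __init__(self, passphrase, blob):
        self._key = unwrap_key(passphrase, blob)

    def _tag(self, data):
        return hmac.new(self._key, data.encode(), hashlib.sha256).hexdigest()

    def issue(self, data):
        return data + "|" + self._tag(data)

    def verify(self, cookie):
        """Return the cookie data if its digest is valid, else None."""
        data, _, tag = cookie.rpartition("|")
        ok = hmac.compare_digest(tag.encode(), self._tag(data).encode())
        return data if ok else None
```

Because the signer only exposes `issue` and `verify`, the application never handles the raw key, and the wrapped blob can be deleted from disk once the process has started.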
