key storage

Paul Rubin http
Fri Aug 27 04:55:50 CEST 2004

Ajay <abra9823 at> writes:
> the MIT paper mentions including HMAC's in the cookie and so on. the
> question still is - how are the keys stored? HMAC's require a key, as do
> digital signatures. how are all these keys stored in a secure manner on
> the server? obviously they's be encrypted but then the key used for
> encrypting the above key - how is that stored?

Well, just what are you trying to protect?  Access to the application
and its data?  What happens if you just put the key in a disk file?
If someone can get at it, can't they also get at the rest of the data,
so the key is no longer helping protect that data?  Who are you trying
to keep the key secret from?

More information about the Python-list mailing list