|
|
Posted by Andy Hassall on 07/03/06 19:27
On Mon, 3 Jul 2006 19:05:55 +0200, "Alvaro G. Vicario"
<webmaster@NOSPAMdemogracia.com> wrote:
>Im writing a web application that needs to keep passwords in a database.
>These passwords are for third-party services and are different from the
>regular login passwords.
>
>I dont like storing this sensitive info as plain text and one-way hashing
>is not an option because I need the actual passwords. Ive done some quick
>research and it seems that symmetric encryption algorithms (blowfish, AES
)
>provide a reasonable solutionI dont need a 100% hacker-proof system but I
>dont want my security to be too dumb.
>
>These encryption methods, of course, rely on secret keys. And thats my
>doubt: how do I keep these keys so the system is not too insecure?
The first thing to ask is what do you trust?
Are you the administrator of the machine, and/or do you trust the person with
root, and are you the only user of the system? If all of the above, storing the
key on the machine _may_ be acceptable, but it still depends on the sensitivity
of the data.
If you don't explicitly trust the admin, then you can't store the keys on the
server for the reasons you state, because you can't keep a secret hidden in
that case.
>An include file with a constant or variable must be world-readable if I want
>to use if from a web site.
Careful there - it needs to be web-server readable, which is not quite as
broad as world-readable - although in shared hosting it's practically the same.
There are ways to configure your webserver to run specific scripts under your
own user credentials instead of "nobody" or whatever generic user that they're
normally run as. This means that you would be able to access a file that is
readable by your user only, and inaccessible to other users.
To read the file, other users on the machine would have to break into your
account, either to read it directly, or to change the ownership on their own
scripts to run as you. This doesn't protect at all from abuse by root, but
works against other normal users.
Look up "suexec" and "cgiwrap". Since these generally run as CGI instead of
module you lose some performance, but you can localise the impact to just the
scripts that need it.
>If I use the regular login password as key (its
>stored as an MD5 hash so it has to be typed every time), users will lose
>all their passwords whenever they forget their login info.
Is that necessarily a bad thing?
If it is, I wonder if there's an approach you could use where the data is
encrypted against _two_ secret keys; the user's own login credentials, and an
administrator key that only you know, and don't store on the machine.
That way, if a user loses their password, you can do a password reset, decrypt
their data using your admin key, and re-encrypt it using their new password.
--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Navigation:
[Reply to this message]
|