MYSQL and PHP

Thread: MYSQL and PHP

Search this list only Search all lists
MYSQL and PHP
	2006-05-16 18:05:28
Absolutely - if all you do is store the passwords in a file and then need a key to decrypt the file you have to figure out what to do with that key. There is no such thing as a security system that is both useful and impenetrable. Often our job as security professionals is to "raise the bar" on security to make systems hard enough to penetrate that system compromise becomes a manageable risk. Thus, encrypting that file and managing the keys carefully raises the bar. There are a variety of key management strategies; some of them are pretty complicated. The more diligent you get with key management the more complex your software may become. One PHP app I seen a while back had a username and password in the PHP source much like that shown in the original post here. However, that username and password only had SELECT access on a table that was used to validate the user's credentials and one other table that held additional database access information. Not a perfect solution, but raises the bar a bit. Another solution I've seen is to store the keys on another system, typically behind another firewall. When the application starts, it would have to make a connection to the key server, authenticate in some manner, and retrieve the key. If the hacker roots the box, it is only a matter of time until he can figure this all out, but slowing down the hacker is the whole idea. Gerald Quakenbush Author of 'Web Hacker Boot Camp' http://www.quakenbush.com Robin Wood (dninjagmail.com) wrote: > > On 5/16/06, Gerald Quakenbush <geraldqmastermindsecuritygroup.com> wrote: > > John - > > > > Of course, one should also get the code updated and have it read and encrypted > > file and decrypt the credentials. > > > > > > Gerald Quakenbush > > Author of 'Web Hacker Boot Camp' > > http://www.quakenbush.com > > > > Doesn't this give you a chicken and egg situation of where do you > store the key for the encrypted file? > ------------------------------------------------------------ ------------- Sponsored by: Watchfire Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today! https://www.watchfire.com/securearea/apps cansix.aspx?id=701300000007t9c ------------------------------------------------------------ --------------

[1]

about | contact Other archives ( Real Estate discussion Medical topics )