| Subject | Re: [IB-Architect] Re: Nailing down the external file problem. |
|---|---|
| Author | Mauricio Longo |
| Post date | 2001-01-10T11:42:48Z |
Hi,
chalenges from your childhood to see if it's really her and not an
impersonator. :-)
key on the server. Considering that no system is safe, Phil Zimmerman
(creator of PGP), repeatedly points out in his PGP documentation that you
are responsible for the safety of your computer. PGP trusts that the system
is free of virus and trojans and so makes
no effort to defend itself from these aggressors.
I've been working in a PKI related project for over 3 years now. Only
recently I've come to understand that you are never paranoid enough to stop
everyone and that there is a point where you might actualy stop yourself and
your system with too much security complexity without actually achieving
your goal of stopping invasion.
path. This would, also, vault InterBase right to the top of the stack of
dabase servers, where PKI enabled solutions are required. It seems that
Oracle started down this path but in a road full of bumps. (I've heard
several serious security problems related, including one where you are
allowed to upload Java code that will have complete access to the data in
the database and can so return such data to you, even though you do not
access previleges to that data.
symmetric algorithms. I've heard that there are known attacks that can be
used in most variants of DES, including 3DES, that significantly reduce the
work involved in a brute force attack, while no such attacks have been
discovered for Blowfish (TwoFish is after all younger, but also with no
known vulnerabilities.)
from an authority such as Verisign. I believe however that you should be
able to create your own CA and sign your own certificates without having to
pay for it.
associate InterBase with a technology that considered "state of the art" at
this time. Even though I know from direct experience that many offerings in
the PKI market are riddled with holes.
client and server which would be a very nice marketing touch too. After
all, people need good reasons to move from other DBs to InterBase and a free
DB that offers better support for market standards is a very atractive
alternative, from my point of view.
3 months by a person working on it on his spare time.
Imagine how incorrectly safe the users of such solution must feel...
Best regards,
Mauricio Longo
> Hi Jim et al.Nowadays, before you give your mother a kiss you have to present her a few
>
> --- In IB-Architect@egroups.com, Jim Starkey <jas@n...> wrote:
>
> >
> > Virtually everything about ISC4.GDB is flawed -- the concept, the
> > design, and the implementation. An example of the bad thinking
> > is the idea of client side encryption of passwords. They were
> > obviously worried about someone sniffing the packets and discovering
> > the password. So they sent the encrypted password. What didn't
> > occur them was that an intercepted encrypted password was just
> > as good as an unencrypted password. Either will give you access.
> >
>
> Yes this particularly points to not really understanding it. It
> implies trust in all possible client processes by the server. Not
> really acceptable nowadays.
>
>
chalenges from your childhood to see if it's really her and not an
impersonator. :-)
> > >AFAIK any further security will require some form of encryption,I'd leave open an alternative that is not too complex to store the private
> and
> > >the only way this would be properly secure is if the key was
> provided
> > >manually every time the server restarts - which is rather
> impractical
> > >for a database distributed to many customers that dont know the
> key.
> > >(And there are existing solutions to support the manually entered
> key
> > >scenario.)
> >
>
> This is basically the case in most server environments, that run
> unattended. The private key sits somewhere or the password to acess
> the encrypted key does (host name or something). If you are serious
> then you have hardware boards where the private key never leaves it.
>
> It is important the realise that if the server is compromised then the
> local programs can be manipulated and then basically you are stuffed
> (Ok there are some cases with hardward crypto and both client and
> server certificates...).
>
>
key on the server. Considering that no system is safe, Phil Zimmerman
(creator of PGP), repeatedly points out in his PGP documentation that you
are responsible for the safety of your computer. PGP trusts that the system
is free of virus and trojans and so makes
no effort to defend itself from these aggressors.
I've been working in a PKI related project for over 3 years now. Only
recently I've come to understand that you are never paranoid enough to stop
everyone and that there is a point where you might actualy stop yourself and
your system with too much security complexity without actually achieving
your goal of stopping invasion.
> > Not so. Here is a simple scheme that works:A complete PKI solution is cartainly the way to go, once you start down this
> >
>
> I know you said simple, but it's basically points the right way to go,
> so here are my comments on what can be added (Im going for a complete
> PKI solution with a CA not just generate a RSA keypair on the fly):
>
path. This would, also, vault InterBase right to the top of the stack of
dabase servers, where PKI enabled solutions are required. It seems that
Oracle started down this path but in a road full of bumps. (I've heard
several serious security problems related, including one where you are
allowed to upload Java code that will have complete access to the data in
the database and can so return such data to you, even though you do not
access previleges to that data.
> > 1. Server generates a public key encyption key pair at startupFrom what I've heard Blowfish or TwoFish might be better options of
> > time.
>
> Server generates install or at user discression a root CA certificate.
> The Ca cert private key is held encrypted (usually 3DES) and requires
> a user entered password to be used.
>
symmetric algorithms. I've heard that there are known attacks that can be
used in most variants of DES, including 3DES, that significantly reduce the
work involved in a brute force attack, while no such attacks have been
discovered for Blowfish (TwoFish is after all younger, but also with no
known vulnerabilities.)
> A server certificate and private key is generated, the server privateSpecially if it is possible, but not required that you use a certificate
> key is stored on disk accessible only to the server process, perhaps
> encrypted with a local password.
>
> Having a PKI CA structure leaves open the option then that the client
> can authenticate that the server is valid (handy across the internet).
> And the possibility of generating client certificates at some stage as
> well which is a bit tougher login process than just a password and is
> also useful.
>
>
from an authority such as Verisign. I believe however that you should be
able to create your own CA and sign your own certificates without having to
pay for it.
>One cheap alternative hardware nowadays is the mini-key.
> Usually the private key is stored in 3DES encrypted format on the
> server somewhere (or in a smartcard). the password needs to be stored
> somewhere, but there is an assumption that the server box is secure,
> since if that fails, then someone could knock off the server process
> anyway and replace it.
>
> I think the PKI works well, since it would allow the client toCouldn't agree more. It would also be very good marketing-wise. It would
> authenticate the server avoiding man in the middle, attacks.
>
associate InterBase with a technology that considered "state of the art" at
this time. Even though I know from direct experience that many offerings in
the PKI market are riddled with holes.
> Also it is fairly easy to extend the above into an true SSL session,Very good addition, SSL would give us standards complient encryption between
> if the client has a certificate generated by the same CA. The
> possibility of sharing the CA amongst several servers is also
> possible.
>
>
client and server which would be a very nice marketing touch too. After
all, people need good reasons to move from other DBs to InterBase and a free
DB that offers better support for market standards is a very atractive
alternative, from my point of view.
>I've watched a commercial PKI solution be torn to pieces over the period of
> Because if you are deluded into thinking you have a secure system,
> that probably places you in a worse position than having an insecure
> system in the first place.
>
>
3 months by a person working on it on his spare time.
Imagine how incorrectly safe the users of such solution must feel...
Best regards,
Mauricio Longo