Sufficient Encryption? Sep 24 2009 12:51PM Hart, Lee Anne (LeeAnne Hart montgomerycollege edu) (2 replies)
Hi,
I'm currently conducting a web application security assessment and would like this group's opinion on an encryption question. This particular application is a web portal and it "facilitates" authentication to other external web applications by storing the external web apps' passwords (stored in the Secret Store). To store these external passwords, the system encrypts the passwords with a key that is based on the user's system login password (currently there are no password restrictions, so the password can be weak). The Secret Store encryption employs 128-bit RC4 using an encryption key that is derived from the MD5 hash of the user's static ID and login password.
In your opinion, is this level of encryption sufficient? The web application and external web applications do store sensitive information about users; in this case they are students attending college.
Thank you!
Lee Anne
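The scheme described in the post, modelled as an added example (not the poster's or the portal's code) to show two of the weaknesses an assessor would flag: the key is a single unsalted, un-iterated MD5 of fixed inputs, so its strength is exactly that of the login password, and because RC4 is a stream cipher keyed once per user, every secret in the store is XORed with the same keystream, so knowing one stored password exposes the others. The concatenation order of ID and password and all sample values are assumptions constructed for the demonstration.

```python
import hashlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def derive_key(static_id: str, login_password: str) -> bytes:
    # MD5 over (ID || password) gives the 16-byte "128-bit" key.
    # Concatenation order is an assumption; the point holds regardless:
    # no salt and no iteration count, so a weak password means a weak key.
    return hashlib.md5((static_id + login_password).encode()).digest()

def encrypt_secret(key: bytes, plaintext: bytes) -> bytes:
    # Stream cipher under a fixed per-user key: every secret in the store
    # is XORed with the same keystream. Decryption is the same operation.
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))

def recover_from_reuse(ct_a: bytes, ct_b: bytes, known_pt_a: bytes) -> bytes:
    # ct_a ^ ct_b == pt_a ^ pt_b, so knowing pt_a (e.g. an assessor's own
    # test-account password) exposes pt_b without ever touching the key.
    n = min(len(ct_a), len(ct_b), len(known_pt_a))
    return xor_bytes(xor_bytes(ct_a[:n], ct_b[:n]), known_pt_a[:n])

def demo() -> dict:
    # Constructed sample values: one portal user with two external apps.
    key = derive_key("m12345678", "Winter09")
    library_pw, email_pw = b"LibraryPass!", b"Mail-pw-2009"
    ct_lib, ct_mail = encrypt_secret(key, library_pw), encrypt_secret(key, email_pw)
    return {
        "roundtrip_ok": encrypt_secret(key, ct_lib) == library_pw,
        "leaked_other_secret": recover_from_reuse(ct_lib, ct_mail, library_pw),
        "kdf_is_single_hash": key == hashlib.md5(b"m12345678Winter09").digest(),
    }
```

The fixes this points to are a slow, salted KDF (PBKDF2, scrypt or Argon2) over the login password and an authenticated cipher with a fresh random nonce per stored secret, so that two secrets under the same user key never share keystream.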