Hi Lee,

First, I assume we are discussing protecting the password just in case the Portal got hacked and the attacker gained access to the DB.

Second, this Portal acts like some sort of single sign-on to other web applications, where students do not have to enter passwords on each external application.

If this is the case, then the hashing algorithm will protect the password, but there is a risk of gaining access to external applications. The oldest trick is to replace students' passwords with previously known computed hashes.

The best way to protect this kind of application is to assign private keys to students (asymmetric algorithm) and use them to encrypt their external passwords using a symmetric algorithm, i.e. AES.

DokFLeed
----- Original Message -----
From: "Hart, Lee Anne" <LeeAnne.Hart (at) montgomerycollege (dot) edu [email concealed]>
To: <crypto (at) securityfocus (dot) com [email concealed]>
Sent: Thursday, September 24, 2009 4:51 PM
Subject: Sufficient Encryption?
Hi,

I'm currently conducting a web application security assessment and would like this group's opinion on an encryption question. This particular application is a web portal and it "facilitates" authentication to other external web applications by storing the external web apps' passwords (stored in the Secret Store). To store these external passwords, the system encrypts the passwords with a key that is based on the user's system login password (currently there are no password restrictions, so the password can be weak).

The Secret Store encryption employs 128-bit RC4 using an encryption key that is derived from the MD5 hash of the user's static ID and login password.

In your opinion, is this level of encryption sufficient? The web application and external web applications do store sensitive information about users, in this case students attending college.
Thank you!
Lee Anne