I agree, so long as the “one-way” hash is sufficient. If you need
credentials for authenticating with someone - it might not be. If you
“have to” store credentials, I do NOT recommend using the registry. You
can just as easily use a disk file and protect it with an ACL that denies
access to everyone but your service. Also, use Triple-DES or high
strength security and ideally roll the crypto-keys periodically (this
can be a problem if you are storing tons of passwords that you need to
re-encrypt when the key rolls). Rolling keys prevents replays of the
encrypted credentials. Another technique that should be used is
separation of a user’s name and password - or encryption of both. Folks
trying to steal credentials look for patterns - and once they find a
user’s name - they start looking nearby the encrypted password for that
user. If you have hundreds of users and passwords, it will take a hacker
time to figure out which encrypted string goes with which user.
If you are talking about temporary storage for credentials (in memory),
using a driver and Windows privileges is a good technique - since it is
much harder to hack the kernel address space. Just make sure that the
IPC you use to get the credentials is protected with a privilege check
or an access check. Also, you should still encrypt - even when storing
in kernel mode. You have to consider the possibility of a memory.dmp or
something that could be inspected.
/TomH
-----Original Message-----
From: xxxxx@des.co.uk [mailto:xxxxx@des.co.uk]
Sent: Friday, May 23, 2003 9:09 AM
To: File Systems Developers
Subject: [ntfsd] Re: Store passwords in SYS files
Hi,
I wouldn’t recommend storing the actual passwords anywhere! Highly
insecure!
I would recommend storing a hash of the password or something similar.
Regards
Ben Curley
Software Engineer
Data Encryption Systems Ltd.
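An added example, not part of the original thread or any poster's code: a Python sketch of two suggestions made above, storing a salted one-way hash instead of the password and keeping user names out of the store. The `index_key`, the in-memory `store` dict, the case-insensitive user names and the iteration count are assumptions; the key is assumed to be kept apart from the store, for instance in an ACL-protected file only the service can read.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def record_id(index_key: bytes, username: str) -> str:
    """Keyed lookup id, so the store never holds the user name in the clear."""
    # Assumption: user names are case-insensitive, as Windows account names are.
    name = username.lower().encode("utf-8")
    return hmac.new(index_key, name, hashlib.sha256).hexdigest()


def enroll(store: dict, index_key: bytes, username: str, password: str) -> None:
    """Store a per-user random salt and a PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    store[record_id(index_key, username)] = (salt, digest)


def verify(store: dict, index_key: bytes, username: str, password: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    entry = store.get(record_id(index_key, username))
    if entry is None:
        # Unknown user: still do the expensive work so timing does not reveal it.
        salt, expected = b"\0" * 16, b"\0" * 32
    else:
        salt, expected = entry
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return entry is not None and hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    key = os.urandom(32)   # constructed sample key; keep it apart from the store
    db = {}                # constructed sample store
    enroll(db, key, "Alice", "correct horse")
    print(verify(db, key, "alice", "correct horse"))  # correct password
    print(verify(db, key, "alice", "guess"))          # wrong password
    print(list(db))  # only keyed ids appear, no user names
```

This only fits the case where the application checks a password a user types in; it does not help when the stored credential must be replayed to another system, which is the case the first reply addresses.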
-----Original Message-----
From: Seshagiri Babu K V [mailto:xxxxx@sasken.com]
Sent: 23 May 2003 13:43
To: File Systems Developers
Subject: [ntfsd] Re: Store passwords in SYS files
Hi Rohit,
.sys also can be opened for editing… I guess it's your encryption algorithm
that gives security and not the location of the passwords… After all,
everything on the disk is accessible for a user with Admin account on a
system.
Giri.
Dear All,
I am developing a security/recovery software (in MFC, Visual C++ for
Windows 2000/XP/NT).
Presently I am storing password for opening my application in Registry
key.
=> i.e. HKEY_LOCAL_MACHINE\SOFTWARE\MyApplication\Settings.
But I feel that this key can easily be hacked. And anybody can easily
delete this key.
My question is:
- How can I change the security settings of my password registry key so
that any user may not be able to open or delete key?
- Are there any other secure methods to store the passwords? Can we store
password in .sys file which are always in memory???
Please give your useful suggestions.
Thanks in advance!
Rohit Dhamija
You are currently subscribed to ntfsd as: xxxxx@des.co.uk
To unsubscribe send a blank email to xxxxx@lists.osr.com