Looking for Suggestions on Creating Hash Key

J

jwwest

I'm building a CGI eCommerce store and I'm looking for ways to create
a decent 2 way encryption. Of course in a scripted language, I don't
want my key in the script itself, but would rather store it somewhere
obfuscated such as in a compiled C++ binary. (I know it doesn't help -
much-, but defense in layers)

A .NET programmer friend of mine uses a method that involves
generating a hash from the Volume ID of the hard drive to use as a
key. I like this approach, but my target platform is Linux which does
not have volume IDs (as far as I know).

Are there any freely available C++ libraries that provide hard drive
information such as cylinders, sectors, etc on which I can make a
string to base my hash? Has anyone done something like this before and
could share some tips?
 
P

ppi

I'm building a CGI eCommerce store and I'm looking for ways to create
a decent 2 way encryption. Of course in a scripted language, I don't
want my key in the script itself, but would rather store it somewhere
obfuscated such as in a compiled C++ binary. (I know it doesn't help -
much-, but defense in layers)

A .NET programmer friend of mine uses a method that involves
generating a hash from the Volume ID of the hard drive to use as a
key. I like this approach, but my target platform is Linux which does
not have volume IDs (as far as I know).

Are there any freely available C++ libraries that provide hard drive
information such as cylinders, sectors, etc on which I can make a
string to base my hash? Has anyone done something like this before and
could share some tips?

The real difficult part is not encryption: it's all the key management
thing - and the key selection is just a very small problem. Each time
I discuss with a client about encryption the first things I ask him
are:
- what are your keys used for e.g. confidentiality, authentication,
signature, non-repudiation ?
- do you have any legal requirements to, if one you your client come
with an encrypted document (random data stream), restore and verify
the content at any point later on (this is mostly done for non
repudiation) ?
- say you are working with visa or mastercard, did you check their
policies regarding security and encryption ? If you do not comply with
their requirements you may be in trouble when being audited by these
guys (and yes they do so if your business starts making real money)
- how long your keys are ? if you select big keys and use/select a
poor key ... Well maybe you should bot bother having so many big key
keys ...

Each of these question trigger answers that will dictate the key
policies: stored on disk, per session only etc.

For the volume ids etc. you want to check /proc and /sys on linux
systems for hardware ids/information. There are a bunch of them,
choose what you want from them, but as you said this quite bad.

Of course since your application may be restored in a different system
in cases of hardware crashes, you better make sure these keys are only
used for transient data i.e. you do not store any encrypted data on
disk using them ...

cheers,
-- paulo
 
J

jwwest

Of course since your application may be restored in a different system
in cases of hardware crashes, you better make sure these keys are only
used for transient data i.e. you do not store any encrypted data on
disk using them ...

That's the point of using a key based on hardware information. If, for
some reason the database and code was compromised (lost backup tape,
etc) it would be useless because the encryption algorithm depends on
the items being on a specific server. This would defeat individuals
restoring the database in a new environment. But yes, key management
would be a pain since I would need to have a copy of the key
available, and would need to decrypt/recrypt all entries in the
database in case of a hardware failure.

Thanks for the suggestion on /proc and /sys, I will check it out.

- James
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top