key storage

Ajay abra9823 at mail.usyd.edu.au
Thu Aug 26 22:11:19 EDT 2004


hi!

I have already read the paper and am following the hints mentioned in the
paper, and also work in the same area mentioned in a couple of reports from
the Open Web Application Security Project.
The MIT paper mentions including HMACs in the cookie and so on. The
question still is - how are the keys stored? HMACs require a key, as do
digital signatures. How are all these keys stored in a secure manner on
the server? Obviously they'd be encrypted, but then the key used for
encrypting the above key - how is that stored?
If you have implemented the system... can I ask you how you stored the keys?

cheers


Quoting "Eric S. Johansson" <esj at harvee.org>:

> Ajay wrote:
>
> > Hi!
> > I am building a web application. For client authentication, I am using
> > cookies which include the HMAC of the data.
> > The server also has a public/private key pair for signing and verifying
> > information.
>
> Start here.  This is a really good site for Web based authentication
> techniques.  I've implemented the system and you are more than welcome
> to the code.  It may need some disentangling from my CGI/form
> support/template environment but don't say you weren't warned.  ;-)
>
> http://cookies.lcs.mit.edu/pubs/webauth.html
>
> let me know if I can help
>
> --- eric
>


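The thread leaves the key-storage question open. As an added illustration (not code from the thread, the MIT webauth paper, or Eric's implementation), the following shows one common arrangement: the HMAC key lives in a file readable only by the service account, the application refuses to start if the file is group- or world-readable, and cookies carry an HMAC-SHA256 tag checked with a constant-time comparison. The key file path under the temp directory is an assumption chosen so the snippet runs anywhere.

```python
import base64
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from pathlib import Path

# Constructed example: the key file location is an assumption, not from the thread.
KEY_PATH = Path(tempfile.gettempdir()) / "webauth_hmac_example.key"

def load_or_create_key(path=KEY_PATH):
    """Return the 256-bit HMAC key, creating it once with mode 0600.
    The top-level key is protected by the OS, not by another key: only the
    service account can read the file, and loose permissions are rejected."""
    if not path.exists():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(secrets.token_bytes(32))
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        raise PermissionError(f"{path} must not be group/world readable")
    return path.read_bytes()

def make_cookie(key, user, expires):
    """Build 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    payload = f"{user}|{expires}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(x).decode() for x in (payload, tag))

def verify_cookie(key, cookie, now):
    """Return the user name if the tag is valid and the cookie is unexpired, else None."""
    try:
        p64, t64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        user, expires = payload.decode().split("|")
        expires = int(expires)
    except ValueError:  # malformed cookie, bad base64, or bad payload layout
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information about the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    return user if expires >= now else None
```

Rotating the key invalidates every outstanding cookie, which is the intended effect if the file is ever exposed.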


