[Dshield] password security
Stephane Grobety
security at admin.fulgan.com
Fri Feb 6 07:30:14 GMT 2009
Hello,
That is putting too much value in an analogy. If you protect something
that has value, you must also make sure that your protection mechanism
will not lock you out.
In case of software lock, the solution is easy: put a backup of the
key in a place where it is safe, difficult to access and where breach
will be quickly detected. A bank vault is a good example of such a
place.
That's also why you should use "multiple stage" encryption when
designing such systems: encrypt the data with a random key and encrypt
that key with a password. You then keep the encrypted version of the
key around (that you can unlock with your password) and the cleartext
version in the vault, in case you need it later.
That way, you can even change the password without affecting either
the backup key or requiring your data to be re-encrypted.
As for the part about "hacking and anti-hacking algorithm", I have no
clue what you're talking about. Should I drink a couple of beers and
try again? ;)
Stephane
Friday, February 6, 2009, 2:56:59 AM, you wrote:
DDC> I view encryption as the "locking the keys in the safe", approach to
DDC> security. If you lose the key to the safe, or the lock is broken,
DDC> you've locked all that information in with no way to get it out. From
DDC> what I'm seeing, new attacks are forming to break the locks (and keys)
DDC> in encryption. My approach is from my background in cybernetics. 1st)
DDC> understand the psychology of the average hacker; 2nd) understand the
DDC> psychology of camouflage; 3rd) develop a security protocol incorporating
DDC> both. Basically, if there is a hacking algorithm, then there is an
DDC> anti-hacking algorithm.
DDC> David Brodbeck wrote:
>> Personally, I favor putting the password file on an encrypted
>> filesystem, or encrypting it with GPG or a similar tool. This way I
>> can pick one secure passphrase to remember instead of having to
>> remember several. There are ways for an attacker to get around this,
>> too, of course, but for me it lowers the risk to an acceptable level.
>>
>> On Feb 5, 2009, at 1:24 PM, Dr. Daniel Carras wrote:
>>
>>> Understanding (even
>>> briefly) how code is written and what they look for, you can create a
>>> password file on your system, that would not ordinarily be looked for.
>>> It is here you place your rarely used password. You may also wish to look
>>> into the history of camouflage. This is what you want to do on your
>>> system, create a camouflaged password file that hackers will not see.
>>
>> _______________________________________________
>> Dshield mailing list
>> Dshield at lists.sans.org
>> To change your subscription options (or unsubscribe), see: https://lists.sans.org/mailman/listinfo/list
--
Best regards,
Stephane mailto:security at admin.fulgan.com
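The two-stage scheme Stephane describes above (random data key, wrapped by a password-derived key, with a cleartext copy of the data key escrowed in the vault), as an added example that is not part of the original mail. The symmetric cipher here is a constructed HMAC-SHA256 keystream-plus-tag stand-in so the code runs on the Python standard library alone; a real deployment would use an AEAD such as AES-GCM in its place. All function names and the 200,000-iteration PBKDF2 choice are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a real AEAD: CTR-style keystream from HMAC-SHA256
# plus an HMAC tag over nonce||ciphertext. Layout: nonce(16) || ct || tag(32).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong key or tampered data
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def kek_from_password(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the password; iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def protect(data: bytes, password: str):
    """Stage 1: random DEK encrypts the data. Stage 2: password-derived KEK wraps the DEK.
    Returns (ciphertext, wrapped_dek_record, escrow_dek); escrow_dek is what goes in the vault."""
    dek = secrets.token_bytes(32)
    ciphertext = seal(dek, data)
    salt = secrets.token_bytes(16)
    wrapped = {"salt": salt, "wrapped_dek": seal(kek_from_password(password, salt), dek)}
    return ciphertext, wrapped, dek

def unlock_dek(wrapped: dict, password: str) -> bytes:
    # Recovers the cleartext DEK from its password-wrapped copy.
    return open_(kek_from_password(password, wrapped["salt"]), wrapped["wrapped_dek"])

def change_password(wrapped: dict, old_password: str, new_password: str) -> dict:
    """Re-wraps the DEK only: the data ciphertext and the escrowed DEK stay untouched."""
    dek = unlock_dek(wrapped, old_password)
    salt = secrets.token_bytes(16)
    return {"salt": salt, "wrapped_dek": seal(kek_from_password(new_password, salt), dek)}
```

Recovery from the vault is simply `open_(escrow_dek, ciphertext)`, which is why a lost password never locks the data in.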