The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Process Security

I have a gig to develop a system that will be your standard web app backed by a database, with a wrinkle: some of the data in the database has to be encrypted because it triggers privacy regulations, and the system has to be hosted by a third party for accessibility reasons.

I've worked out a system where the key that encrypts the data is stored in an encrypted form, unlocked by a user's password--meaning that the key itself is not stored on disk except in an encrypted form.  Once the key is decrypted by a user, the key is then available in the process's memory space, though--while the user's session is active, the key is just sitting their in the JVM's virtual memory.

How much and what kind of a security risk is that, if the person against whom you're protecting the data is the system's administrator?  Can you take a core dump of a JVM while the user's session is active and find the key?  What options exist to protect something that lives only in RAM?
WebDev Send private email
Sunday, August 17, 2008
The solution that springs to mind is to do all the encryption and decryption on the client.

The server admin could still get at the data if they really wanted to, although not transparently - for example by adding some JavaScript to send back the users password (and / or the decrypted data) to the server.

Fixing that loophole isn't easy - you'd need a custom client that isn't a web browser.
Monday, August 18, 2008
If you don't own the server, you don't have security.
Stop trying to work around this.
Monday, August 18, 2008
"If you don't own the server, you don't have security."

This is a dogmatic point that's overbroad.  Yahoo hosted stores for lots of businesses.  Are you saying they had zero security?

Safe manufacturers don't rate their safes as secure or not, they rate them as resistant to attack X for Y hours by someone with Z tools.  All security is relative to the attacks against which you choose to protect yourself, and the risks you're willing to bear.

In the case of this system, the risk of deliberate, skilled attack to steal the data is virtually nil because the data is small and irrelevant outside of a non-commercial specialty field, and has zero commercial value.  Any member of the field can have access to aggregated/anonymized data just by asking, and there's no benefit to having the private data.  The attack I'm worried about is casual access by a privileged user of the third party--some bored sysadmin pawing through the database.
WebDev Send private email
Monday, August 18, 2008
The basic assumption in security theory is the integrity of a security principal. in your case, you do not trust either client or server, and both can be compromised. In your case, you won't have security.

The server can be compromised - an admin can log the traffic, retrieve the encrpted database fields and modify the record. On the client side, an admin can log the virtual memory of your process - how can you get security?

The yahoo case you talked is about security over a non-secure media. You still have to trust yahoo not to view/modify your database, and not to alter communication packets. This might not be true in real scenario.
Tuesday, August 19, 2008
Quote 1: "some of the data in the database has to be encrypted because it triggers privacy regulations,"

Quote 2: "the data is small and irrelevant outside of a non-commercial specialty field, and has zero commercial value."

One is true the other is not.
Tuesday, August 19, 2008
...and if DTrace is available to that privileged user, it's  game-over no matter what you do.
Tuesday, August 19, 2008
You cannot hide anything from the administrator on his own computer.
AqD Send private email
Thursday, August 21, 2008
Sure you can: you encrypt on your system, send the encrypted data to their system, then read it back and decrypt it. They never have the keys, so for all practical purposes they never have access to the data. (Void where the NSA is involved.  ;)

Oh, and I'ld love to see these laws that require encryption yet the only possible attack worth considering is a bored system admin wanting to look at secret data that has no actual value.

If it's like most privacy laws, the fact that it has to be secret doesn't mean it has to be encrypted (though that might be a good idea) and a "bored system admin" would be breaking the laws and thus all the convoluted song and dance isn't likely to be necessary.

But if the laws are weird and specific, you have to tell us the details before we can answer.

Thursday, August 21, 2008

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
Powered by FogBugz