Mario,

You may be interested in http://jcetaglib.sourceforge.net/ -- a set of JSP tags for basic crypto functions.

Could you summarize the other replies you received? I'd like to have a set of best practices in this area.

I've been thinking about a scheme where an administrator has to enter a password for a master key when the web server starts up. That key would only reside in memory and would be difficult for an attacker to get to. Then you've got a secret that can be used to encrypt and decrypt other keys and passwords as necessary. Thoughts?

Thanks,

--Jeff

Jeff Williams
Aspect Security, Inc.
Securing the Last Mile of the Internet
www.aspectsecurity.com
Jeff.Williamsat_private

----- Original Message -----
From: "Mario Torre" <neugensat_private>
To: <secprogat_private>
Sent: Thursday, August 22, 2002 5:49 PM
Subject: Re: Encryption approach to secure web applications

Hi,

Thank you for the useful replies. I have found some interesting tutorials in the IBM developer connection:
https://www6.software.ibm.com/developerworks/education/j-sec1
and
https://www6.software.ibm.com/developerworks/education/j-sec2
Registration is needed.

I will post the same message on the Web Application Security list, as suggested by someone.

For now, I think I will use MD5 for password checking (I will use the approach described in the Secure Programming for Linux and Unix HOWTO). I will separate the authentication module, so I can change its implementation at any time.

Thank you again!

Mario Torre
--
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
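One way to build the startup master-key scheme Jeff describes, as an added example in Java (not code from either poster or from jcetaglib): the admin passphrase is stretched with PBKDF2 into an AES key that exists only in memory, and that key wraps the application's other secrets with AES-GCM. The class name, iteration count and sample values are assumptions; it needs a JDK that provides PBKDF2WithHmacSHA256 and AES-256.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

/** Hypothetical holder for the startup master key; the key exists only in this object's memory. */
public final class MasterKeyHolder {
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final int PBKDF2_ITERATIONS = 600_000; // tune so derivation takes ~0.1-1 s at startup
    private final SecretKey masterKey;
    private final SecureRandom rng = new SecureRandom();

    /** Derive the master key from the admin passphrase plus a salt stored on disk beside the wrapped secrets. */
    public MasterKeyHolder(char[] passphrase, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        masterKey = new SecretKeySpec(raw, "AES");
        Arrays.fill(raw, (byte) 0);      // scrub the intermediate copy of the key material
        spec.clearPassword();
        Arrays.fill(passphrase, '\0');   // the passphrase is no longer needed once the key is derived
    }

    /** Wrap a data key or password with AES-GCM under the master key; output is iv || ciphertext || tag. */
    public byte[] wrap(byte[] secret) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        rng.nextBytes(iv);               // fresh random nonce per wrap; a nonce must never repeat under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, masterKey, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(secret);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    /** Unwrap; AES-GCM throws AEADBadTagException if the blob was altered or the passphrase was wrong. */
    public byte[] unwrap(byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        GCMParameterSpec params = new GCMParameterSpec(GCM_TAG_BITS, Arrays.copyOf(blob, GCM_IV_BYTES));
        c.init(Cipher.DECRYPT_MODE, masterKey, params);
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16]; new SecureRandom().nextBytes(salt);  // constructed demo salt; persist it in real use
        MasterKeyHolder holder = new MasterKeyHolder("demo passphrase".toCharArray(), salt);
        byte[] dbPassword = "constructed-db-password".getBytes("UTF-8");
        byte[] blob = holder.wrap(dbPassword);                            // store blob on disk, never the plaintext
        System.out.println(Arrays.equals(dbPassword, holder.unwrap(blob)));
    }
}
```

Persist the salt and the wrapped blobs on disk; the master key is still present in the running process, so this protects secrets at rest and in backups rather than against someone who can already read the server's memory.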
This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 09:57:04 PDT