https://wiki.owasp.org/index.php?action=history&feed=atom&title=Talk%3ATop_10_2007-Insecure_Cryptographic_StorageTalk:Top 10 2007-Insecure Cryptographic Storage - Revision history2026-04-24T07:00:21ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Talk:Top_10_2007-Insecure_Cryptographic_Storage&diff=22014&oldid=prevByteme at 13:00, 29 September 20072007-09-29T13:00:32Z<p></p>
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 13:00, 29 September 2007</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In reference to the suggestion than you should "Generate keys offline and store private keys with extreme care." How would I be able to do this if each of my user's has his own account in my web site's database and they each need to access their account information from time to time. Each Record is encrypted/decrypted with a different key which is dynamically created when the account owner wants to access their account information. Also, even if I went ahead and created the key off-line, I still need to store the key someplace, lets say in a database. The key needs to be accessable whenever a user wants to access their account. I just made the key available to anyone that has the ability to get a copy of my database. Lets say I go ahead and encrypt that key, well I now have the same problem, the key I used to encrypt that key needs to be stored in the database, so I would have to encrypt that key too and it would be a never ending cycle of key encrypting.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In reference to the suggestion than you should "Generate keys offline and store private keys with extreme care." How would I be able to do this if each of my user's has his own account in my web site's database and they each need to access their account information from time to time. Each Record is encrypted/decrypted with a different key which is dynamically created when the account owner wants to access their account information. Also, even if I went ahead and created the key off-line, I still need to store the key someplace, lets say in a database. The key needs to be accessable whenever a user wants to access their account. I just made the key available to anyone that has the ability to get a copy of my database<ins class="diffchange diffchange-inline">(I'm referring mainly to hackers, although emoloyees can be a problem too)</ins>. Lets say I go ahead and encrypt that key, well I now have the same problem, the key I used to encrypt that key needs to be stored in the database, so I would have to encrypt that key too and it would be a never ending cycle of key encrypting.</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Is it an accepted practice to take pieces of data from fields(fields that won't change), that are not encrypted, from the user's account(their record in the DB) and transform that data into the key? The function that does this would have to be stored on the web server, and the file that the function is stored in could be pre-compiled, so if someone did manage to get a copy of that file, it would not be readable.</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>Is it an accepted practice to take pieces of data from fields(fields that won't change), that are not encrypted, from the user's account(their record in the DB) and transform that data into the key? The function that does this would have to be stored on the web server, and the file that the function is stored in could be pre-compiled, so if someone did manage to get a copy of that file, it would not be readable.</div></td></tr>
</table>Bytemehttps://wiki.owasp.org/index.php?title=Talk:Top_10_2007-Insecure_Cryptographic_Storage&diff=22013&oldid=prevByteme: How do you generate keys offline, and give people access to their encrypted account information?2007-09-29T12:12:04Z<p>How do you generate keys offline, and give people access to their encrypted account information?</p>
<p><b>New page</b></p><div>In reference to the suggestion than you should "Generate keys offline and store private keys with extreme care." How would I be able to do this if each of my user's has his own account in my web site's database and they each need to access their account information from time to time. Each Record is encrypted/decrypted with a different key which is dynamically created when the account owner wants to access their account information. Also, even if I went ahead and created the key off-line, I still need to store the key someplace, lets say in a database. The key needs to be accessable whenever a user wants to access their account. I just made the key available to anyone that has the ability to get a copy of my database. Lets say I go ahead and encrypt that key, well I now have the same problem, the key I used to encrypt that key needs to be stored in the database, so I would have to encrypt that key too and it would be a never ending cycle of key encrypting.<br />
<br />
Is it an accepted practice to take pieces of data from fields(fields that won't change), that are not encrypted, from the user's account(their record in the DB) and transform that data into the key? The function that does this would have to be stored on the web server, and the file that the function is stored in could be pre-compiled, so if someone did manage to get a copy of that file, it would not be readable.</div>Byteme