On Tue, Jun 7, 2011 at 3:21 PM, Eric S. Eberhard <fl...@vicsmba.com> wrote:
> I would point out in that last approach -- encrypting and sending unsecured
> (which is a good idea in many cases) does have a few considerations.  If the
> data is sensitive (like magnetic strip data from a credit card) this is
> completely NOT ALLOWED.  PCI and PA-DSS won't allow it to hit the disk.  If
> you do hit the disk and you care about security on either end, you also need
> a secure delete program.  Simply deleting a file does not remove the data
> from the disk.  It takes about 5 lines of C to make a secure delete which if
> anyone likes I can give them.
Are you sure that it's 5 lines? iPhone/iPad/iTouch puts my stomach in a
knot due to lack of true background processing. Reliably Erasing Data
From Flash-Based Solid State Drives,
www.usenix.org/events/fast11/tech/full_papers/Wei.pdf.

Jeff

>
> At 08:44 PM 6/6/2011, Dave Thompson wrote:
>>
>> > From: owner-openssl-us...@openssl.org On Behalf Of greenelephant
>> > Sent: Sunday, 05 June, 2011 05:20
>>
>> > Thanks for the reply Dave. I am grateful for your advice. I
>> > am a novice as you have probably gathered.
>> > If I am not wrong in my judgement you seem to have some expertise on
>> > cryptology.
>>
>> Some, not a whole lot.
>>
>> > I have stated SSL in my first post that I would like help
>> > with as you know.
>> > But with your expertise is there a better solution to use
>> > except SSL in
>> > terms of security using openssl?
>>
>> SSL/TLS (preferably the newest version supported, today
>> usually TLS 1.1 or maybe 1.2) is a good general solution
>> for security of Internet endpoint communication
>> (particularly, but not only, web traffic using HTTPS).
>> OpenSSL is a good implementation of SSL/TLS, plus some
>> related (crypto) functionality, but not the only one;
>> any other conforming and well-tested implementation
>> available to you should be fine. For example, Java
>> includes its own SSL/TLS implementation (for Java),
>> and I understand dot-NET does (for C#, VB, etc.)
>>
>> There are other protocols that may be better in specific
>> situations (e.g. SSH as below) or necessary (e.g. IPsec
>> and DNSsec are done at a level below where SSL can work).
>>
>> > Also is SSL an ideal security solution for secured FTP
>> > transmissions using
>> > the openssl module to enable me to subvert any efforts to
>> > sabotage or breach
>> > security perpetrated by intruders or hackers using the
>> > methods of attacks
>> > (side channeling for instance) previously mentioned?
>>
>> FTP over SSL (FTPS) is a secure means of file transfer,
>> if supported by both your server(s) and your client(s),
>> which in my experience is not very common. When it is
>> supported, the server and client code determines what
>> module is used; it might be OpenSSL or something else.
>>
>> Another good and in my experience more common method
>> of securing file transfer is SFTP, part of the SSH
>> protocol suite. The crypto used in SSH is generally
>> similar (though not identical) to SSL/TLS, and in fact
>> the most widespread implementation OpenSSH uses libcrypto
>> from OpenSSL, but the trust model is different (simpler).
>> Instead of creating and verifying certificates, SSH
>> requires you to manually verify a key fingerprint on
>> the first connection between a given client and server
>> (or else manually pre-transfer the encoded publickey).
>> This isn't very good for communications with strangers
>> (like sites you found on Google), but works okay for
>> people that already have some contact (like your friends,
>> customers of your company, etc).
>>
>> Another approach is to secure the files themselves,
>> rather than just the transfer. That is, encrypt and
>> perhaps sign the files when (or before) they are
>> placed on the sending system(s), transfer them
>> using plain FTP or HTTP or other, and decrypt and
>> perhaps verify them on the receiving system(s).
>>
>> [SNIP]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
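
The overwrite-then-delete idea discussed in the thread, written out as an added example; it is not code from any participant, and the function names overwrite_file and secure_delete are hypothetical. It assumes a POSIX system, a regular file, and a filesystem that rewrites blocks in place; on flash/SSD media and on journaling or copy-on-write filesystems the old blocks can survive an in-place overwrite, which is the subject of the USENIX paper cited above.

```c
/* Added example: overwrite-then-unlink for a regular file (POSIX). */
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Overwrite every byte of an existing regular file with zeros, in place,
 * and flush the result to the device. Returns 0 on success, -1 on error. */
int overwrite_file(const char *path)
{
    static const unsigned char zeros[4096];   /* zero-initialised buffer */
    struct stat st;
    int fd = open(path, O_WRONLY);            /* no O_TRUNC: keep the same blocks */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    off_t left = st.st_size;
    while (left > 0) {                        /* loop handles short writes */
        size_t chunk = left < (off_t)sizeof zeros ? (size_t)left : sizeof zeros;
        ssize_t n = write(fd, zeros, chunk);
        if (n <= 0) {                         /* error or no progress */
            close(fd);
            return -1;
        }
        left -= n;
    }
    /* Without fsync the zeros may still be in the page cache at unlink time. */
    if (fsync(fd) < 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Overwrite the contents, then remove the directory entry. */
int secure_delete(const char *path)
{
    if (overwrite_file(path) < 0)
        return -1;                            /* leave the file for the caller */
    return unlink(path);
}
```

Copies of the data held elsewhere (swap, temporary files, backups, filesystem snapshots) are not touched by this routine.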
