Hmm, 

maybe I should bring in some more details...

It's an NT4 share, and more than 1 user should be able to see it (3).

And err.. I do realize, but I just started working here, so blame them :)

Joost

-----Original Message-----
From: Jean-François Asselin [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 19 September 2001 15:21
To: Joost De Cock; [EMAIL PROTECTED]
Subject: RE: Decryption on the fly


Do you realize how insecure this is? If I came in right after one of the
admins had looked at the database, I could simply use off-the-shelf
undelete software and get full access?

That said, one solution might be to use Windows 2000's built-in EFS
encryption. I haven't managed to bypass it yet myself, nor have I heard
about anyone who has. It's on-the-fly, transparent, and secure.

> -----Original Message-----
> From: Joost De Cock [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, September 18, 2001 4:25 AM
> To: [EMAIL PROTECTED]
> Subject: Decryption on the fly
> 
> 
> 
> Hello all, 
> 
> 
> in my company, we have a database that contains all passwords 
> to servers, apps,... you name it. It sits on a network drive 
> with very limited NTFS permissions, and it's encrypted (PHP).
> 
> The way we do it now is this:
> 
> We decrypt the database (it's only to be decrypted by the 
> secadmins' (3) private keys), we read it, and then we remove 
> the decrypted copy. 
> Needless to say that even secadmins forget to remove the 
> decrypted copy every now and then.
> 
> Is there a way to decrypt it on the fly, so that no copy is 
> stored on the disk (I guess only in RAM) that provides the 
> same possibility to limit access to certain private keys? 
> Would that maybe involve writing an interface to do the job 
> (eg a php page that can run a query on the database) or is 
> there an off-the-shelf solution to this?
> 
> I'd be pleased to hear your ideas about this.
> 
> Kind regards,
> 
> Joost De Cock
> ASTRID NV
> Security Administrator
> 
> 
> **********************************************************************
> The information in this mail is confidential and is intended 
> solely for the addressee(s). Access to this email by anyone 
> else is unauthorised. If you are not an intended recipient, 
> you must not read, use or disseminate the 
> information contained in the email.
> **********************************************************************
> 


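The thread asks for a way to read the encrypted password database without ever producing a decrypted copy on the share, while still limiting who can open it. The script below is an added illustration of that pattern and is not code from the thread, from ASTRID, or from the PHP tool the original mail mentions. It uses only the Python standard library: a single random data key encrypts the database body, that data key is wrapped once per admin under a key derived from the admin's passphrase (a stand-in for the per-admin private keys the mail describes), and the store is a single JSON blob, the only thing that would ever be written to the NT4 share. Opening the store decrypts into a RAM buffer, queries run against that buffer, and the buffer is zeroed afterwards. The cipher (HMAC-SHA256 in counter mode plus an HMAC tag) is a stdlib stand-in for the unspecified PHP encryption, chosen so the example runs without third-party packages; the admin names, passphrases, host names and credentials are all constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000  # PBKDF2 work factor for the passphrase-derived admin keys


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from one secret."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a fresh nonce; returns a JSON-serialisable box."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def _decrypt(key: bytes, box: dict) -> bytes:
    """Verify the tag first, then decrypt; a wrong key or edited store is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("integrity check failed: wrong key or tampered store")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _admin_key(passphrase: str, salt: bytes) -> bytes:
    """Per-admin key; stands in for the private keys the thread mentions (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS)


def seal_store(plaintext: bytes, admins: dict) -> bytes:
    """Build the encrypted store: body under a data key, data key wrapped per admin."""
    data_key = secrets.token_bytes(32)
    wrapped = {}
    for name, passphrase in admins.items():
        salt = secrets.token_bytes(16)
        wrapped[name] = {"salt": salt.hex(), **_encrypt(_admin_key(passphrase, salt), data_key)}
    store = {"admins": wrapped, "body": _encrypt(data_key, plaintext)}
    return json.dumps(store).encode()  # this blob is all that ever touches the disk


def open_store(blob: bytes, admin: str, passphrase: str) -> bytearray:
    """Unwrap the data key with one admin's credential and decrypt the body into RAM only."""
    store = json.loads(blob)
    if admin not in store["admins"]:
        raise PermissionError(f"{admin} holds no key for this store")
    entry = store["admins"][admin]
    data_key = _decrypt(_admin_key(passphrase, bytes.fromhex(entry["salt"])), entry)
    return bytearray(_decrypt(data_key, store["body"]))


def lookup(plaintext: bytearray, needle: str) -> list:
    """Case-insensitive search over the in-memory database, one entry per line."""
    return [line for line in plaintext.decode().splitlines() if needle.lower() in line.lower()]


def wipe(buf: bytearray) -> None:
    """Best-effort zeroing of the decrypted buffer once the admin is done with it."""
    for i in range(len(buf)):
        buf[i] = 0


if __name__ == "__main__":
    # Constructed sample database; none of these hosts or credentials are real.
    sample = (b"db01.example.test: root / pw-constructed-1\n"
              b"mail01.example.test: admin / pw-constructed-2\n")
    blob = seal_store(sample, {"alice": "alice-passphrase", "bob": "bob-passphrase"})
    plaintext = open_store(blob, "bob", "bob-passphrase")
    print(lookup(plaintext, "mail01"))
    wipe(plaintext)
```

The property that matters for the undelete scenario raised in the reply is that no plaintext file is ever created, so there is nothing for undelete tools to recover from the share. Zeroing the buffer is only best effort in Python (the `str` produced by `decode()` and any swap-out are outside the script's control), so this complements rather than replaces volume-level protection such as the EFS suggestion above.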
