In the context of protecting our clients' data (and therefore our reputation in the maritime/supply chain security field), that was my concern.

Whether, once a Rev stack was built into a stand-alone application, it was possible to read the Rev scripts with another copy of Rev or some other utility (like I used to do with ResEdit under Mac OS < X).

If a hacker could read the scripts, they could see how the decryption of an encrypted value was accomplished in the front end and, by reproducing that process, decrypt and use the key in another client application (like pgAdmin) to create a non-authorised session to the back-end PostgreSQL database.

Following <STRONG> advice from list members I am not going to rely on encrypted storage of any type of key in the front end.

I am looking at hardware devices capable of storing a unique key.

I spotted iButtons recently (Java virtual machines in a chip) and note that one type of iButton stores a unique (factory set) 128-bit string. I could pre-program Rev to read that key from an iButton provided to the user (via a serial port iButton reader) and use that for the login to the database.

So while I realise the number could be read by someone with serial port monitoring software, they could not reproduce another iButton with the same key (as I believe there is only one iButton ever made with one key).

Although a user could try to authenticate more than one workstation with one iButton, the key would be stored in the session info and only become re-usable once the first session was ended.

The key would also only work with that client's installation of our product because the database accounts would be pre-configured to expect the key from the matching iButton/s. So a 10 user system would come with 10 iButtons and readers from us. (plus 10 U3 smart drives with the user software on board). The only problem I see now is... Will the user's PC have the available serial port for the iButton reader, or can Rev be made to read data from a USB reader (that is also available)?

Actually my dream device would be a USB device with a 256MB U3 drive, a GPS chip, a thumb print reader and an iButton reader all built-in. Then I could do four factor authentication with one piece of hardware. Dream on... :-)

Oh yes, I would then need Rev to read data from a USB port as well...

Regards

John T

Kay C Lan wrote:
Closer to the topic at hand. Somewhere earlier I noted someone mentioned storing 'valuable' data in custom props and then emptying the props on closeStack. With my insecure work with MySQL I follow a similar procedure, only after all transactions are complete do I clear the fields and custom props. If I start the stack and there is data in a field or custom prop then it indicates that something 'failed' during the process and so hopefully I can retrieve the data and complete the transaction without too much hassle. Conversely, if you are working with secure data I imagine a simple Save and 'Force Quit' followed by opening the stack in a text editor will reveal all the data in custom props - maybe not what you were hoping for.
_______________________________________________
use-revolution mailing list
use-revolution@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution