I am doing a project on developing a one time password system. In that, I have to encrypt a counter value and secret key together by HMAC SHA 1 algorithm. But the counter value and key need to be stored very safely on the server. Is there anyway by which a value can be stored on a system with no security vulnerability at all? Which is the safest method?
crisabraham 0 Newbie Poster
JamesCherrill 4,733 Most Valuable Poster Team Colleague Featured Poster
There's no such thing as "no security vulnerability at all", so you have to ask "what do I want to protect against?" (eg unauthorised access, denial of service), and "how far do I need to go?" (eg good enough top prevent casual access, secure against the DHS's best efforts).
If you have encrypted the counter and key using SHA1 and a key only you know, you should be safe against realistic threats of unauthorised access. If you need security against denial of service attacks (eg someone deleting your encrypted data) the you probably need to replicate the data across a number of servers with different access requirements.
crisabraham 0 Newbie Poster
but what I was wondering was, where do I store the key after encrypting the counter and key? The key should be accessible each time I use these two. Can you suggest a way of secure storage? This is a completely foreign territory for me. I was just guessing that there would be a distinct and very very secure way of storing a key.
JamesCherrill 4,733 Most Valuable Poster Team Colleague Featured Poster
OK, I see. I think that's a real problem. Either you encrypt it - in which case you need to store that encryption key etc ad infinitum - or you rely on access control methods such as username & password - which has to be stored somewhere...
I guess the usual solution is to store at least part of the initial key/password in a human's head and/or a independent piece of hardware like a smartcard.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.