Internal security of Rev? Hardware for storing passphrases or keys?

John Tregea john at debraneys.com
Tue Jul 18 00:00:59 EDT 2006 

In the context of protecting our clients data (and therefore our 
reputation in the maritime/supply chain security field), that was my 
concern.

Whether, once a rev stack was built into a stand-alone application, was 
it possible to read the rev scripts with another copy of Rev or some 
other utility (like I used to do with ResEdit under Mac OS < X).

If a hacker could read the scripts, they could see how the de-cryption 
of an encrypted value was accomplished in the front end and by 
re-producing that  process, de-crypt and use the key in another client 
application (like pgadmin) to create a non-authorised session to the 
back-end postgreSQL database.

Following <STRONG> advice from list members I am not going to rely on 
encrypted storage of any type of key in the front end.

I am looking at hardware devices capable of storing a unique key.

I spotted iButtons recently (java virtual machines in a chip) and note 
that one type of iButton stores a unique (factory set) 128bit string. I 
could pre-program Rev to read that key from an iButton provided to the 
user (via a serial port iButton reader) and use that for the login to 
the database.

So while I realise the number could be read by someone with serial port 
monitoring software, they could not reproduce another iButton with the 
same key (As I believe there is only one iButton ever made with one key)

Although a user could try to authenticate more than one workstation with 
one iButton the key would be stored in the session info and only become 
re-usable once the first session was ended.

The key would also only work with that client's installation of our 
product because the database accounts would be pre-configured to expect 
the key from the matching iButton/s. So a 10 user system would come with 
10 iButtons and readers from us. (plus 10 U3 smart drives with the user 
software on board). The only problem I see now is... Will the user's PC 
have the available serial port for the iButton reader, or can Rev be 
made to read data from a USB reader (that is also available)?

Actually my dream device would be a USB device with a 256MB U3 drive, a 
GPS chip, a thumb print reader and an iButton reader all built-in. Then 
I could do four factor authentication with one piece of hardware. Dream 
on... :-)

Oh yes, I would then need Rev to read data from a USB port as well...

Regards

John T

Kay C Lan wrote:
> Closer to the topic at hand. Somewhere earlier I noted someone mentioned
> storing 'valuable' data in custom props and then emptying the props on
> closeStack. With my insecure work with mySQL I follow a similar 
> procedure,
> only after all transactions are complete do I clear the fields and custom
> props. If I start the stack and there is data in a field or custom 
> prop then
> it indicates that something 'failed' during the process and so 
> hopefully I
> can retrieve the data and complete the transaction without too much 
> hassle.
> Conversely, if you are working with secure data I imagine a simple 
> Save and
> 'Force Quit' followed by opening the stack in a text editor will 
> reveal all
> the data in custom props - maybe not what you were hoping for.

More information about the use-livecode mailing list