Tuesday, January 15

Crypto research: Managing asymmetric keys on remote webhost

I'm currently trying to discover best practices for crypto key management on a third-party web server, if container import isn't available. My current thinking is XML files in a secure directory on the web server, accessible to the website app, but not to the general web, but I'd certainly like to hear if there's a better option.

2 comments:

Michael O'Neill said...

Why asymmetric?

Andrew Badera said...

Because I'm going to be using it for encryption of data contained in service calls. HTTPS, while effective, may cut server performance as much as 90%, so I'd like to encrypt only the portions of the message that are data.

However, I may want to set up symmetric too, having thought about it, for passwords in the DB, which are currently hashed. Unfortunately, hashed passwords don't play well with WSSE authentication, which I'm planning to employ on the service side as well.
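
The mismatch mentioned in the last comment, shown as an added example (not code from the post or its author): in WSSE UsernameToken digest mode the client sends Base64(SHA-1(nonce + created + password)), so the server can only verify it by recomputing the digest from the same secret. All names and sample credentials below are constructed; nonce replay tracking and timestamp freshness checks are omitted.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone


def wsse_digest(nonce: bytes, created: str, secret: bytes) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + secret))."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + secret).digest()
    return base64.b64encode(raw).decode("ascii")


def client_token(username: str, password: str) -> dict:
    """Build the fields a client places in the UsernameToken header."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": wsse_digest(nonce, created, password.encode("utf-8")),
    }


def server_verify(token: dict, stored_secret: bytes) -> bool:
    """Recompute the digest from whatever the server has on file."""
    nonce = base64.b64decode(token["Nonce"])
    expected = wsse_digest(nonce, token["Created"], stored_secret)
    return hmac.compare_digest(expected, token["PasswordDigest"])


def demo() -> dict:
    password = "correct horse battery"      # constructed sample credential
    token = client_token("alice", password)
    # What a database of salted password hashes would hold instead.
    salted = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), b"constructed-salt", 100_000
    )
    return {
        # Server holds the recoverable password: digest matches.
        "recoverable_store": server_verify(token, password.encode("utf-8")),
        # Server holds only a salted hash: it cannot reproduce the digest.
        "hashed_store": server_verify(token, salted),
    }


if __name__ == "__main__":
    print(demo())
```

If the client were instead told to feed the stored hash into the digest, that hash would itself become the password equivalent, so a leaked table would be directly usable for authentication.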