Best Practice Encryption Wallet

Similar Messages

• Best Practice: Encrypt() vs hash() for password storing?  Also, salt storing?

  I'm trying to expand my knowledge on security, reading many articles about the different methods to doing so.  I've found the easiest two solutions to use, and that is Encrypt() and hash().  Here's how I'm using them -- I'm looking for which would be better security.
  For both methods, I am using a salt.
  <cfset salt = generateSecretKey('AES')>
  <cfset password = FORM.Password>
  With encrypt, this is all it takes:
  Encrypt(password, salt);
  With hash, i'm doing:
  hash(password & salt, 'SHA-512', 'UTF-8' );
  I can also loop the hash several times to give it more variation:
  hashed = hash( password & salt, arguments.algorithm, 'UTF-8' );
  for (i = 1; i LTE 1024; i=i+1) {
      hashed = hash( hashed & salt, arguments.algorithm, 'UTF-8' );
  So which method is going to be better protection if someone happened to come upon encrypted password information?  Is there a better (free/built-in) method than what I've described?
  Also, since both methods will require the original salt used, what's the best procedure for storing the salt?  In another database?  I've seen some examples store it as a Request variable in application.cfc, but that would allow anyone who has access to the code to see it.

  One consideration here: I would never return the user's previous password to them, I would change it to be a temporary one, make them use that to log in and then get them to reset it to something after that.
  I would never encrypt a pwd, I would always hash it.
  Mileage varies though: this is just another opinion for you to consider.
  Adam

• Best practice for encrypting data in CRM 2013 (other than the fields it already encrypts)

  I know CRM 2013 can encrypt some values by default, but if I want to store data in custom fields then encrypt that, what's the best practice?  I'm working on a project to do this through a javascript action that when triggered from a form would reference
  a web service to decrypt values and a plugin to encrypt on Update/Create, but I hoped there might be a simpler or more suggested way to do this.
  Thanks.

  At what level are you encrypting?  CRM 2013 supports encrypted databases if you're worried about the data at rest.
  In transit, you should be using SSL to encrypt the entire process, not just individual data.
  you can use field-level security to not display certain fields to end users of a certain type if you're worried about that.  It's even more secure than anything you could do with JS, as the data is never passed over the wire.
  Is there something those don't solve?
  The postings on this site are solely my own and do not represent or constitute Hitachi Solutions' positions, views, strategies or opinions.

• Best practice using keyword in subject for encryption

  I have setup an encryption content filter on my appiance to encrypt messages that are outbound, and have a subject header that begin with the keyword Secure inside brackets. [Secure]. My intent was to eliminate some fals positives by including the brackets. What ended up happening was for some reason ALL outbound messages were being encrypted.
  After some more testing it seems like the content filter is ignoring the brackets as a requirement, but I can seem to find anything in the online help to back this up.
  Can someone assist with verification of the requirements around using a keywork in the subject to allow users to encrypt oubound messages voluntarily?
  Best practices around achieving this if anyone has them would also be greatly appreciated.
  Thanks,
  Chris

  Hi Chris,
  While I would have to see the syntax of the filter in question to be 100% sure , it sounds as if your conditional variable is being treated literally. The content filters will except regular expressions so what this means is something like [Secure] could be seen as look for anything that contains
  an S, or a
  e or a
  c or a
  u or a
  r or a
  e
  Since you said begins with we would be looking for anything in the subject that begins with of of these letters. This is due to the fact that the brackets [ ] are special characters in regular expressions, thus they need to be escaped. That being said [Secure] would become \\[Secure\\], we use the \\ to escape the brackets. In content filters however, you can get by with using just one escape as the filter is smart enough to go ahead an enter the additional escape for you. So in the filter it would be something like begins with \[Secure\]
  Once you enter this in the condition for you filter it will display like the following,
  subject == "^\\[Secure\\]"
  I hope that helps.
  Christopher C Smith
  CSE
  Cisco IronPort Customer Support  

• Best practice on sqlite for games?

  Hi Everyone, I'm new to building games/apps, so I apologize if this question is redundant...
  I am developing a couple games for Android/iOS, and was initially using a regular (un-encrypted) sqlite database. I need to populate the database with a lot of info for the games, such as levels, store items, etc. Originally, I was creating the database with SQL Manager (Firefox) and then when I install a game on a device, it would copy that pre-populated database to the device. However, if someone was able to access that app's database, they could feasibly add unlimited coins to their account, unlock every level, etc.
  So I have a few questions:
  First, can someone access that data in an APK/IPA app once downloaded from the app store, or is the method I've been using above secure and good practice?
  Second, is the best solution to go with an encrypted database? I know Adobe Air has the built-in support for that, and I have the perfect article on how to create it (Ten tips for building better Adobe AIR applications | Adobe Developer Connection) but I would like the expert community opinion on this.
  Now, if the answer is to go with encrypted, that's great - but, in doing so, is it possible to still use the copy function at the beginning or do I need to include all of the script to create the database tables and then populate them with everything? That will be quite a bit of script to handle the initial setup, and if the user was to abandon the app halfway through that population, it might mess things up.
  Any thoughts / best practice / recommendations are very appreciated. Thank you!

  I'll just post my own reply to this.
  What I ended up doing, was creating the script that self-creates the database and then populates the tables (as unencrypted... the encryption portion is commented out until store publishing). It's a tremendous amount of code, completely repetitive with the exception of the values I'm entering, but you can't do an insert loop or multi-line insert statement in AIR's SQLite so the best move is to create everything line by line.
  This creates the database, and since it's not encrypted, it can be tested using Firefox's SQLite manager or some other database program. Once you're ready for deployment to the app stores, you simply modify the above set to use encryption instead of the unencrypted method used for testing.
  So far this has worked best for me. If anyone needs some example code, let me know and I can post it.

• ASA 5505 Best Practice Guidance Requested

  I am hoping to tap into the vast wealth of knowledge on this board in order to gain some "best practice" guidance to assist me with the overall setup using the ASA 5505 for a small business client.  I'm fairly new to the ASA 5505 so any help would be most appreciated!
  My current client configuration is as follows:
  a) business internet service (cable) with a fixed IP address
  b) a Netgear N600 Wireless Dual Band router (currently setup as gateway and used for internet/WiFi access)
  c) a Cisco SG-500-28 switch
  d) one server running Windows Small Business Server 2011 Standard (primary Domain Controller)
       (This server is currently the DNS and DHCP server)
  e) one server running Windows Server 2008 R2 (secondary Domain Controller)
  f) approximately eight Windows 7 clients (connected via SG-500-28 switch)
  g) approximately six printers connected via internal network (connected via SG-500-28 switch)
  All the servers, clients, and printers are connected to the SG-500-28 switch.
  The ISP provides the cable modem for the internet service.
  The physical cable for internet is connected to the cable modem.
  From the cable modem, a CAT 6 ethernet cable is connected to the internet (WAN) port of the Netgear N600 router.
  A Cat 6 ethernet cable is connected from Port 1 of the local ethernet (LAN) port on the N600 router to the SG-500-28 switch.
  cable modem -> WAN router port
  LAN router port -> SG-500-28
  The ASA 5505 will be setup with an "LAN" (inside) interface and a "WAN" (outside) interface.  Port e0/0 on the ASA 5505 will be used for the outside interface and the remaining ports will be used for the inside interface.
  So my basic question is, given the information above of our setup, where should the ASA 5505 be "inserted" to maximize its performance?  Also, based on the answer to the previous question, can you provide some insight as to how the ethernet cables should be connected to achieve this?
  Another concern I have is what device will be used as the default gateway.  Currently, the Netgear N600 is set as the default gateway on both Windows servers.  In your recommended best practice solution, does the ASA 5505 become the default gateway or does the router remain the default gateway?
  And my final area of concern is with DHCP.  As I stated earlier, I am running DHCP on Windows Small Business Server 2011 Standard.  Most of the examples I have studied for the ASA 5505 utilize its DHCP functionality.  I also have done some research on the "dhcprelay server" command.  So I'm not quite sure which is the best way to go. First off, does the "dhcprelay server" even work with SBS 2011?  And secondly, if it does work, is the best practice to use the "dhcprelay" command or to let the ASA 5505 perform the DHCP server role?
  All input/guidance/suggestions with these issues would be greatly appreciated!  I want to implement the ASA 5505 firewall solution following "best practices" recommendations in order to maximize its functionality and minimize the time to implement.
  FYI, the information (from the "show version" command) for the ASA 5505 is shown below:
  Cisco Adaptive Security Appliance Software Version 8.4(7)
  Device Manager Version 7.1(5)100
  Compiled on Fri 30-Aug-13 19:48 by builders
  System image file is "disk0:/asa847-k8.bin"
  Config file at boot was "startup-config"
  ciscoasa up 2 days 9 hours
  Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
  Internal ATA Compact Flash, 128MB
  BIOS Flash M50FW016 @ 0xfff00000, 2048KB
  Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                               Boot microcode   : CN1000-MC-BOOT-2.00
                               SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                               IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                               Number of accelerators: 1
  0: Int: Internal-Data0/0    : address is a493.4c99.8c0b, irq 11
  1: Ext: Ethernet0/0         : address is a493.4c99.8c03, irq 255
  2: Ext: Ethernet0/1         : address is a493.4c99.8c04, irq 255
  3: Ext: Ethernet0/2         : address is a493.4c99.8c05, irq 255
  4: Ext: Ethernet0/3         : address is a493.4c99.8c06, irq 255
  5: Ext: Ethernet0/4         : address is a493.4c99.8c07, irq 255
  6: Ext: Ethernet0/5         : address is a493.4c99.8c08, irq 255
  7: Ext: Ethernet0/6         : address is a493.4c99.8c09, irq 255
  8: Ext: Ethernet0/7         : address is a493.4c99.8c0a, irq 255
  9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
  10: Int: Not used            : irq 255
  11: Int: Not used            : irq 255
  Licensed features for this platform:
  Maximum Physical Interfaces       : 8              perpetual
  VLANs                             : 3              DMZ Restricted
  Dual ISPs                         : Disabled       perpetual
  VLAN Trunk Ports                  : 0              perpetual
  Inside Hosts                      : 10             perpetual
  Failover                          : Disabled       perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 10             perpetual
  Total VPN Peers                   : 12             perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has a Base license.

  Hey Jon,
  Again, many thanks for the info!
  I guess I left that minor detail out concerning the Guest network.  I have a second Netgear router that I am using for Guest netowrk access.  It is plugged in to one of the LAN network ports on the first Netgear router.
  The second Netgear (Guest) router is setup on a different subnet and I am letting the router hand out IP addresses using DHCP.
  Basic setup is the 192.168.1.x is the internal network and 192.168.11.x is the Guest network.  As far as the SBS 2011 server, it knows nothing about the Guest network in terms of the DHCP addresses it hands out.
  Your assumption about the Guest network is correct, I only want to allow guest access to the internet and no access to anything internal.  I like your idea of using the restricted DMZ feature of the ASA for the Guest network.  (I don't know how to do it, but I like it!)  Perhaps you could share more of your knowledge on this?
  One final thing, the (internal) Netgear router setup does provide the option for a separate Guest network, however it all hinges on the router being the DHCP server.  This is what led me to the second (Guest) Netgear router because I wanted the (internal) Netgear router NOT to use DHCP.  Instead I wanted SBS 2011 to be the DHCP server.  That's what led to the idea of a second (Guest) router with DHCP enabled.
  The other factor in all this is SBS 2011.  Not sure what experience you've had with the Small Business Server OS's but they tend to get a little wonky if some of the server roles are disabled.  For instance, this is a small busines with a total of about 20 devices including servers, workstations and printers.  Early on I thought, "nah, I don't need this IPv6 stuff," so I found an article on how to disable it and did so.  The server performance almost immediately took a nose dive.  Rebooting the server went from a 5 minute process to a 20 minute process.  And this was after I followed the steps of an MSDN article on disabling IPv6 on SBS 2011!  Well, long story short, I enabled IPv6 again and the two preceeding issues cleared right up.  So, since SBS 2011 by "default" wants DHCP setup I want to try my best to accomodate it.  So, again, your opinion/experiece related to this is a tremendous help!
  Thanks!

• External System Authentication Credentials Best practice

  We are in the process of an 5.0 upgrade.
  We are using NTLM as our authentication source to get teh users and the groups and authenticate against the source. So currently we only have the NT userid, group info(NT domain password is not stored).
  We need to get user credentials to other systems/applications so that we can pass that on the specfic applications when we search/crawl or integrate with those apps/systems.
  We were thinking of getting the credentials(App userid and password) for other applications by developing a custom Profile Web service to gather the information specific to these users. However, don't know if external application password is secured when retrieving from the external repository via a PWS and storing into the Portal database.
  Is this the best approach to take to gather the above information? If not, please recommend the best practice to follow.
  Alternatively, can have the users enter the external system credentials by having them edit their user profile. However, this approach is not preferred.
  If we can't store the user credential to the external apps, we won't eb able to enhance the user experience when doing a search/or click-thorugh to tthe other applications.
  Any insight would be appreciated.
  Thanks.
  Vanita

  Hi Vanita,
  So your solution sounds fine - however, it might be easier to use an SSO Token or the Plumtree UserID in your external applications as a difinitive authentication token.
  For example if you have some external application that requires a username and password, then if you are in a portlet view of the application the application should be able to take the userid plumtree sends it to authenticate that it is the correct user.  You should limit this sort of password bypass to traffic being gatewayed by the portal (i.e. coming from the portal server only).
  If you want to write a Profile Web Service, the data the gets stored in the Plumtree Database is exactly what the Profile Web Service send it as the value for a particular attribute.  For example if your PWS tells Plumtree that the APP1UserName and APP1Password for user My Domain\Akash is Akash and password then that is what we save.  If your PWS encrypts the password using some 2-way encryption before hand, then that is what we will save.  These properties are simply attached to the user, and can be sent to different portlets.
  Hope this helps,
  -aki-

• Best practice architecture Wireless security

  What is the best practice architecture for wireless to the wire network?
  Use AP to Firewall and it to a router using RADIUS?
  It apply to Control is a safety?
  What models Cisco recomend (Hard and Soft?)
  Is any place in Cisco that I can use to see Architecture recomendations that integrete Wireless, Radio (Microwave) and Voice over IP com-plete system?

  using one of the 802.1x types (i.e. LEAP, EAP-FAST, PEAP) with WPAv2 (AES encryption). Too bad that there are not many wireless adapters support AES.
  All Cisco wireless product support AES in 12.3(2)JA recently.
  Also, you may want to configure WDS for radio management.

• Best practice for Video over IP using ISDN WAN

  I am looking for the best practice to ensure that the WAN has suffient active ISDN channels to support the video conference connection.
  Reliance on load threshold either -
  Takes to long for the ISDN calls to establish causing the problems for video setup
  - or is too fast to place additional ISDN calls when only data is using the line
  What I need is for the ISDN calls to be pre-established just prior to the video call. Have done this in the past with the "ppp multilink links minimum commmand but this manual intervention isn't the preferred option in this case
  thanks

  This method is as secure as the password: an attacker can see
  the hashed value, and you must assume that they know what has been
  hashed, with what algorithm. Therefore, the challenge in attacking
  this system is simply to hash lots of passwords until you get one
  that gives the same value. Rainbow tables may make this easier than
  you assume.
  Why not use SSL to send the login request? That encrypts the
  entire conversation, making snooping pointless.
  You should still MD5 the password so you don't have to store
  it unencrypted on the server, but that's a side issue.

• Best Practice for storing a logon to website in a desktop java app

  Hoping someone well versed in java related security best practices can point me in the right direction.
  I have a small java PC application that uses the Soap API to send various data to a 3rd party.
  Currently I am storing the logon credentials for this 3rd party in a local database used by the application.
  The username / password to connect to this database is encrypted and never accessed in clear text in the code.
  (Although, since the application is stand alone, everything needed to decrypt the database credentials is packaged
  with the application. It would not be easy to get the clear text credentials, but possible)
  The caveat in my case is that the user of the application is not even aware (nor should be) that the application is interacting with
  the 3rd party API at all. All the end user knows is that an entity (that they already have a relationship with) has asked them to
  install this application in order to provide the entity with certain data from the user.
  Is there a more secure way to do this will maintaining the requirement that the user not need know the logon credentials to the 3rd party?

  Moderator advice: Don't double post the same question. I've removed the other thread you started in the Other Security APIs, Tools, and Issues forum.
  db

• Best practice to deploy some secret credentials in AIR app

  Hi,
  Can someone suggest the best practice way to deploy some
  secret credentials in an AIR app please?
  For example, network connection settings or passwords ?
  In my particular case (and since this is only for testing)
  I'd like to deploy a password in an AIR app. So is there any way to
  effectively deploy an encrypted store with the app ? (hope that
  makes sense!)
  Tks,
  Alex

  I think the best practice is not to do it. You can't deploy
  an encrypted local
  store file to another computer. You could encrypt the
  information some other
  way, but that just moves the problem. If you have a server,
  you could have the
  app connect to the server to get the sensitive information
  and put it into the
  ELS (ideally through HTTPS).

• Best Practice in maintaining multiple apps and user logins

  Hi,
  My company is just starting to use APEX, and none of us (the developers) have worked on this before either. It is greatly appreciated if we can get some help here.
  We have developed quite a few applications in the same workspace. Now, we are going to setup UAT and PRD environments and also trying to understand what the best practice is to maintain multiple apps and user logins.
  Many of you have already worked on APEX environment for sometime, can you please provide some input?
  Should we create multiple apps(projects) for one department or should we create one app for one department?
  Currently we have created multiple apps for one department, but, we are not sure if a user can login once and be able to access to all the authenticated apps.
  Thank you,
  LC

  LC,
  I am not sure how much of this applies to your situation - but I will share what I have done.
  I built a single 700+ page application for my department - other areas create separate smaller applications.
  The approach I chose is flexible enough to accomdate both.
  I built a separate access control application(Control) in its own schema.
  We use database authenication fo this app - an oracle account is required.
  We prefer to use LDAP for authentication for the user applications.
  For users that LDAP is not option - an encrypted password is stored - reset via email.
  We use position based security - priviliges are based on job functions.
  We have applications, appilcations have roles , roles have access to components(tabs,buttons,unmasked card numbers,etc.)
  We have positions that are granted application roles - they inherit access to the role components.
  Users have a name, a login, a position, and a site.
  We have users on both the East Coast and the West Coast, we use the site in a sys_context
  and views to emulate VPD. We also use the role components,sys_contexts and views to mask/unmask
  card numbers without rewriting the dependent objects(querys,reports,views,etc.)
  The position based security has worked well, when someone moves,
  we change the position they are assigned to and they immediately have the privileges they need.
  If you are interested I can rpovide more detail.
  Bill

• Best Practice for certificate management for security

  We have been working on moving toward future implementation of document encryption and electronic signatures using Adobe Acrobat 9 Standard.  I have read 21 CFR 11, and accompanying guidances.  Are there any best practice recommendations for how to meet these standards using this technology? 
  There are some requirements that I am unsure of how to best implement.
  How should we document that we have verified the identity of the individual?
  How should we periodically force revision of passwords, or document that this is done since no one knows each other’s passwords?
  How should we manage certifications so that we can show we deactivate obsolete ones?
  How do we monitor to detect attempts at unauthorized access/use of electronic signatures?
  If our organization wants to become our own certification authority, what documentation do we need or process should we use to validate our certificates?

  Hi Shadya10,
  Those are some pretty big questions! I'm not saying that your company can't become a CA because obviously there are companies that have, but this is almost something that happens at the state level if your not already intimate with PKI. Just from the tenor of your questions I'd suggest you contract with a reputable, existing CA to provide your PKI infrastructure. I could explain key management and how revocation checking works, but really if you're asking in an Adobe forum this is way more than you want to be dealing with.
  If you're really interested you need to start with reading RFC 5280.
  Steve

• Any known security best practices to follow for FMS deployment

  Hi all,
  We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

  Hi
  I will add some concepts, I am not sure how all of them work technically but there should be enough here for you to
  dig deeper, and also alot of this is relevant to your environment and how you want to deploy it.
  I have done a 28 server deployment, 4 origin and 24 edge servers.
  All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
  We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17, this means that you are allowing UDP and TCP. So definitely test out your TCP/IP port filtering until you are confortable that all your connection types are working and secure.
  Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
  You may want to look at SWF verification. In my understanding, it works as the following. You publish a SWF file on a website. This is a source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the highjacking possibilities on your streams.
  If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
  There are other things you can look at making it more secure like adaptor.xml, using a front end load balancer, HTML domains, SWF domains,
  Firewalls and DRM.
  I hope this helps you out.
  Roberto

• Best practice DNS in VPN environment for Lync2013 clients

  So I do have those site2site VPNs to connect the small branch offices to the main office. Internal DNS makes sure, that the branch offices can acess all the servers/services in the main office with their domain.local namespace.
  In such a scenario will the Lync2013 clients connect through the VPN to the internal sites due to both lyncdiscover and lyncdiscoverinternal being available?
  Wouldn't it cause way less burden on the VPN routers if clients would simply go out to the internet and connect from the external side so all the Lync traffic does not have to be stuffed through the VPN pipe? I dont see the point to encrypt the traffice
  once more.
  Thanks for your suggestions about best practices!
  HST

    Hi,
  When users connect to the corporate network using a VPN client, Lync media traffic is sent through the VPN tunnel. This configuration can create additional latency and jitter because media traffic must pass through an additional layer of encryption and
  decryption. The issue is compounded when the VPN concentrator is busy.
  If you want to connect Lync server from public network you need to deploy an Edge server.
  The solution to force VPN traffic through the Edge Servers must allow external Lync clients connected through VPN, you can refer to the part of "Solution Configuration" in the link below:
   http://blogs.technet.com/b/nexthop/archive/2011/11/15/enabling-lync-media-to-bypass-a-vpn-tunnel.aspx
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support