Re: [SC-L] Best practices for encrypting client-side data

2007-05-10 Thread Robin Sheat
On Wednesday 09 May 2007 03:00:12 SC-L Subscriber Dave Aronson wrote: What happens when the user changes his password?  I didn't quite follow it all, but it looks to me like that means that all of a user's data has to be decrypted and re-encrypted.  You didn't tell us how much data that is, so

Re: [SC-L] Best practices for encrypting client-side data

2007-05-10 Thread Robin Sheat
On Wednesday 09 May 2007 05:04:53 you wrote: You go on to describe (I think) crypto operations that take place completely on the client site. What is the relationship between the encrypted data and server client-server communications? For the purposes of this, there isn't. It was just to

Re: [SC-L] Best practices for encrypting client-side data

2007-05-10 Thread Robin Sheat
On Wednesday 09 May 2007 02:11:05 ljknews wrote: I would suggest two factor authentication, requiring some smart card (with built-in keypad, to prevent intercept of the pin) that actually provides the decryption.  Make the user keep the smart card with them, such as by requiring it for

Re: [SC-L] Best practices for encrypting client-side data

2007-05-10 Thread ljknews
At 12:01 PM +1200 5/10/07, Robin Sheat wrote: On Wednesday 09 May 2007 02:11:05 ljknews wrote: I would suggest two factor

Re: [SC-L] Best practices for encrypting client-side data

2007-05-09 Thread Blue Boar
Robin Sheat wrote: Basically, I needed to encrypt the on-disk format of some data that is accessed as a seekable file (it's actually a Lucene index, but the details aren't too relevant). The use case for this is to ensure the data is kept private, even if the disk or computer the data is on

Re: [SC-L] Best practices for encrypting client-side data

2007-05-09 Thread SC-L Subscriber Dave Aronson
Robin Sheat wonders: What I did was take the user's password to create a key What happens when the user changes his password? I didn't quite follow it all, but it looks to me like that means that all of a user's data has to be decrypted and re-encrypted. You

[SC-L] Best practices for encrypting client-side data

2007-05-08 Thread Robin Sheat
I'm no security professional, just a programmer with a healthy interest in it, most of what I've gleaned has come from lists such as this, and the various securityfocus ones. A little while ago I was asked to implement something that I didn't have much of a low-level idea of, so I hope here is