I would strongly recommend reading Bruce Schneier's Practical Cryptography - it is absolutely invaluable for building this type of system. Then, I'd suggest reading Hacker News and searching for posts by tptacek <a href="http://news.ycombinator.com/user?id=tptacek">http://news.ycombinator.com/user?id=tptacek</a> - his warnings regarding building your own encryption system - even by just cobbling together secure algorithms - should not be taken lightly. His most famous post on the subject is "If you're typing the letters A-E-S into your code you're doing it wrong" is worth reading.<div>
<br></div><div><a href="http://chargen.matasano.com/chargen/2009/7/22/if-youre-typing-the-letters-a-e-s-into-your-code-youre-doing.html">http://chargen.matasano.com/chargen/2009/7/22/if-youre-typing-the-letters-a-e-s-into-your-code-youre-doing.html</a><br>
<div><br></div><div>Best,</div><div><br clear="all">Chad DePue<br>skype: cdepue<br><div><a href="http://inakanetworks.com" target="_blank">inakanetworks.com</a> </div><div> </div><br><div class="gmail_quote">On Sat, Apr 30, 2011 at 10:12 PM, Chris Hicks <span dir="ltr"><<a href="mailto:silent_vendetta@hotmail.com">silent_vendetta@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div>
That certainly makes sense, and is a lot simpler than anything I was coming up with in my head. Thank you.<br><br>> Subject: Re: [erlang-questions] Encrypting/Decrypting data<br>> From: <a href="mailto:john@jkemp.net" target="_blank">john@jkemp.net</a><br>
> Date: Sat, 30 Apr 2011 20:31:47 -0400<br>> CC: <a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>> To: <a href="mailto:silent_vendetta@hotmail.com" target="_blank">silent_vendetta@hotmail.com</a><div class="im">
<br>> <br>> Chris,<br>> <br>> On Apr 30, 2011, at 6:25 PM, Chris Hicks wrote:<br>> <br>> > This is a bit more of a general question than Erlang specific but I hope someone here can answer this, or simply point me to a place where it has already been answered.<br>
> > <br>> > I'm writing a server in which I will be storing encrypted user data (unlike Sony). My problem is probably a product of zero experience with encryption combined with a lack of sleep, but I can't figure out how to do this securely. By that I mean I understand how to use crypto to encrypt/decrypt a piece of data but the Key and the Ivec have to be the same for both the encryption and decryption otherwise it doesn't work...so how do I make this happen without storing those two things "out in the open?" It seems like that can't be the optimal solution since anyone who could just grab those and decrypt the data. Am I missing something completely obvious?<br>
> <br>> You have it correct. The solution to your problem is to do what things like 'ssh' or Apache 'httpd' do, and use a key stored in a file with user-restricted permissions, which requires a passphrase to read. As your server starts, it will ask the user who starts it for the passphrase and then read the key. <br>
> <br>> Regards,<br>> <br>> - John Kemp<br>> <br>> > <br>> > Chris Hicks.<br>> > <br>> > <br>> > _______________________________________________<br>> > erlang-questions mailing list<br>
> > <a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>> > <a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
> <br> </div></div>
<br>_______________________________________________<br>
erlang-questions mailing list<br>
<a href="mailto:erlang-questions@erlang.org">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br>
<br></blockquote></div><br></div></div>