Abstract
One of the major points of interest in software engineering nowadays is how to ensure applic- ations configuration files’ security. In fact, they very often contain confidential information as database connection credentials, thereby providing a vulnerability point to these applications, for those files having their information clearly written. Some studies upon 2200 applications revealed that 96% of them where vulnerable, and that 80% of those vulnerable applications contained vulnerabilities exposed by incorrect configuration information management. Encryp- tion is then used to secure these delicate files. The difficulty then resides in the usage and backup of the encryption key so as to guarantee data security. To do this, current approaches are either to hide the encryption key in the application source code or somewhere on disk, it’s safety then being compromised; or to protect the key by bounding it to a specific user account, the application can then operate only within this account, obligating that user to be physically present for the key to be available, which is an unacceptable constraint for large systems. In this paper, we propose an encryption key management model solving limitations mentioned above. The key lies only in main memory, which is great for its protection; it is subjected on a secure and flexible way (directly, through https or SMS) to the files security module when starting.
Details
| Primary Language | English |
|---|---|
| Journal Section | Articles |
| Authors | |
| Publication Date | March 31, 2015 |
| Submission Date | January 30, 2016 |
| Published in Issue | Year 2015 Volume: 4 Issue: 1 |