
Comments

Iang

As you say ... when doing encryption with any tool that already structures the data such as XML or an RDBMS, we immediately run into a clash. Encrypt it all or parts? Which parts? Is it a major upgrade to add another part? Who has to share what key for what search / query?

The above commentary is ok as far as it goes, but it goes practically nowhere without a grounding in the application. The application generates requirements, and those requirements tend to create havoc if one is relying on some built-in crypto, especially at the structured data level.

An encryption layer is generally best done as either a completely separate lower layer with no relationship to upper layer -- in which case it is "throwaway" because you can never tell if it is turned on -- or has to be done integrally with the app.

Both of these approaches mitigate against XML-style encryption, to the extent that XML encryption can be put in place .. of course .. but it is hard to place reliance on the result.
