[Haskell-cafe] secure store for passwords on CLIENT side

Magnus Therning magnus at therning.org
Sun Jun 21 17:04:36 EDT 2009


Iliya Kuznetsov wrote:
> Hello, haskellers,
> 
> I've faced some issue: how to store passwords securely on the client's 
> side? Of course there are many techniques for hashing them on the server side 
> but sure all of them can't be used in my case (because of the nature of a hash).
> There is some platform-independent application written in Haskell and it 
> requires a login name/password for asking some web services through SOAP. 
> I can ask for it every time it's called, but probably I should prepare 
> some way to store this secure info somewhere. The other side (in most 
> cases!) can use only the plain authorization method.
> 
> For me the best way for this task -- storing the puzzled password 
> somewhere in the user's home directory ($HOME or %APPDATA% or Mac's place 
> for that), but I don't know how to puzzle it securely.
> One idea is to use a GPG-like approach: make a secret key automatically and 
> store it in the user's home and just encrypt the given passphrase with that 
> secret key after logging on and decrypt with the public key when needed. But 
> this is probably overmuch for that task.

I'm not really sure I understand what you want to do, but it basically comes
down to two things:

  1. if you have something that needs to be kept secret from the user of the
     client, and you are thinking of keeping that secret _on_ the client, then
     _STOP_, there's simply no good way of doing that

  2. if you want to store a secret that is already known to the user of the
     client, then you are best off storing it using the built-in systems for
     that: on Windows you have DPAPI (that might be old info, you should look
     at MSDN to find what you use nowadays), on Mac there's a secret store
     (I've forgotten what it's called now), in Gnome you have the keyring, in
     KDE you have kwallet

For the latter you are likely to have to write your own FFI layer for using
any of that from Haskell.  I'm sure a nice Haskell x-platform abstraction
would be greatly appreciated by the community ;-)

Hope it helps.

/M

-- 
Magnus Therning                        (OpenPGP: 0xAB4DFBA4)
magnus@therning.org          Jabber: magnus@therning.org
http://therning.org/magnus         identi.ca|twitter: magthe
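A minimal Haskell FFI binding to the Windows DPAPI calls Magnus mentions (CryptProtectData / CryptUnprotectData), added here as an illustration and not code from the thread; it assumes Windows, GHC, the bytestring package, and linking with -lcrypt32. The opaque blob it returns can be written under %APPDATA%: DPAPI ties it to the user's logon credentials, so it defends against other users and offline reads of the disk, but, as point 1 above says, not against code already running as that same user.

```haskell
{-# LANGUAGE ForeignFunctionInterface #-}
module DpapiStore (protect, unprotect) where

import qualified Data.ByteString as B
import qualified Data.ByteString.Unsafe as BU
import Foreign
import Foreign.C.Types

-- DATA_BLOB { DWORD cbData; BYTE *pbData; }: the pointer follows the DWORD
-- at pointer alignment (offset 4 on 32-bit, 8 on 64-bit Windows).
data Blob = Blob Word32 (Ptr Word8)

ptrOff :: Int
ptrOff = alignment (undefined :: Ptr Word8)

instance Storable Blob where
  sizeOf _          = 2 * sizeOf (undefined :: Ptr Word8)
  alignment _       = alignment (undefined :: Ptr Word8)
  peek p            = Blob <$> peekByteOff p 0 <*> peekByteOff p ptrOff
  poke p (Blob n d) = pokeByteOff p 0 n >> pokeByteOff p ptrOff d

-- 64-bit Windows uses the ccall convention; use stdcall for 32-bit builds.
foreign import ccall unsafe "windows.h CryptProtectData"
  c_CryptProtectData :: Ptr Blob -> Ptr CWchar -> Ptr Blob -> Ptr () -> Ptr ()
                     -> Word32 -> Ptr Blob -> IO CInt
foreign import ccall unsafe "windows.h CryptUnprotectData"
  c_CryptUnprotectData :: Ptr Blob -> Ptr (Ptr CWchar) -> Ptr Blob -> Ptr ()
                       -> Ptr () -> Word32 -> Ptr Blob -> IO CInt
foreign import ccall unsafe "windows.h LocalFree"
  c_LocalFree :: Ptr () -> IO (Ptr ())

-- CRYPTPROTECT_UI_FORBIDDEN: fail rather than show a prompt (CLI-friendly).
uiForbidden :: Word32
uiForbidden = 0x1

-- Shared body: marshal the input, run the DPAPI call, copy the output blob
-- into a ByteString, and release the buffer Windows allocated for it.
withDpapi :: (Ptr Blob -> Ptr Blob -> IO CInt) -> B.ByteString -> IO (Maybe B.ByteString)
withDpapi call input =
  BU.unsafeUseAsCStringLen input $ \(src, len) ->
  with (Blob (fromIntegral len) (castPtr src)) $ \inBlob ->
  alloca $ \outBlob -> do
    ok <- call inBlob outBlob
    if ok == 0 then return Nothing else do
      Blob n d <- peek outBlob
      bs <- B.packCStringLen (castPtr d, fromIntegral n)
      _  <- c_LocalFree (castPtr d)
      return (Just bs)

-- Encrypt under the current user's DPAPI master key (derived from the logon).
protect :: B.ByteString -> IO (Maybe B.ByteString)
protect = withDpapi $ \i o ->
  c_CryptProtectData i nullPtr nullPtr nullPtr nullPtr uiForbidden o

-- Decrypt; succeeds only in the context of the same Windows user account.
unprotect :: B.ByteString -> IO (Maybe B.ByteString)
unprotect = withDpapi $ \i o ->
  c_CryptUnprotectData i nullPtr nullPtr nullPtr nullPtr uiForbidden o
```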


