The Chief Technology Officer (CTO) wants to improve security surrounding storage of customer passwords. The company currently stores passwords as SHA hashes. Which of the following can the CTO implement requiring the LEAST change to existing systems?

Smart cards usually come in two forms. The most common takes the form of a rectangular piece of plastic with an embedded microchip. The second is a USB token. Either form contains a built-in processor and has the ability to securely store and process information. A “contact” smart card communicates with a PC through a smart card reader, whereas a “contactless” card sends encrypted information to the PC via radio waves.
Typical scenarios in which smart cards are used include interactive logon, e-mail signing, e-mail decryption and remote access authentication. However, smart cards are programmable and can contain programs and data for many different applications. For example, smart cards may be used to store medical histories for use in emergencies, to make electronic cash payments, or to verify the identity of a customer to an e-retailer.
Microsoft provides two device-independent APIs to insulate application developers from differences between current and future implementations: CryptoAPI and the Microsoft Win32® SCard APIs.
The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible
manner, while providing protection for the user’s sensitive private key data. All cryptographic operations are
performed by independent modules known as cryptographic service providers (CSPs).
There are many different cryptographic algorithms, and even when implementing the same algorithm there are many choices to make, about key sizes and padding for example. For this reason, CSPs are grouped into types, and within a type each supported CryptoAPI function behaves, by default, in a way particular to that type. For example, CSPs of the PROV_DSS provider type support DSS signatures and MD5 and SHA hashing.
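The following added example (not from the original text or from Microsoft's documentation) shows what "selecting a CSP by provider type" looks like in practice. It uses .NET's CspParameters/DSACryptoServiceProvider classes, which wrap CryptoAPI's CryptAcquireContext and the CSP's own key storage, to open a PROV_DSS provider, hash a message with SHA-1, and produce and verify a DSS signature without the private key ever leaving the CSP. The provider name "Microsoft Base DSS Cryptographic Provider" is the built-in PROV_DSS provider on Windows; the key container name and the message are constructed for the example.

```powershell
# Added example: pick a CryptoAPI CSP by provider type and use the operations
# that type supports (SHA hashing + DSS signature). Requires Windows PowerShell
# on a Windows host, since CSPs are a Windows CryptoAPI concept.

$PROV_DSS = 3   # wincrypt.h provider type constant for DSS CSPs

# CspParameters(providerType, providerName) maps to CryptAcquireContext.
$csp = New-Object System.Security.Cryptography.CspParameters(
    $PROV_DSS, 'Microsoft Base DSS Cryptographic Provider')
$csp.KeyContainerName = 'ExampleDssContainer'   # constructed container name

# The CSP generates and holds the DSA key pair; the script only gets a handle.
$dsa = New-Object System.Security.Cryptography.DSACryptoServiceProvider($csp)

# Hash the data with SHA-1, the digest PROV_DSS signatures are defined over.
$data = [System.Text.Encoding]::UTF8.GetBytes('sample message')   # constructed input
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$hash = $sha1.ComputeHash($data)

# Sign inside the CSP with the private key, then verify with the public half.
$sig = $dsa.SignHash($hash, 'SHA1')
$ok  = $dsa.VerifyHash($hash, 'SHA1', $sig)

"Provider : $($dsa.CspKeyContainerInfo.ProviderName)"
"Key type : $($dsa.KeySize)-bit DSA in container $($dsa.CspKeyContainerInfo.KeyContainerName)"
"Signature verifies: $ok"

# Tampering with one byte of the data must fail verification.
$data[0] = $data[0] -bxor 1
$ok2 = $dsa.VerifyHash($sha1.ComputeHash($data), 'SHA1', $sig)
"Tampered data verifies: $ok2"   # expected False

# Clean up: do not leave the example key container behind in the CSP.
$dsa.PersistKeyInCsp = $false
$dsa.Dispose()
$sha1.Dispose()
```

The point to take from the script is the division of labour the text describes: the application never sees DSA private key material, only the CSP does, and the hash algorithms and signature scheme it can ask for are fixed by the provider type. The same division is what makes smart card CSPs possible, since the card can stand in for the software key store. PROV_DSS is limited to 1024-bit DSA with MD5/SHA-1, which is why new code on modern Windows is normally written against CNG rather than these legacy provider types.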