Iliya Kuznetsov wrote:
Hello, haskellers,
I've faced with some issue: how to store passwords securely on client's side? Of course there are many technics how to hash them on server side but sure all of them can't be used in my case (because of nature of hash). There is some platform-independent application written on Haskell and it requires login name/password for asking some web services through SOAP. I can ask it every time when it's called, but probably I should prepare some way to store this secure info on somewhere. The other side (in most cases!) can use only plain authorization method.
For me the best way for this task -- storing the puzzled password somewhere in user's home directory ($HOME or %APPDATA% or in Mac's place for that), but I don't know how to puzzle it securely. One idea is to use GPG-alike approach: make secret key automatically and store it in user's home and just encrypt the given passphrase with that secret key after logging on and decrypt with public key when needed. But this probably is overmuch for that task.
I'm not really sure I understand what you want to do, but it basically comes down to two things: 1. if you have something that needs to be kept secret from the user of the client, and you are thinking of keeping that secret _on_ the client, then _STOP_, there's simply no good way of doing that 2. if you want to store a secret that is already known to the user of the client, then you are best off storing it using a built-in systems for that, on Windows you have DPAPI (that might be old info, you should look at MSDN to find what you use nowadays), on Mac there's a secret store (I've forgotten what it's called now), in Gnome you have the keyring, in KDE you have kwallet For the latter you are likely to have to write your own FFI layer for using any of that from Haskell. I'm sure a nice Haskell x-platform abstraction would be greatly appreciated by the community ;-) Hope it helps. /M -- Magnus Therning (OpenPGP: 0xAB4DFBA4) magnus@therning.org Jabber: magnus@therning.org http://therning.org/magnus identi.ca|twitter: magthe