I'd like to create an intranet-site were passwords can be safely stored/retrieved in a Database. However I must provide a mechanism so that administrators cannot grant access to the passwords. Therefore the passwords cannot be stored on the server, or on the client and may not be stored in cookies. Server-side decryption is also not an option, since I want to protect against network-sniffers. All encryption/decryption must be done on the client-side.
I had an idea in mind where the encryption/decryption would be performed in a client-side DLL. The DLL would be loaded from VBScript from within a HTML-page.
The first time a decryption is perfomed, it should popup a form to ask for a password. From then on, the password is kept in memory, as long as the computer stays online. All encryption/decryption functions should then use this same password.
<b>What I already have</b>
My current prototype popups a form, where I can enter a password, and then nicely decrypts the message. But as soon as the VBScript has finished, the secret-password is no longer accessible.
It looks like when VBScript has finished, it always unloads the DLL.
I currently have an ActiveX Library, an Automation Object and a Form.
I tried using different techniques, overriding DllCanUnloadNow, tried to create 'Global Variables' in all the different Units... I changed Instancing and Threading Model... but did not succeed.