I am doing a project on developing a one time password system. In that, I have to encrypt a counter value and secret key together by HMAC SHA 1 algorithm. But the counter value and key need to be stored very safely on the server. Is there anyway by which a value can be stored on a system with no security vulnerability at all? Which is the safest method?

There's no such thing as "no security vulnerability at all", so you have to ask "what do I want to protect against?" (eg unauthorised access, denial of service), and "how far do I need to go?" (eg good enough top prevent casual access, secure against the DHS's best efforts).
If you have encrypted the counter and key using SHA1 and a key only you know, you should be safe against realistic threats of unauthorised access. If you need security against denial of service attacks (eg someone deleting your encrypted data) the you probably need to replicate the data across a number of servers with different access requirements.

but what I was wondering was, where do I store the key after encrypting the counter and key? The key should be accessible each time I use these two. Can you suggest a way of secure storage? This is a completely foreign territory for me. I was just guessing that there would be a distinct and very very secure way of storing a key.

OK, I see. I think that's a real problem. Either you encrypt it - in which case you need to store that encryption key etc ad infinitum - or you rely on access control methods such as username & password - which has to be stored somewhere...
I guess the usual solution is to store at least part of the initial key/password in a human's head and/or a independent piece of hardware like a smartcard.

This article has been dead for over six months. Start a new discussion instead.