Where to store Salt constant (linux/MAMP setup)?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
jaustin
Forum Newbie
Posts: 2
Joined: Sun Oct 23, 2011 12:31 am

Where to store Salt constant (linux/MAMP setup)?

Post by jaustin »

Hi everyone,

Great forum here. I'm new to the forum but old to application dev. I'm moving to a new job where application security is much more critical than what I'm used to, so I'm researching best practices for data encryption and security. I'm working on an app that "mashes up" data from several 3rd party applications (and storing various api keys for our users). These 3rd party api keys will be stored in a mysql db, so I need to encrypt these keys in a way that can be decrypted in order to actually use them.

I just read Mordred's thread on Password hashing howto (and how not to). Awesome info! It's really difficult to find good information on this subject.

I like the idea of using the HASH(const_salt + password + user_salt) technique. My question is this: How do we safely secure the const_salt string? Can someone point me in the right direction?

Obviously we don't want to store it as a variable in the web application layer like in a PHP file. What are the various techniques for solving this problem? Do we store the salt in a file outside of the web app directory? Do we store the salt in memory? Do we store it on a separate server? Do we use an ssl certificate or something similar?

I can't seem to arrive at a solution where the salt is protected from an attacker who has gained access to web server daemon privileges. Any ideas?

Thanks!
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Where to store Salt constant (linux/MAMP setup)?

Post by Apollo »

jaustin wrote:My question is this: How do we safely secure the const_salt string? Can someone point me in the right direction?

Obviously we don't want to store it as a variable in the web application layer like in a PHP file.
Why not?
What are the various techniques for solving this problem? Do we store the salt in a file outside of the web app directory? Do we store the salt in memory? Do we store it on a separate server? Do we use an ssl certificate or something similar?
Just put it in some include file (along with your SQL username and password, for example) and include that file wherever you need it. You do not want this data to exist on multiple places. Not just for security but mostly for maintainability reasons.

And yes, I would typically store it outside the web app directory (or outside the entire document root, for that matter). This file is supposed to be included by other php files only, not to be ever accessed directly by a visitor.

Remember, even if someone would be able to read your salt string, it's no problem. Consider it just as part of your hashing algorithm. They can know the hashing method you use (any decent hashing method is open source anyway). See, if I were to tell you that I store my passwords as sha512(password+"nR4E7/39d!5qgk#uZ31z-Nh^ryD1"+userID) would that help you hacking my site in any way?

The salt is just to avoid rainbow table attacks, duplicate password detectability, and reduce brute force attempts to single passwords at a time.
I can't seem to arrive at a solution where the salt is protected from an attacker who has gained access to web server daemon privileges. Any ideas?
You mean when they hacked into your server? In that case you're pretty much screwed. They'll be able to access your php files. And since the php files can access your database and verify passwords, so can they.

However, still no panic. As long as you use a good hashing method (like whirlpool or sha512, do NOT use md5) they still won't be able to restore any actual passwords. But obviously they *will* get access to whatever data you tried to protect with those passwords (like customer info or admin details or whatnot).
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Where to store Salt constant (linux/MAMP setup)?

Post by Mordred »

jaustin wrote:These 3rd party api keys will be stored in a mysql db, so I need to encrypt these keys in a way that can be decrypted in order to actually use them.
In that case nothing you read in that article applies to you, since it's about one-way hashing not two-way encryption.

You either keep the keys in the source, or for a slightly better option, hardcode a master key in the source, keep the other keys encrypted in a database. Be careful when chosing an encryption scheme to use, the documentation should provide hints on what to use and what not to use.

For an even better option try mod_env to store the keys (or the master key if you prefer the flexibility of having keys in a database)
Post Reply