PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




Posted: Sun Oct 23, 2011 1:04 am
Forum Newbie

Joined: Sun Oct 23, 2011 12:31 am
Posts: 2
Hi everyone,

Great forum here. I'm new to the forum but old to application dev. I'm moving to a new job where application security is much more critical than what I'm used to, so I'm researching best practices for data encryption and security. I'm working on an app that "mashes up" data from several 3rd party applications (and stores various API keys for our users). These 3rd party API keys will be stored in a MySQL DB, so I need to encrypt these keys in a way that can be decrypted in order to actually use them.

I just read Mordred's thread on . Awesome info! It's really difficult to find good information on this subject.

I like the idea of using the HASH(const_salt + password + user_salt) technique. My question is this: How do we safely secure the const_salt string? Can someone point me in the right direction?

Obviously we don't want to store it as a variable in the web application layer like in a PHP file. What are the various techniques for solving this problem? Do we store the salt in a file outside of the web app directory? Do we store the salt in memory? Do we store it on a separate server? Do we use an SSL certificate or something similar?

I can't seem to arrive at a solution where the salt is protected from an attacker who has gained access to web server daemon privileges. Any ideas?

Thanks!
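
An added example, not part of the original thread or any reply in it: one option raised in the question, keeping const_salt in a file outside the web app directory, combined with the HASH(const_salt + password + user_salt) construction. SHA-256 as HASH, the function names, the 32-character minimum and the POSIX permission check are assumptions; the demo values are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Read the site-wide constant salt from a file kept outside the web root.
 * Refuses files that group or other accounts can access (POSIX modes).
 * This keeps other local users out; a process running as the same account
 * as the web server can still read the file.
 */
function loadConstSalt(string $path): string
{
    $perms = @fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("const_salt file not found: $path");
    }
    if (($perms & 0077) !== 0) {
        throw new RuntimeException('const_salt file is accessible to group or others');
    }
    $salt = trim((string) file_get_contents($path));
    if (strlen($salt) < 32) {
        throw new RuntimeException('const_salt is too short');
    }
    return $salt;
}

/** HASH(const_salt + password + user_salt), with SHA-256 assumed as HASH. */
function hashPassword(string $constSalt, string $password, string $userSalt): string
{
    return hash('sha256', $constSalt . $password . $userSalt);
}

function verifyPassword(string $constSalt, string $password, string $userSalt, string $stored): bool
{
    // hash_equals compares in constant time, so timing does not leak the match length.
    return hash_equals($stored, hashPassword($constSalt, $password, $userSalt));
}

// Demo with constructed values: a throwaway salt file stands in for the real one.
$demoFile = tempnam(sys_get_temp_dir(), 'salt');
file_put_contents($demoFile, bin2hex(random_bytes(32)));
chmod($demoFile, 0400);

$constSalt = loadConstSalt($demoFile);
$userSalt  = bin2hex(random_bytes(16)); // per-user salt, stored in the DB row
$stored    = hashPassword($constSalt, 'correct horse', $userSalt);

var_dump(verifyPassword($constSalt, 'correct horse', $userSalt, $stored));
var_dump(verifyPassword($constSalt, 'wrong guess', $userSalt, $stored));
unlink($demoFile);
```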


 
Posted: Sun Oct 23, 2011 5:08 am
Forum Regular

Joined: Wed Apr 30, 2008 2:34 am
Posts: 794


 
Posted: Sun Oct 23, 2011 2:29 pm
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria

