Where to store Salt constant (linux/MAMP setup)?
Posted: Sun Oct 23, 2011 1:04 am
Hi everyone,
Great forum here. I'm new to the forum but old to application dev. I'm moving to a new job where application security is much more critical than what I'm used to, so I'm researching best practices for data encryption and security. I'm working on an app that "mashes up" data from several 3rd party applications (and storing various api keys for our users). These 3rd party api keys will be stored in a mysql db, so I need to encrypt these keys in a way that can be decrypted in order to actually use them.
I just read Mordred's thread on Password hashing howto (and how not to). Awesome info! It's really difficult to find good information on this subject.
I like the idea of using the HASH(const_salt + password + user_salt) technique. My question is this: How do we safely secure the const_salt string? Can someone point me in the right direction?
Obviously we don't want to store it as a variable in the web application layer like in a PHP file. What are the various techniques for solving this problem? Do we store the salt in a file outside of the web app directory? Do we store the salt in memory? Do we store it on a separate server? Do we use an ssl certificate or something similar?
I can't seem to arrive at a solution where the salt is protected from an attacker who has gained access to web server daemon privileges. Any ideas?
Thanks!
Great forum here. I'm new to the forum but old to application dev. I'm moving to a new job where application security is much more critical than what I'm used to, so I'm researching best practices for data encryption and security. I'm working on an app that "mashes up" data from several 3rd party applications (and storing various api keys for our users). These 3rd party api keys will be stored in a mysql db, so I need to encrypt these keys in a way that can be decrypted in order to actually use them.
I just read Mordred's thread on Password hashing howto (and how not to). Awesome info! It's really difficult to find good information on this subject.
I like the idea of using the HASH(const_salt + password + user_salt) technique. My question is this: How do we safely secure the const_salt string? Can someone point me in the right direction?
Obviously we don't want to store it as a variable in the web application layer like in a PHP file. What are the various techniques for solving this problem? Do we store the salt in a file outside of the web app directory? Do we store the salt in memory? Do we store it on a separate server? Do we use an ssl certificate or something similar?
I can't seem to arrive at a solution where the salt is protected from an attacker who has gained access to web server daemon privileges. Any ideas?
Thanks!