[WEB SECURITY] Salt Storage - web.config or database?

Marc-André Laverdière ma_laver at ciise.concordia.ca
Thu Jun 1 13:04:35 EDT 2006


What algorithm are you gonna use?

My experience with salted SHA-1 (SSHA) is that the salt is integrated in 
the hash, so that you don't need to store it separately.

Here is some code that shows what I'm talking about:
http://www.securitydocs.com/library/3439
http://swforum.sun.com/jive/thread.jspa?threadID=51818&tstart=120

As a sidenote, it'd be preferable to go for a salted variant of SHA-256, 
since cryptologists have been working very hard on breaking SHA-1 and 
made some progress a few months ago.

Here is some practical advice:
http://www.securitytechnique.com/1/8-3?PHPSESSID=ec940e39f1b2abbe563e090613937609

P.S. Make sure that you use a cryptographically strong random number 
generator. .NET should normally have one of those.

Peluso, Cynthia M. wrote:
>  
> Where is the best place to store salts?  I have developers that will be
> using the Microsoft random number generator (ASP.NET) to generate a
> salt to append to the password and then hash.  They want to store the
> salt in the web.config file and the password hashes in the database.
> What is best practice for salt storage?  The concern is that storing
> the salts in the database will increase traffic volume. I'm not sure if
> this is the case as we are talking 16 bytes or so.  If stored in
> web.config at the presentation layer, should it be encrypted?
> 
> Cindy Peluso
> 
<snip>

-- 
Marc-André LAVERDIÈRE, B. Eng., M. A. Sc. (in progress)
Computer Security Laboratory - Laboratoire de sécurité informatique
CIISE, Université Concordia University, Montréal, Québec, Canada
www.ciise.concordia.ca

/"\
\ /    ASCII Ribbon Campaign
  X      against HTML e-mail
/ \

"Perseverance must finish its work so that you may be mature and 
complete, not lacking anything." -James 1:4
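The SSHA layout described in the reply above (the salt carried inside the stored value, so it needs no separate home in web.config or another column), as an added example that is not code from the thread or from the linked pages; the scheme names, function names and the 16-byte salt length are this example's own choices, and it also shows the SHA-256 variant the reply recommends.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Digest length in bytes and hash constructor for each supported scheme.
# "SSHA" is the salted SHA-1 layout; "SSHA256" is the same layout over SHA-256.
DIGEST_LEN = {"SSHA": 20, "SSHA256": 32}
HASH_FN = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256}


def make_ssha(password: str, scheme: str = "SSHA256",
              salt: Optional[bytes] = None) -> str:
    """Return '{SCHEME}' + base64(digest || salt).

    The salt is appended to the digest inside the stored string, so the
    database row is the only thing that has to be kept. The salt comes
    from os.urandom, a cryptographically strong generator."""
    if salt is None:
        salt = os.urandom(16)  # 16 random bytes, the size the question mentions
    digest = HASH_FN[scheme](password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def split_ssha(stored: str) -> Tuple[str, bytes, bytes]:
    """Parse '{SCHEME}base64' into (scheme, digest, salt), rejecting malformed input."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, b64 = stored[1:].split("}", 1)
    if scheme not in DIGEST_LEN:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64, validate=True)
    n = DIGEST_LEN[scheme]
    if len(raw) <= n:
        raise ValueError("stored value too short to contain a salt")
    return scheme, raw[:n], raw[n:]


def verify_ssha(password: str, stored: str) -> bool:
    """Recover the salt from the stored value, recompute, compare in constant time."""
    scheme, digest, salt = split_ssha(stored)
    candidate = HASH_FN[scheme](password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    record = make_ssha("correct horse")  # constructed sample password
    print(record)
    print(verify_ssha("correct horse", record), verify_ssha("wrong", record))
```

Salted single-pass SHA remains fast to brute-force offline, so the salt only stops precomputed tables; the hashing cost is what a slow password-hashing function adds on top of this layout.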

----------------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
