[WEB SECURITY] Salt Storage - web.config or database?
ma_laver at ciise.concordia.ca
Fri Jun 2 16:29:27 EDT 2006
Brian Eaton wrote:
> On 6/1/06, Marc-André Laverdière <ma_laver at ciise.concordia.ca> wrote:
>> P.S. Make sure that you use a cryptographically strong random number
>> generator. .NET should normally be having one of those
> Does a salt actually need to be generated using a strong RNG?
> - Brian
1. If you choose to have your salts separate from your hash, then you want
to make the guessing game harder for your attacker. Weak PRNGs could
essentially let your attacker deduce the sequence of salts with some
effort and thus get no real benefit in hiding them. This point is not an
impressive one if you give away the hash anyway but is the strongest
2. It can get your developers used to using one, so that they don't
hesitate to do so when it'll be required for other applications. Not a
very strong point, in appearance, but a more important one than one may
think. This opens the door to your staff to learn more about security
and thus get some 'on-the-side' security training done.
3. As a principle in crypto, yes. Crypto-level algorithms should be used in
cryptographic operations. You don't want to compromise a scheme because
of something so simple (think about Kerberos 4 for a second, then think
about point 1) :)
4. It has more bragging potential (don't underestimate this point... honestly)
5. Corollary to point 4, this looks much better if you need to defend your
design for any given reason.
I'd encourage you to have a read of PKCS5.
They have a section only on salting. My understanding is that the
cryptographic community assumes a cryptographically strong random number
generator whenever they talk about a random number (which was my point 3).
Those are the best points I can think of (I'm not a cryptographer) and I
hope I am making sense overall.
Marc-André LAVERDIÈRE, B. Eng., M. A. Sc. (in progress)
Computer Security Laboratory - Laboratoire de sécurité informatique
CIISE, Université Concordia University, Montréal, Québec, Canada
\ / ASCII Ribbon Campaign
X against HTML e-mail
"Perseverance must finish its work so that you may be mature and
complete, not lacking anything." -James 1:4
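The points above, as an added example that is not part of the original thread or of any .NET code the poster refers to: salts drawn from the operating system's cryptographically strong generator (`os.urandom`), stored beside the hash, and run through PBKDF2 as described in PKCS #5 v2 (RFC 2898); a seeded, non-cryptographic PRNG is shown alongside to illustrate point 1, namely that its whole salt sequence is reproducible from the seed. The salt length, iteration count and function names are assumptions chosen for this example, not values from the thread.

```python
import hashlib
import hmac
import os
import random

# Parameters for PBKDF2 (PKCS #5 v2 / RFC 2898); these values are assumptions
# for this example, not recommendations taken from the thread.
SALT_BYTES = 16
ITERATIONS = 100_000
HASH_NAME = "sha256"


def make_salt() -> bytes:
    """Salt from the OS cryptographically strong RNG (os.urandom)."""
    return os.urandom(SALT_BYTES)


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 as specified in PKCS #5 v2 (RFC 2898), 32-byte output."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> dict:
    """Store the salt beside the hash: the salt is public, the work factor protects the hash."""
    salt = make_salt()
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": hash_password(password, salt).hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def weak_salt_sequence(seed: int, count: int) -> list:
    """Salts from a seeded, non-cryptographic PRNG (Mersenne Twister here):
    anyone who learns or guesses the seed reproduces the entire sequence,
    which is the failure mode point 1 warns about."""
    rng = random.Random(seed)
    return [rng.getrandbits(SALT_BYTES * 8).to_bytes(SALT_BYTES, "big") for _ in range(count)]


def strong_salts_distinct(count: int) -> bool:
    """With a strong RNG, a batch of salts has no collisions (and no derivable order)."""
    salts = {make_salt() for _ in range(count)}
    return len(salts) == count


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print("stored record:", rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("wrong password", rec))
    print("weak salts reproducible:", weak_salt_sequence(1234, 3) == weak_salt_sequence(1234, 3))
```

The salt is stored in the same record as the hash rather than hidden elsewhere; its job is to make precomputation useless, and the iteration count carries the cost of guessing, which is why the RNG behind it only needs to be unpredictable, not secret.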