Re: Salt Storage - web.config or database?

Subject: Re: Salt Storage - web.config or database?
Date: Fri, 2 Jun 2006 18:42:57 -0400
.config files cannot be read over the Internet when .NET is installed unless there is a configuration error on the system and the script mapping is removed, or .NET isn't installed yet (of course ignoring any future IIS hacks to get this information). How secure are your salts, and how secure do they need to be? (Unix salts, for instance, are known.)

It may not increase total DB network traffic by much, but it does require a connection from the pool every time you read it (unless you read on application startup and store them all in memory). If you keep it in the database, I'd load it on app startup. If you keep it in web.config, the permissions you need on that file aren't very restrictive anyway (again, provided a proper ASP.NET working environment, web.config isn't accessible through IIS).
Six of one, half a dozen of the other.
If the web server is compromised, this information can be retrieved.
If the DB server is compromised, SQL injection for example could be used to get the information.
If your web server isn't in a DMZ, one could potentially use misconfigured security on the DB server to get the information from your web server anyway (through allowing xp_cmdshell, for instance).


One could make an argument, though, that it's better that the hashes and salts are separated if you use the DB for hashes and salts in .config.


----- Original Message ----- From: <cynthia.peluso@us.ngrid.com>
To: <webappsec@securityfocus.com>
Sent: Thursday, June 01, 2006 10:20 AM
Subject: Salt Storage - web.config or database?



Where is the best place to store salts? I have developers that will be using the Microsoft random number generator (ASP.NET) to generate a salt to append to the password and then hash. They want to store the salt in the web.config file and the password hashes in the database. What is best practice for salt storage? The developer's concern is that storing the salts in the database will increase traffic volume. I'm not sure if this is the case as we are talking 16 bytes or so. If stored in web.config, what level of protection is required?


Cindy

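The salt-with-hash layout the thread weighs against web.config storage, as an added example (not code from either poster; written in Python rather than ASP.NET so it runs stand-alone). The in-memory sqlite table, usernames and passwords are constructed for the example, the PBKDF2 round count and dummy salt are assumptions, and PBKDF2-HMAC-SHA256 is used in place of the single "append salt then hash" step the question describes. The demo also contrasts per-user salts with one application-wide salt, which is what a single salt value kept in web.config would amount to.

```python
"""Per-user salted password storage with the salt kept in the same row as the hash.

Added example, not code from the thread. sqlite3 in memory stands in for the
application's database; all users and passwords below are constructed.
"""
import hashlib
import hmac
import os
import sqlite3

SALT_BYTES = 16           # the "16 bytes or so" mentioned in the question
PBKDF2_ROUNDS = 100_000   # assumption: work factor, tune for the deployment
# Assumption: fixed salt used only so a lookup for an unknown username costs
# about the same time as one for a known username.
DUMMY_SALT = b"\x00" * SALT_BYTES


def new_salt() -> bytes:
    """Fresh random salt from the OS CSPRNG; one per user, generated at enrolment."""
    return os.urandom(SALT_BYTES)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) instead of a single hash step,
    so that offline guessing is slowed down as well as de-duplicated by the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_store() -> sqlite3.Connection:
    """Constructed in-memory table: the salt and the hash live side by side."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, "
        "salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> bytes:
    """Enrol a user: generate the salt once, store it next to the hash, return it."""
    salt = new_salt()
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    return salt


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password, DUMMY_SALT)  # keep timing similar for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), bytes(stored))


def demo_per_user_salts() -> dict:
    """Two constructed users share a password. With per-user salts their stored
    hashes differ; with one application-wide salt they would be identical,
    which tells anyone who can read the table that the passwords match."""
    conn = open_store()
    salt_alice = register(conn, "alice", "correct horse")
    salt_bob = register(conn, "bob", "correct horse")
    rows = dict(conn.execute("SELECT username, pw_hash FROM users"))

    app_wide_salt = os.urandom(SALT_BYTES)  # the "one salt in web.config" case
    return {
        "salts_differ": salt_alice != salt_bob,
        "hashes_differ": rows["alice"] != rows["bob"],
        "alice_ok": verify(conn, "alice", "correct horse"),
        "alice_wrong": verify(conn, "alice", "correct horse battery"),
        "unknown_user": verify(conn, "carol", "correct horse"),
        "app_salt_hashes_equal": hash_password("correct horse", app_wide_salt)
        == hash_password("correct horse", app_wide_salt),
    }


if __name__ == "__main__":
    for key, value in demo_per_user_salts().items():
        print(f"{key}: {value}")
```

Keeping the salt in the row removes the startup-load and pool-connection question raised in the reply: the verify path already fetches the row, so the salt comes with it at no extra cost, and a backup of the table stays self-consistent without a matching web.config.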
-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
