WebApp Sec mailing list archives

Re: Salt Storage - web.config or database?


From: "Adam Tuliper" <amt () gecko-software com>
Date: Fri, 2 Jun 2006 18:42:57 -0400

.config files cannot be read over the Internet when .NET is installed unless there is a configuration error on the system and the script mapping is removed, or .NET isn't installed yet (of course ignoring any future IIS hacks to get this information). How secure are your salts, and how secure do they need to be? (Unix salts, for instance, are known.)

It may not increase total DB network traffic by much, but it does require a connection from the pool every time you read it (unless you read on application startup and store them all in memory). If you keep it in the database, I'd load it upon app startup. If you keep it in web.config, the permissions you need on that file aren't very restrictive anyway (again, provided a proper ASP.NET working environment, web.config isn't accessible through IIS).
6 of one, 1/2 dozen of the other.
If the web server is compromised, this information can be retrieved.
If the DB server is compromised, SQL injection, for example, could be used to get the information. If your web server isn't in a DMZ, one could potentially use misconfigured security on the DB server to get the information from your web server anyway (through allowing xp_cmdshell, for instance).

One could make an argument, though, that it's better that the hashes and salts are separated if you use the DB for hashes and keep the salts in .config.


----- Original Message -----
From: <cynthia.peluso () us ngrid com>
To: <webappsec () securityfocus com>
Sent: Thursday, June 01, 2006 10:20 AM
Subject: Salt Storage - web.config or database?


Where is the best place to store salts? I have developers that will be using the Microsoft random number generator (ASP.NET) to generate a salt to append to the password and then hash. They want to store the salt in the web.config file and the password hashes in the database. What is best practice for salt storage? The developer's concern is that storing the salts in the database will increase traffic volume. I'm not sure if this is the case, as we are talking 16 bytes or so. If stored in web.config, what level of protection is required?

Cindy
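The scheme discussed in this thread (a random 16-byte salt per user, hashed with the password, with the salt kept either beside the hash in the database or separately in configuration), as an added example that is not code from either poster. It is written in Python rather than ASP.NET, and it substitutes PBKDF2-HMAC-SHA256 with an assumed iteration count for the plain salt+password hash described; the sample users and passwords are constructed.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16          # roughly the 16 bytes Cindy mentions
ITERATIONS = 100_000     # PBKDF2 work factor; an assumption, not from the thread


def new_salt() -> bytes:
    """Fresh random salt from the OS CSPRNG (Python counterpart of the .NET RNG)."""
    return secrets.token_bytes(SALT_BYTES)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash; PBKDF2 stands in for the plain salt+password hash in the thread."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Layout A: per-user salt stored in the same DB row as the hash."""
    salt = new_salt()
    return {"salt": salt.hex(), "hash": hash_password(password, salt).hex()}


def verify_record(password: str, record: dict) -> bool:
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(hash_password(password, salt), expected)


def enroll_split(user: str, password: str, config_salts: dict, db_hashes: dict) -> None:
    """Layout B: salts held in config (web.config in the thread), hashes in the DB."""
    salt = new_salt()
    config_salts[user] = salt.hex()
    db_hashes[user] = hash_password(password, salt).hex()


def verify_split(user: str, password: str, config_salts: dict, db_hashes: dict) -> bool:
    if user not in config_salts or user not in db_hashes:
        return False
    salt = bytes.fromhex(config_salts[user])
    expected = bytes.fromhex(db_hashes[user])
    return hmac.compare_digest(hash_password(password, salt), expected)


if __name__ == "__main__":
    rec = make_record("correct horse")   # constructed sample password
    print(verify_record("correct horse", rec), verify_record("wrong", rec))
```

Either layout verifies the same way; the difference the thread debates is only which store an attacker must reach to learn the salt, since a known salt does not by itself recover the password.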

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive and consolidated
remediation task lists at every level of the application. See for
yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------
