Salt location, hiding the salt
I have a question regarding the following scenario:
I want to use jasypt to encrypt my password and use a certain salt for encryption.
Does it make sense (or is there any security implication) if:
I use password based encryption to encrypt the salt with a password that I get from an environment variable; that way I can have the encrypted value of the salt in a property file, get it from there, decrypt it via the password I get from the environment variable (actually I am going to have an EnvironmentStringPBEConfig object which in turn gets the environment variable from EnvironmentStringPBEConfig object and delete the environment variable once the EnvironmentStringPBEConfig is created) and finally use the salt.
Thank you.
Edit: please note that I would want to know if "hiding" the salt as described above is a good practice; I am not implementing such a solution right now.
EDIT: Also please note the following recommendations from OWASP.
Recommendation: Make it hard to steal the entire salt
There are a number of additional recommended enhancements to the basic salting mechanism for consideration:
Have an additional 'system' salt that is a fixed value for the entire system. This should be stored in a configuration file somewhere. This fixed value would not have to be included in every backup, making it even harder for an attacker to compromise all elements required to calculate the hash value properly.
Embedding a portion of the system salt in the source code. This wouldn't be that helpful for open source code, but for custom applications, having part of your system salt in the code would be yet one more item required by an attacker to calculate the hash value properly.
Generating a new salt for an account each time that user's password is changed.
Recommendation: Salt Isolation
An additional password storage defense mechanism involves storing the salt in a different location than the password hash. Use of the server's filesystem is one commonly used mechanism for salt isolation, assuming the password hashes are stored in a different location such as a database or LDAP server. This defense mechanism reduces the risk of password theft when the database file is stolen, since the salts will not be included with the database data. Be careful to ensure that both the password hashes and the salts are not backed up together; they should also be backed up in isolation.
Comments (1)
Why do you want to encrypt a salt? Salts are normally public information - they only exist to prevent pre-computed "rainbow-table" offline attacks on databases of passwords. I think you need to be clearer about what you are attempting to do and why.
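Added example, not part of the original question or comment and not Jasypt code: a plain Java (JCA) sketch of the layout discussed above, with a random per-user salt stored in the clear beside the hash and the fixed 'system' salt from the quoted OWASP text read from outside the database. The class name, the environment variable name `APP_SYSTEM_SALT`, the fallback value and the iteration count are assumptions.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltedHashDemo {
    private static final int ITERATIONS = 210_000; // assumed work factor
    private static final int KEY_BITS = 256;

    // Fixed system-wide salt kept outside the database (hypothetical variable name).
    static byte[] systemSalt() {
        String v = System.getenv("APP_SYSTEM_SALT");
        // Constructed fallback so the demo runs without any environment set up.
        return (v != null ? v : "constructed-demo-value").getBytes(StandardCharsets.UTF_8);
    }

    // Per-user salt: random, unique per account, stored unencrypted next to the hash.
    static byte[] newUserSalt() {
        byte[] s = new byte[16];
        new SecureRandom().nextBytes(s);
        return s;
    }

    static byte[] hash(char[] password, byte[] userSalt) throws Exception {
        byte[] sys = systemSalt();
        byte[] salt = new byte[userSalt.length + sys.length];
        System.arraycopy(userSalt, 0, salt, 0, userSalt.length);
        System.arraycopy(sys, 0, salt, userSalt.length, sys.length);
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipes the spec's internal copy only
        }
    }

    // Constant-time comparison of the recomputed hash with the stored one.
    static boolean verify(char[] password, byte[] userSalt, byte[] stored) throws Exception {
        return MessageDigest.isEqual(hash(password, userSalt), stored);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample
        byte[] saltA = newUserSalt(), saltB = newUserSalt();
        byte[] hashA = hash(pw, saltA), hashB = hash(pw, saltB);
        Base64.Encoder b64 = Base64.getEncoder();
        System.out.println("row A: " + b64.encodeToString(saltA) + " | " + b64.encodeToString(hashA));
        System.out.println("same password, same hash? " + MessageDigest.isEqual(hashA, hashB));
        System.out.println("verify with stored salt:  " + verify(pw, saltA, hashA));
    }
}
```

Two accounts with the same password get different rows because the per-user salts differ, which is all the salt has to achieve; the only value kept out of the database is the system salt.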