[Webappsec] String encryption for string obfuscation
Dirk Wetter
dirk.wetter at drwetter.org
Wed Aug 1 09:02:42 EDT 2007
On 01.08.2007 14:37, Tobias Gondrom wrote:
> Hi Roberto,
>
> yep, it is bad practice. ;-)
[..]
> Ps.: and as a disclaimer just my 5 cents: I also heard this statement
> "we can't do without keeping the secret in the code" many times from my
> developers as well.
It's a violation of Kerckhoffs's principle and security thru obscurity.
Your approach of using way hash functions is the right approach.
- --
Dirk Wetter @ Dr. Wetter IT Consulting http://drwetter.org
Beratung IT-Sicherheit + Open Source
Key fingerprint = 2AD6 BE0F 9863 C82D 21B3 64E5 C967 34D8 11B7 C62F
- -
Found core file older than 7 days: /usr/share/man/man5/core.5.gz