[Webappsec] String encryption for string obfuscation
roberto battistoni
rbattistoni at acm.org
Wed Aug 1 09:14:42 EDT 2007
yes, it's a best practice :-)
In my hypothesis, the application needs the secret to authenticate
itself on another system. So the hash is not very useful because it is
a one-way function.
Have I understood your idea?
thanks
roberto
2007/8/1, Tobias Gondrom <tgondrom at opentext.com>:
> Hi Roberto,
>
> yep, it is bad practice. ;-)
>
> One comment on the string obfuscation, in case you haven't thought of it
> already:
> You should apply your obfuscation on the hash of the secret (password)
> not the password itself.
> obfuscated_Secret = obscure_complicated_algorithm ( hash(password) )
>
> Best regards, Tobias
>
>
> Ps.: and as a disclaimer just my 5 cents: I also heard this statement
> "we can't do without keeping the secret in the code" many times from my
> developers as well. But after a short analysis, really every time it
> turned out not to be necessary and we eventually found a way without the
> secret in the code.
>
>
>
> > -----Original Message-----
> > From: webappsec-bounces at lists.owasp.org [mailto:webappsec-
> > bounces at lists.owasp.org] On Behalf Of roberto battistoni
> > Sent: Wednesday, August 01, 2007 2:08 PM
> > To: webappsec at lists.owasp.org
> > Subject: [Webappsec] String encryption for string obfuscation
> >
> > Hi,
> >
> > I know that storing passwords in the code is a bad practice, but
> > sometimes it is necessary to store a secret in the code because there
> > is no authentication from the user. The code is the authentication
> > token!
> >
> > If we develop the application in a low-level language there are many
> > ways to obfuscate the secret, but in a VM language such as Java or C#
> > only string encryption could mitigate the disclosure of the secret to
> > an attacker.
> >
> > Obviously, if I want to encrypt a secret I need another secret to
> > implement the encryption, and this is not a good idea ;-) or I can use
> > an obscure and very complicated algorithm to implement the obfuscation
> > of the string.
> >
> > In the second scenario, with a decompiler a smart attacker can still
> > retrieve the secret, but surely with this obfuscation it is harder to
> > do.
> >
> > I have found some code that implements a string encryption technique
> > in C#, but for Java there isn't any code to implement it.
> >
> > I would like to ask you for some help on this topic.
> >
> > Thanks
> >
> > Roberto
> > _______________________________________________
> > Webappsec mailing list
> > Webappsec at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/webappsec
>
--
"the wise man is he who knows that he does not know" (Socrates)
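The original post asks for Java code implementing the string obfuscation under discussion, and none appears on the page. The following is an added example, written by the editor and not taken from Roberto, Tobias, or any project: a build-time step that XORs the UTF-8 bytes of the secret with a key and Base64-encodes them so the plain secret never appears as a literal in the .class file, a runtime step that reverses it, and the variant from the thread that obfuscates a SHA-256 digest of the secret instead of the secret itself. The class name, the KEY bytes and the sample secret are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/**
 * Minimal string obfuscation for Java: XOR the secret's bytes with a key and
 * Base64-encode the result, so the plaintext is not a literal in the .class
 * file. The key and the reveal() routine ship in the same class, so javap or
 * any decompiler recovers the secret; this only defeats a `strings`-style grep.
 */
public final class StringObfuscator {

    // Assumed build-time key (example value). In practice it is generated once
    // per build and pasted into the source, which is exactly why it is weak:
    // it is in the class file next to the obfuscated literal.
    private static final byte[] KEY = {
        (byte) 0x5a, (byte) 0x13, (byte) 0xc7, (byte) 0x88,
        (byte) 0x2e, (byte) 0x71, (byte) 0x9f, (byte) 0x04
    };

    private StringObfuscator() {}

    /** Build-time step: turn the plaintext into the literal to embed in the source. */
    public static String obfuscate(String plain, byte[] key) {
        byte[] data = plain.getBytes(StandardCharsets.UTF_8);
        return Base64.getEncoder().encodeToString(xor(data, key));
    }

    /** Runtime step: recover the plaintext just before it is used. */
    public static String reveal(String obfuscated, byte[] key) {
        byte[] data = Base64.getDecoder().decode(obfuscated);
        return new String(xor(data, key), StandardCharsets.UTF_8);
    }

    /** Variant from the thread: obfuscate a hash of the secret rather than the secret. */
    public static String obfuscateDigest(String plain, byte[] key) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(plain.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(xor(digest, key));
    }

    /** XOR every byte with the key, repeating the key as needed. */
    private static byte[] xor(byte[] data, byte[] key) {
        byte[] out = new byte[data.length];
        for (int i = 0; i < data.length; i++) {
            out[i] = (byte) (data[i] ^ key[i % key.length]);
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample secret. In the real application this line does not
        // exist: the developer runs obfuscate() once and pastes the output in.
        String secret = "s3cr3t-api-password";
        String literal = obfuscate(secret, KEY);
        System.out.println("literal to embed : " + literal);

        // What the shipped class actually does at runtime.
        String recovered = reveal(literal, KEY);
        System.out.println("round trip ok    : " + recovered.equals(secret));

        // Same inputs, same class, same output: an attacker with the .class
        // file calls the very same reveal(). Nothing here is a cryptographic boundary.
        System.out.println("digest variant   : " + obfuscateDigest(secret, KEY));
    }
}
```

The check worth doing after compiling: `javap -c -p StringObfuscator` shows both the KEY initializer bytes and the Base64 literal in the bytecode, and a decompiler reconstructs reveal() verbatim, so the effort to recover the secret is minutes, not the "harder" of the original post by any large margin. Whatever reveal() returns, whether the secret or its digest in the variant above, is also a Java String on the heap until garbage collection, so a debugger or heap dump exposes it as well; a char[] that is zeroed after use narrows that window but does not close it.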