[Webappsec] String encryption for string obfuscation
rbattistoni at acm.org
Wed Aug 1 09:14:42 EDT 2007
yes, it's a best practice :-)
In my hypothesis, the application needs the secret to authenticate
itself on another system. So the hash is not very useful because it is
Have I understood your idea?
2007/8/1, Tobias Gondrom <tgondrom at opentext.com>:
> Hi Roberto,
> yep, it is bad practice. ;-)
> One comment on the string obfuscation, in case you haven't thought of it
> You should apply your obfuscation on the hash of the secret (password)
> not the password itself.
> obfuscated_Secret = obscure_complicated_algorithm ( hash(password) )
> Best regards, Tobias
> Ps.: and as a disclaimer just my 5 cents: I also heard this statement
> "we can't do without keeping the secret in the code" many times from my
> developers as well. But after a short analysis, really every time it
> turned out not to be necessary and we eventually found a way without the
> secret in the code.
> > -----Original Message-----
> > From: webappsec-bounces at lists.owasp.org [mailto:webappsec-
> > bounces at lists.owasp.org] On Behalf Of roberto battistoni
> > Sent: Wednesday, August 01, 2007 2:08 PM
> > To: webappsec at lists.owasp.org
> > Subject: [Webappsec] String encryption for string obfuscation
> > Hi,
> > I know that storing password in the code is a bad practice, but
> > sometime it is necessary to store a secret in the code because there
> > is any authentication from the user. The code is the authentication
> > token!
> > If we develop the application on a low level language there are many
> > ways to obfuscate the secret, but in a VM language as Java and C# only
> > string encryption could mitigate the secret disclosure from an
> > attacker.
> > Obviously if I want to encrypt a secret I need another secret to
> > implement the encryption and this is not a good idea ;-) or I can use
> > an obscure and very complicated algorithm to implement the obfuscation
> > of the string.
> > In the second scenario with a decompiler a smart attacker can still
> > retrieve the secret, but surely with this obfuscation it is harder to
> > do.
> > I have found some code that implement string encryption technique on
> > C#, but in Java there isn't any code to implement it.
> > I ask you some help on this topic.
> > Thanks
> > Roberto
> > _______________________________________________
> > Webappsec mailing list
> > Webappsec at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/webappsec
"il saggio è colui che sa di non sapere" (socrate)
More information about the Webappsec