Question

i have a question regarding the following scenario:
I want to use jasypt to encrypt my password and use a certain salt for encryption.

Does it make sense(or is there any security implication) if :
I use password based encryption to encrypt the salt with a password that I get from an environment variable, that way i can have the encrypted value of the salt in a property file, get it from there , decrypt it via the password i get from the environment variable (actually i am going to have a EnvironmentStringPBEConfig object which in turn gets the environment variable from EnvironmentStringPBEConfig object and delete the environment variable once the EnvironmentStringPBEConfig is created) and finally use the salt.

Thank you.

Edit: please note that i would want to know if "hiding" the salt as described above is a good practice, i am not implementing such solution right now.

EDIT: Also please note the following recommendations from OWASP.

Recommendation: Make it hard to steal the entire salt

There are a number of additional recommended enhancements to the basic salting mechanism for consideration:

Have an additional 'system' salt that is a fixed value for the entire system. This should be stored in a configuration file somewhere. This fixed value would not have to be included every backup, making it even harder for an attacker to compromise all elements required to calculate the hash value properly. Embedding a portion of the system salt in the source code. This wouldn't be that helpful for open source code, but for custom applications, having part of your system salt in the code would be yet one more item required by an attacker to calculate the hash value properly. Generating a new salt for an account each time that user's password is changed.

Recommendation: Salt Isolation

An additional password storage defense mechanism involves storing the salt in a different location than the password hash. Use of the server's filesystem is one commonly used mechanism for salt isolation, assuming the password hashes are stored in different location such as a database or LDAP server. This defense mechanism reduces the risk of password theft when the database file is stolen, since the salts will not be included with the database data. Be careful to ensure that both the password hashes and the salts are not backed up together, they should also be backed up in isolation.

No correct solution

OTHER TIPS

Why do you want to encrypt a salt? Salts are normally public information - they only exist to prevent pre-computed "rainbow-table" offline attacks on databases of passwords. I think you need to be clearer about what you are attempting to do and why.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top