I've been searching the internet and I've come up with a lot of answers on how to store PayPal API credentials (used in PayPal Express Checkout). They say to hash the credentials using a salt. But what I don't understand is how and where to store the salt. If they get access to the salt, can't they just un-hash the credentials? That doesn't seem very secure to me. They say not to hard-code the API credentials, but any other way still seems really vulnerable. Thanks for taking the time to look at my questions. I'd really appreciate help.
1 Answer
Hashing them doesn't make a lot of sense, because by definition, once you hash something, you can't get it back (unhashing is not possible, but you can crack a hash using a rainbow table or brute force). Normally if you salt a hash, you store the salt along with the hash, so that it's possible to compare something to the hash; the only thing a salt does is make rainbow attacks more difficult.
I suggest storing them in a file that is restricted somehow (readable only by root for instance). Then, your checkout service could read the file before dropping privileges, similar to how X.509 certificates are usually handled.
Hardcoding them is generally pretty vulnerable; it means that if for any reason someone can see your source, they have the credentials (e.g. if the handler is set wrong).

- Hey, thanks for replying! What exactly do you mean by "dropping privileges"? And how would I go about making the file only accessible by root? – Sequence Sep 15 '12 at 00:55
- You can set its owner and group to root, and set it mode 600. A service drops root privileges when it calls setuid() and setgid() to a non-root user (these are C functions); I suggest asking on Stack Overflow if you want to know how to make your daemon do this. – Falcon Momot Sep 15 '12 at 00:58
- So, you're saying to remove privileges when I don't need them, and give privileges when I do? I'm using PHP by the way. – Sequence Sep 15 '12 at 01:11