Still not there.
If we store *secret key* and *salt* in DB, whoever gets access to DB can
compute derived key via PBKDF2, right?
Is the security increased because hackers need to acquire two values instead of
one?
On Wed, 16 Apr 2014 12:39:13 -0300
Bruno Oliveira <bruno(a)abstractj.org> wrote:
Chillax and feel free to ask. Master secret must be kept with our
user/developer/client; technically it will only generate a new secret
if we get a new PushApplication.
If the server is restarted the *salt* and *secret key* will still be
there in the database. So basically on the next request we execute the
following function:
keyForComparison = PBKDF2(masterSecret, salt)
Then we check against the database whether the key matches the one stored
in the database. Does it make sense to you?
Karel Piwko wrote:
> Sorry for my ignorance, does it mean that if I restart application server or
> redeploy UPS, master secret will be changed?
>
> For master secret, that's not that big concern, I believe. People just need
> to grab master secret from UPS before adding variants from CLI.
>
> But if variant secrets are recomputed as well, all existing application
> installations will cease to work!
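The check Bruno describes above (persist only salt and derived key; on each request recompute keyForComparison = PBKDF2(masterSecret, salt) and compare it with the stored key), as an added example in Python. This is illustration code written for this thread, not UPS project code; the iteration count, hash, key length and the sample master secret are constructed assumptions, and the in-memory dict stands in for the database row.

```python
import hashlib
import hmac
import os

# Constructed parameters for the example; a real deployment tunes these.
ITERATIONS = 100_000
HASH_NAME = "sha256"
DERIVED_KEY_LEN = 32


def derive_key(master_secret: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the master secret under the given salt.
    The derivation is one-way: the derived key does not yield the secret."""
    return hashlib.pbkdf2_hmac(
        HASH_NAME, master_secret.encode("utf-8"), salt, ITERATIONS, DERIVED_KEY_LEN
    )


def register_application(master_secret: str) -> dict:
    """What the server persists for a new PushApplication: a fresh random
    salt and the derived key. The master secret itself is handed to the
    developer/client and is NOT stored (hypothetical dict in place of a DB row)."""
    salt = os.urandom(16)
    return {"salt": salt, "derived_key": derive_key(master_secret, salt)}


def verify_master_secret(stored_row: dict, presented_secret: str) -> bool:
    """On a later request (also after a server restart, since salt and key
    survive in the database) recompute keyForComparison = PBKDF2(masterSecret,
    salt) and compare it, in constant time, with the stored derived key."""
    key_for_comparison = derive_key(presented_secret, stored_row["salt"])
    return hmac.compare_digest(key_for_comparison, stored_row["derived_key"])


def row_exposes_secret(stored_row: dict, master_secret: str) -> bool:
    """Defender's check for Karel's question: does a leaked DB row contain the
    master secret itself? With only salt and derived key stored it does not;
    verification still requires the client to present the secret."""
    needle = master_secret.encode("utf-8")
    return any(needle in value for value in stored_row.values())


if __name__ == "__main__":
    secret = "constructed-example-master-secret"  # constructed sample value
    row = register_application(secret)
    print("correct secret accepted:", verify_master_secret(row, secret))
    print("wrong secret rejected:", not verify_master_secret(row, "not-the-secret"))
    print("leaked row exposes secret:", row_exposes_secret(row, secret))
```

Note that the protection holds only because the master secret lives with the client and never in the same row; if the secret were persisted next to the salt, the derivation would add nothing for an attacker who already reads the database.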