[aerogear-dev] Push server...master secrets, secrets and some refactoring proposal

Karel Piwko kpiwko at redhat.com
Wed Apr 16 12:02:12 EDT 2014


Still not there.

If we store *secret key* and *salt* in DB, whoever gets access to DB can
compute derived key via PBKDF2, right?

Is the security increased because hackers need to acquire two values instead of
one?

On Wed, 16 Apr 2014 12:39:13 -0300
Bruno Oliveira <bruno at abstractj.org> wrote:

> Chillax and feel free to ask. Master secret must be kept with our
> user/developer/client, technically it will only generate a new secret
> if we get a new PushApplication.
> 
> If the server is restarted the *salt* and *secret key* will be still
> there into the database. So basically on the next request we execute the
> following function:
> 
> keyForComparison = PBKDF2(masterSecret, salt)
> 
> Then we check against the database if the key matches with the stored
> into the database. Does it make sense to you?
> 
> Karel Piwko wrote:
> > Sorry my ignorance, does it mean that if I restart application server or
> > redeploy UPS, master secret will be changed? 
> >
> > For master secret, that's not that big concern, I believe. People just need
> > to grab master secret from UPS before adding variants from CLI.
> >
> > But if variant secrets are recomputed as well, all existing application
> > installations will cease to work!
> 

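The scheme Bruno describes above (keyForComparison = PBKDF2(masterSecret, salt), compared with the key stored in the database), as an added example in Python. This is not UnifiedPush Server code; the iteration count, key length, record layout and helper names are assumptions made for illustration. The example also shows what a holder of the DB record (salt and derived key) can do with it: re-run PBKDF2 on candidate secrets and check each one, which is what the question in the thread is about.

```python
"""Added example, not UnifiedPush Server code: PBKDF2-based verification of a
PushApplication master secret.

Stored in the DB per PushApplication: salt, derived key, iteration count.
The master secret itself is not stored; it is handed to the developer once
and presented on each request, where the server recomputes
PBKDF2(presented secret, salt) and compares it with the stored key.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Assumed parameters; a real deployment would tune the iteration count.
ITERATIONS = 100_000
KEY_LEN = 32
SALT_LEN = 16


@dataclass(frozen=True)
class StoredCredential:
    """What survives a server restart: the DB row, nothing else."""
    salt: bytes
    derived_key: bytes
    iterations: int


def derive(master_secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the master secret with the per-application salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def register_push_application() -> Tuple[str, StoredCredential]:
    """Create a new PushApplication: generate a random master secret, return it
    to the developer once, and persist only salt + derived key."""
    master_secret = secrets.token_urlsafe(32)   # high-entropy, shown once
    salt = os.urandom(SALT_LEN)
    stored = StoredCredential(salt, derive(master_secret, salt), ITERATIONS)
    return master_secret, stored


def verify(presented_secret: str, stored: StoredCredential) -> bool:
    """Server-side check on each request: recompute and compare in constant time."""
    key_for_comparison = derive(presented_secret, stored.salt, stored.iterations)
    return hmac.compare_digest(key_for_comparison, stored.derived_key)


def offline_guess(stored: StoredCredential, candidates: Iterable[str]) -> Optional[str]:
    """What someone holding only the DB row can do: test candidate secrets,
    paying one full PBKDF2 derivation per guess. Returns the matching
    candidate, or None if no candidate matches. The stored values alone do
    not give back the master secret; only a correct guess does."""
    for candidate in candidates:
        if verify(candidate, stored):
            return candidate
    return None


if __name__ == "__main__":
    secret, row = register_push_application()
    # Simulate a restart: only the bytes in the row are available afterwards.
    row_after_restart = StoredCredential(row.salt, row.derived_key, row.iterations)
    print("valid secret accepted:", verify(secret, row_after_restart))
    print("wrong secret rejected:", not verify(secret + "x", row_after_restart))
    print("guessing without the secret:", offline_guess(row_after_restart, ["admin", "password"]))
```

Usage note: the developer keeps the returned `secret` and sends it with each request; the server keeps only `row`. Because the derivation is keyed on the salt stored beside the key, the same row verifies the same secret after any number of restarts or redeployments, which is the restart behaviour Bruno describes.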