Title says all; Is it safe to hold key file's hash (MD5 or SHA1) in application (hard-coded)?
Thanks
Asked
Active
Viewed 176 times
2
-
4It looks like we need some more context: What type of key do you have there, for what do you use it, for which goal do you want to hard-code a hash of it? – Paŭlo Ebermann Oct 13 '12 at 22:51
-
@PaŭloEbermann: AES key, Encrypting/Decrypting files that application works with (also application configuration file); for #1) identifing it on a USB storage #2) being sure that it is my key – Ariyan Oct 14 '12 at 07:03
-
If you can hardcode a hash of the key into your application, why can't you just hardcode the key itself? – Ilmari Karonen Oct 15 '12 at 11:44
1 Answers
1
The only danger is that the application now holds a fingerprint of your key. Thus enables the possibility to do some attacks, like bruteforce, and something to check against. And so it really comes down to the "same old question" as of how to keep your password-storage safe. If the key-file is a large one and somewhat random, then bruteforce is most certainly out of the feasible picture, however if it's not or the key-file is a common file or just a text-file containing a common word, the attack methods doesn't differ that much from what every webapp developer is trying to secure.
