kreut — 2013-04-27T19:31:53-04:00 — #1
I'm implementing a third-party application to an LMS. Users sign up for the LMS and my site separately. However, I'm integrating them so that a user can sign into the LMS, and after an initial log in be automatically logged in to the LMS every time that they log into the LMS. To make sure that the user in the LMS is authorized to get into my site, they have a consumer key and secret which I then check using OAuth. As part of the OAuth process (this is my first time using OAuth), both the user and I have to have a plaintext copy of the secret. I'll keep my copy in my database, which leads me to be concerned about security; if somebody got access to the database, they could just grab the key and secret. My question, then, is whether there are ways to make the secret more secure.
banana_man — 2013-04-28T12:15:46-04:00 — #2
You can hash the secret before inserting it into your database. When you want to compare the user's secret with yours, use the same hash algorithm to hash the user's secret and compare this hash with the hash saved in your database.
$hashed_secret = hash_hmac('sha512', $secret, 'random string'); // third argument is the HMAC key; keep it out of the database
You will need to use the same 'random string' every time. Use a random string of characters and symbols of a decent length, maybe 50 characters.
kreut — 2013-04-28T14:09:23-04:00 — #3
With the OAuth process, I don't actually see the secret that gets posted from the LMS (I get an OAuth signature which I have to verify). However, I can easily tweak your suggestion to make it work for me: I'll just store the "secret" in my DB, give the Consumer the hashed version, and then check a hashed version of my secret, where the "random string" is kept in a config file out of my public directory. Thank you for your suggestion.
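Worked example of the scheme kreut lands on in #3, added here as an illustration and not code from either poster. It assumes PHP 7+ (for hash_equals and scalar type hints), a two-legged OAuth 1.0 HMAC-SHA1 flow (no token secret), and constructed names and values (derive_consumer_secret, SECRET_PEPPER, the launch URL and the request parameters) that do not come from the thread:

```php
<?php
// Added example (not from the thread): OAuth 1.0 HMAC-SHA1 verification where the
// secret handed to the consumer is derived from the value kept in the DB plus a
// server-side pepper, so a copy of the DB alone does not yield a usable secret.
// All names and sample values below are constructed.

// Pepper kept in a config file outside the web root (constructed placeholder value).
const SECRET_PEPPER = 'replace-with-a-long-random-string-from-config';

// The value given to the LMS admin is HMAC(stored value, pepper), as suggested in #2/#3.
// Signing and verification both use this derived value, never the raw DB row.
function derive_consumer_secret(string $stored_secret): string {
    return hash_hmac('sha512', $stored_secret, SECRET_PEPPER);
}

// Percent-encoding per RFC 5849 section 3.6 (rawurlencode leaves the RFC 3986 unreserved set alone).
function oauth_encode(string $s): string {
    return rawurlencode($s);
}

// Signature base string per RFC 5849 section 3.4.1; assumes the URL carries no query string.
function oauth_base_string(string $method, string $url, array $params): string {
    $pairs = [];
    foreach ($params as $k => $v) {
        if ($k === 'oauth_signature') continue; // the signature itself is never part of the base string
        $pairs[] = oauth_encode($k) . '=' . oauth_encode($v);
    }
    sort($pairs, SORT_STRING);
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode(implode('&', $pairs));
}

// HMAC-SHA1 over the base string; key is consumer_secret&token_secret (token secret empty here).
function oauth_sign(string $base, string $consumer_secret, string $token_secret = ''): string {
    $key = oauth_encode($consumer_secret) . '&' . oauth_encode($token_secret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Server side: recompute the signature from the stored value plus pepper and compare in constant time.
function verify_request(string $method, string $url, array $params, string $stored_secret): bool {
    if (!isset($params['oauth_signature']) || ($params['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') {
        return false;
    }
    $expected = oauth_sign(oauth_base_string($method, $url, $params),
                           derive_consumer_secret($stored_secret));
    return hash_equals($expected, $params['oauth_signature']);
}

// --- Constructed demonstration ---
$url    = 'https://example.invalid/lti/launch';   // constructed endpoint
$stored = 'value-kept-in-db';                      // what the DB row holds
$consumer_secret = derive_consumer_secret($stored); // what the LMS admin is given

$params = [
    'oauth_consumer_key'     => 'lms-demo-key',
    'oauth_nonce'            => 'c0nstructedN0nce',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1367000000',
    'oauth_version'          => '1.0',
    'user_id'                => '42',
];

// Consumer side signs with the derived secret; server verifies it from DB value + pepper.
$params['oauth_signature'] = oauth_sign(oauth_base_string('POST', $url, $params), $consumer_secret);
var_dump(verify_request('POST', $url, $params, $stored));

// A request signed with the raw DB value (all a DB-only leak would expose) does not verify.
$params['oauth_signature'] = oauth_sign(oauth_base_string('POST', $url, $params), $stored);
var_dump(verify_request('POST', $url, $params, $stored));
```

Two caveats on the design. The pepper only helps while it stays out of the database: an attacker who reads both the DB and the config file can derive every consumer secret, so the config file needs tighter file permissions than the web root and should not be in version control. And a correct signature alone is not enough for a launch endpoint; a real verifier also rejects stale oauth_timestamp values and previously seen oauth_nonce values per consumer key, which this example leaves out.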