...

View Full Version : hasing function or encrypt/decrypt?



jeskel
11-06-2003, 05:35 PM
Hi, I'm posting this thread in relation to this other thread I've posted: http://www.codingforums.com/showthread.php?s=&postid=147208#post147208
Since my question is dissociated from the question I asked in this one, I prefer having a new thread on this but I still give this link so you can have more infos about my actual worries :). I've been performing a CF search about this topic but I still would like to have more inputs about it...

Here it goes. What would you suggest for the best protection for a community site that has login, password, names of members and such personnal infos as day of birth: a hashing function or an encrypt/decrypt method? It's not "top secret" classified infos, but I would like to guarantee privacy as much as I can. And how I often say: "good choice made once, good choice made for ever" ;)

So don't hesitate to share your personnal experience, what you've chosen and what is the good and bad side of one or the other way of protecting data according to you.

BrainJar
11-07-2003, 02:55 PM
I'd use hashes for the passwords. It's the most secure method since they can't be decrypted. Be sure to add a salt as well.

Encryption would be best for personal data, since that data needs to be decrypted in order to be displayed to the user. You'd want to store the keys securely, somewhere apart from the actual data.

Also, be sure to use SSL on the site since all passwords and data would otherwise be sent over the wire in plain-text.

jeskel
11-07-2003, 03:59 PM
ok Brainjar, I'll follow your advices. Thanx a lot... what i've to do is now much clearer to me. If you have an encryption script you would recommend, don't hesitate... :thumbsup:

raf
11-07-2003, 06:13 PM
Just to avoid cobfusiob:

encryption = reversable, so use encryption/decription if you need to recover the original message.
hashing = not reversable, so us it if you need to store content that must not be recovered, like passwords.

But which method you use, doesn't depend on the content or how sensitive it is. It depends on what you use it for. If you need to transmit content, you'll be encrypting it (that's bascally what SSL does : encrypting it with a sessionkey).
If you just need to store it, to compare it with other processed values at a latr date, then hashing is the logical option (not because it's so much safer, but because you shouldn't be able to get the original values --> not realy ethical if you can read your clients passwords, since a lott of them always use the same ...

M@rco
11-07-2003, 07:41 PM
I agree with all the above, and would like to add that you should salt+hash the password on the client (using a JavaScript hash script), so that the plaintext (i.e. the unencrypted password) is never transmitted. This maximises security at all points in the system.

whammy
11-08-2003, 02:04 AM
Hey raf, is there something wrong with your "n" key - or do you have a cold? :p


cobfusiob

P.S. All this talk of hash and salt makes me hungry.

jeskel
11-10-2003, 10:03 AM
Originally posted by M@rco
I agree with all the above, and would like to add that you should salt+hash the password on the client (using a JavaScript hash script), so that the plaintext (i.e. the unencrypted password) is never transmitted. This maximises security at all points in the system.
Thank you guys for sharing your knowledge... very instructive. Now I'm clear about encryption and hashing function, what it does and where to use it... but.................................salt? Even after performing a serch, I'm still a bit confused. Someone feels like explaining the relation between salt and hash and how they interact and why use also salt? Thanx a lot :thumbsup:

M@rco
11-10-2003, 10:15 AM
Originally posted by bouchel
Someone feels like explaining the relation between salt and hash and how they interact and why use also salt? Thanx a lot :thumbsup: See here:
http://aspnet.4guysfromrolla.com/articles/112002-1.aspx

jeskel
11-10-2003, 10:23 AM
great readings! :thumbsup:

jeskel
11-11-2003, 10:39 PM
So now I'm clear with the fact that there are standards algorythms used for hashing functions like MD5, SHA etc...
I was wondering if there was also some "standards" in encryption/decryption? I'm still searching for a good scripting solution for encryption/decryption... Does anyone has a recommendation? And if someone feels like explaining the main differences between MD5 and SHA (just the major ones) I'm curious about it... thanx a lot :)

M@rco
11-11-2003, 10:49 PM
As with all things, you must choose an acceptable tradeoff between speed & security. The more secure something is, the more complex the encryption & decryption alogrithms, and hence the greater the processing time. If you're implementing the algorithms in pure script, this processing overhead can quickly become significant, which is why you should ideally use a compiled (i.e. COM) component to perform the hashing or encryption/decryption.

With hashing, the result you get at the end is called the "digest", and the greater the size (in bits) this is, the more secure the hash is. MD5 is 128bit, SHA-1 is 160bit. The same principle applies to 2-way ciphers, such as PGP, Blowfish, etc.

See these for more on hashing:
http://www.w3.org/TR/1998/REC-DSig-label/MD5-1_0
http://www.secure-hash-algorithm-md5-sha-1.co.uk/

As far as encryption & decryption goes, I use RC4 in my ASP apps, since it provides a good tradeoff between security and speed. There are VBScript implementations freely available. But it all depends on what you are protecting.

Anyway, cryptography is a fascinating subject, and there is plenty on the web... seek and ye shall find!

;)

jeskel
11-11-2003, 10:58 PM
thanx a lot M@rco :thumbsup: I'll read that and will check for the script you recommend. :)

M@rco
11-12-2003, 12:45 AM
Just thought I'd clarify that just because two encryption schemes have the same quoted bits (e.g. 256bit), it doesn't mean that they are equally secure or as slow/quick to process. Every encryption scheme is different and has its own strengths and weaknesses, pros and cons.

Some can be easily cracked by your desktop computer in seconds, some might take 15 billion years for all the combined computing power on the Earth to crack!

One of the most significant cracks recently has been the Israelis who have cracked GSM (http://www.theregister.co.uk/content/55/32653.html), the encryption system used in modern digital mobile phones. However, I suspect that the US & UK have been able to do this for some time anyway - they have an Echelon to run, don't you know....

http://www.theregister.co.uk/content/archive/21680.html
http://www.bernal.co.uk/capitulo3.htm

;)

whammy
11-12-2003, 01:27 AM
This has been enlightening to me as well. Heck, all this time I've been "salting" stuff, and I didn't even know the term.

Just makes sense mathematically - even if you salt without hashing. :p

jeskel
11-12-2003, 09:56 AM
Originally posted by M@rco
Just thought I'd clarify that just because two encryption schemes have the same quoted bits (e.g. 256bit), it doesn't mean that they are equally secure or as slow/quick to process. Every encryption scheme is different and has its own strengths and weaknesses, pros and cons.
;)
I guess it's the same with hashing since it's a one-way encryption. As raf pointed out in that thread (http://www.codingforums.com/showthread.php?s=&threadid=28577) MD5 might be "compromised" but that made me wonder, is there one MD5 way of scripting the algorythm or can you have multiple different MD5s? My question also applies to other standards. Thanx a lot for help M@rco.

M@rco
11-12-2003, 10:54 AM
Yes, it's the same with hashing.

MD5 is a "standard" hashing algorithm (also known as a scheme), as as such all implementations of the algorithm must produce EXACTLY THE SAME output given the same input. Otherwise they would be useless - it is vitally important that MD5 checksums produced by any software on any PC are directly comparable!

Of course, some implementations may be more optimized than others (there's always room for improvement, up to a point), or perhaps use a completely different way of generating the outut, but to the outside world they must all "look" the same. You should realise that the more a scheme can be optimized, the less secure it is likely to be, since it is corresondingly more likely that the decryption could be optimized, thereby reducing the codebreaking time (remember, optimization = timesaving shortcuts).

The best publically available encryption and hashing algorithms are open standards (i.e. the algorithms are published and peer-reviewed) - they enable computer systems worldwide to communicate securely, and for security flaws (such as to be spotted.

jeskel
11-12-2003, 01:53 PM
I really want to thank you a lot for those very helpfull explanations M@rco... Hope this thread will help people if further questions on this topic were to be asked. thanx again :thumbsup:

:)

M@rco
11-12-2003, 02:33 PM
Y'welcome!

;)

jeskel
12-01-2003, 07:49 PM
I've just noticed that this thread got a five stars rate (at least at the moment I'm writing). I thought it was worth a post to propose people 'round here to give some more links about where good hash functions and encrypt/decrypt code could be found. I think that would make this thread more "complete" for further reference. And if you have something to add about this topic, feel free to do it.
:)

Caffeine
12-01-2003, 08:06 PM
Bah, I take that as a qualified bumping-attempt!
Shame on you, lol! ;)

Seriously though, it is a nice thread. I love this board for the knowledge that is around, and for people like yourself who ask good questions. :thumbsup:

I must say, for a newbie [if I can call you that] you have gotten to the advanced stuff real fast!

Sorry for the very-much offtopics.

jeskel
12-01-2003, 08:48 PM
Originally posted by Caffeine
Bah, I take that as a qualified bumping-attempt!
Shame on you, lol! ;)

Makes me remember of our first meeting... lol :p
thanx for the kind words. However to bring it back "on topic", I'll add for yourself a link that you provided in the related thread that I already mentionned above (which unfortunatly didn't get rated ;)): http://www.codingforums.com/showthread.php?s=&threadid=28577

Originally posted by Caffeine
I'm using the MD5-function from this site: http://www.frez.co.uk/freecode.htm#md5

There is also a SHA256-function on that site but I haven't tried it so I can't say if it's good or not.
<edit>
am I not nice? bringing you back ontopic and doing the work for yourself? :p
</edit>



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum