Page 1 of 2 (posts 1 to 15 of 21)
#1 Regular Coder (Join Date: Aug 2003, Posts: 565)

Hashing function or encrypt/decrypt?

Hi, I'm posting this thread in relation to this other thread I've posted: http://www.codingforums.com/showthre...208#post147208
Since my question is dissociated from the question I asked in that one, I prefer having a new thread on this, but I still give this link so you can have more info about my actual worries. I've been performing a CF search about this topic but I still would like to have more input about it...

Here it goes. What would you suggest for the best protection for a community site that has login, password, names of members and such personal info as date of birth: a hashing function or an encrypt/decrypt method? It's not "top secret" classified info, but I would like to guarantee privacy as much as I can. And as I often say: "good choice made once, good choice made forever".

So don't hesitate to share your personal experience, what you've chosen and what is the good and bad side of one or the other way of protecting data according to you.
    Last edited by jeskel; 11-06-2003 at 07:13 PM.

#2 Regular Coder (Join Date: Jun 2002, Posts: 185)
    I'd use hashes for the passwords. It's the most secure method since they can't be decrypted. Be sure to add a salt as well.

    Encryption would be best for personal data, since that data needs to be decrypted in order to be displayed to the user. You'd want to store the keys securely, somewhere apart from the actual data.

    Also, be sure to use SSL on the site since all passwords and data would otherwise be sent over the wire in plain-text.

#3 Regular Coder (Join Date: Aug 2003, Posts: 565)
OK Brainjar, I'll follow your advice. Thanks a lot... what I have to do is now much clearer to me. If you have an encryption script you would recommend, don't hesitate...

#4 raf, Master Coder (Join Date: Jul 2002, Posts: 6,589)
    Just to avoid cobfusiob:

encryption = reversible, so use encryption/decryption if you need to recover the original message.
hashing = not reversible, so use it if you need to store content that must not be recovered, like passwords.

But which method you use doesn't depend on the content or how sensitive it is. It depends on what you use it for. If you need to transmit content, you'll be encrypting it (that's basically what SSL does: encrypting it with a session key).
If you just need to store it, to compare it with other processed values at a later date, then hashing is the logical option (not because it's so much safer, but because you shouldn't be able to get the original values --> not really ethical if you can read your clients' passwords, since a lot of them always use the same ...)

#5 M@rco, Regular Coder (Join Date: Oct 2003, Location: London, UK, Posts: 411)
    I agree with all the above, and would like to add that you should salt+hash the password on the client (using a JavaScript hash script), so that the plaintext (i.e. the unencrypted password) is never transmitted. This maximises security at all points in the system.
Marcus Tucker, Web Analyst Programmer / Voted SPF "ASP Guru"

#6 whammy, Senior Coder (Join Date: Jun 2002, Location: 41° 8' 52" N -95° 53' 31" W, Posts: 3,660)
    Hey raf, is there something wrong with your "n" key - or do you have a cold?

    cobfusiob
    P.S. All this talk of hash and salt makes me hungry.
    Last edited by whammy; 11-08-2003 at 03:17 AM.
    Former ASP Forum Moderator - I'm back!

    If you can teach yourself how to learn, you can learn anything. ;)

#7 Regular Coder (Join Date: Aug 2003, Posts: 565)
    Originally posted by M@rco
    I agree with all the above, and would like to add that you should salt+hash the password on the client (using a JavaScript hash script), so that the plaintext (i.e. the unencrypted password) is never transmitted. This maximises security at all points in the system.
Thank you guys for sharing your knowledge... very instructive. Now I'm clear about encryption and hashing functions, what they do and where to use them... but... salt? Even after performing a search, I'm still a bit confused. Does someone feel like explaining the relation between salt and hash, how they interact and why also use salt? Thanks a lot

#8 M@rco, Regular Coder (Join Date: Oct 2003, Location: London, UK, Posts: 411)
    Originally posted by bouchel
Does someone feel like explaining the relation between salt and hash, how they interact and why also use salt? Thanks a lot
    See here:
    http://aspnet.4guysfromrolla.com/articles/112002-1.aspx

#9 Regular Coder (Join Date: Aug 2003, Posts: 565)
Great reading!

#10 Regular Coder (Join Date: Aug 2003, Posts: 565)
So now I'm clear with the fact that there are standard algorithms used for hashing functions like MD5, SHA etc...
I was wondering if there were also some "standards" in encryption/decryption? I'm still searching for a good scripting solution for encryption/decryption... Does anyone have a recommendation? And if someone feels like explaining the main differences between MD5 and SHA (just the major ones) I'm curious about it... thanks a lot

#11 M@rco, Regular Coder (Join Date: Oct 2003, Location: London, UK, Posts: 411)
As with all things, you must choose an acceptable tradeoff between speed & security. The more secure something is, the more complex the encryption & decryption algorithms, and hence the greater the processing time. If you're implementing the algorithms in pure script, this processing overhead can quickly become significant, which is why you should ideally use a compiled (i.e. COM) component to perform the hashing or encryption/decryption.

    With hashing, the result you get at the end is called the "digest", and the greater the size (in bits) this is, the more secure the hash is. MD5 is 128bit, SHA-1 is 160bit. The same principle applies to 2-way ciphers, such as PGP, Blowfish, etc.

    See these for more on hashing:
    http://www.w3.org/TR/1998/REC-DSig-label/MD5-1_0
    http://www.secure-hash-algorithm-md5-sha-1.co.uk/

    As far as encryption & decryption goes, I use RC4 in my ASP apps, since it provides a good tradeoff between security and speed. There are VBScript implementations freely available. But it all depends on what you are protecting.

    Anyway, cryptography is a fascinating subject, and there is plenty on the web... seek and ye shall find!

    Last edited by M@rco; 11-11-2003 at 11:58 PM.

#12 Regular Coder (Join Date: Aug 2003, Posts: 565)
Thanks a lot M@rco, I'll read that and will check for the script you recommend.

#13 M@rco, Regular Coder (Join Date: Oct 2003, Location: London, UK, Posts: 411)
    Just thought I'd clarify that just because two encryption schemes have the same quoted bits (e.g. 256bit), it doesn't mean that they are equally secure or as slow/quick to process. Every encryption scheme is different and has its own strengths and weaknesses, pros and cons.

    Some can be easily cracked by your desktop computer in seconds, some might take 15 billion years for all the combined computing power on the Earth to crack!

    One of the most significant cracks recently has been the Israelis who have cracked GSM, the encryption system used in modern digital mobile phones. However, I suspect that the US & UK have been able to do this for some time anyway - they have an Echelon to run, don't you know....

    http://www.theregister.co.uk/content/archive/21680.html
    http://www.bernal.co.uk/capitulo3.htm


#14 whammy, Senior Coder (Join Date: Jun 2002, Location: 41° 8' 52" N -95° 53' 31" W, Posts: 3,660)
    This has been enlightening to me as well. Heck, all this time I've been "salting" stuff, and I didn't even know the term.

    Just makes sense mathematically - even if you salt without hashing.

#15 Regular Coder (Join Date: Aug 2003, Posts: 565)
    Originally posted by M@rco
    Just thought I'd clarify that just because two encryption schemes have the same quoted bits (e.g. 256bit), it doesn't mean that they are equally secure or as slow/quick to process. Every encryption scheme is different and has its own strengths and weaknesses, pros and cons.
I guess it's the same with hashing since it's a one-way encryption. As raf pointed out in that thread (http://www.codingforums.com/showthre...threadid=28577) MD5 might be "compromised", but that made me wonder: is there one MD5 way of scripting the algorithm or can you have multiple different MD5s? My question also applies to other standards. Thanks a lot for the help M@rco.
