in reply to What *are* the best ways to encrypt data?

As far as #2 goes:
1. Use SSL
2. A better method would be to hash the user's password into the DB. Then, instead of decrypting & comparing to the one they entered, you would hash the one they entered and compare to the hash in the DB. You can verify they actually typed the correct password since the hash will be unique. Although this doesn't stop brute-forcing if the password hash is compromised, it does protect from "knowing an algorithm" (since you can't reverse the results of a hash).

Footnote: Recent events bring some question to the uniqueness of hashes, but the results they found are for very special cases (so far). Its something we need to keep an eye on, but I don't think it invalidates hash-usage approaches just yet.


- jbWare
  • Comment on Re: What *are* the best ways to encrypt data?

Replies are listed 'Best First'.
Re^2: What *are* the best ways to encrypt data?
by bradcathey (Prior) on Aug 27, 2004 at 12:35 UTC
    A better method would be to hash the user's password into the DB

    This is the asymetric solution I've been reading about, right? Would this be a good place for Digest::MP5? Or can you suggest another? Thanks.


    —Brad
    "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton
[reply]

      For passwords, Digest::MD5 is fine, although for hashing longer texts you might use Digest::SHA1, as it uses a 160-bit key (vs. MD5's 128-bit).

      -b

[reply]
      I have a module to do this for a couple of websites: 
      ###########################
# use mapps;
#
# CREATE TABLE users (
#     auid int(10) unsigned NOT NULL auto_increment,
#     auname varchar(30) default NULL,
#     PRIMARY KEY  (auid)
# ) TYPE=MyISAM;
# 
# CREATE TABLE secrets (
#     auid int(10) unsigned NOT NULL auto_increment,
#     passwd char(40) NOT NULL default '',
#     salt int(11) NOT NULL default '0',
#     PRIMARY KEY  (auid)
# ) TYPE=MyISAM DEFAULT;
##########################

package Mapps::Auth;
use Exporter;
use Digest::SHA1;
use DBI;
use warnings;
use strict;
use vars qw($VERSION @ISA @EXPORT);

our $VERSION     = 1.00; 
our @ISA         = qw(Exporter);
our @EXPORT      = qw(&new &auth);

sub new {
    my $class = shift;
    my $self  = {};
    return bless $self, $class; 
}

sub auth {

    my ($self, $dbh1); 
    my $uname = shift;  
    my $passwd = shift;  
    my ($dbsecret, $salt, $uid);

    $dbh1 = DBI->connect('dbi:mysql:itiv', 'lwriter', '**I can't tell 
+you!') or die "Couldn't connect: $dbh1->errstr";
    # get secret from db
    my $statement="SELECT
    admin_users.auid,
    auname,
    passwd,
    salt
    FROM
    admin_users,
    secrets
    WHERE
    admin_users.auid=secrets.auid
    AND
    auname='$uname';";

    my $sth = $dbh1->prepare($statement) or die "Couldn't prepare stat
+ement: ".$dbh1->errstr;
    $sth->execute or die "Couldn't execute statement: ".$dbh1->errstr;

    while (my $ref = $sth->fetchrow_hashref){
        $dbsecret = $ref->{'passwd'};
        $salt     = $ref->{'salt'};
        $uid      = $ref->{'auid'};
    }
    
    # encrypts password using
    # SHA-1 algorithm
    my $sha1 = Digest::SHA1->new;

    # reset algorithm
    $sha1->hexdigest;

    # encrypt
    my $secret = Digest::SHA1::sha1_hex($passwd . $salt);    

    #die "$uid, $dbsecret, $secret, $salt ";
    # does generated secret match database secret?
    if ($secret eq $dbsecret){
        return (1, $uid);
    }
    return (0, $uid);
}
1;

      [download]

      Neil Watson
      watson-wilson.ca

[reply]
[d/l]

        Thanks, Neil for sharing that. I will take a closer look.


        —Brad
        "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton
[reply]
[d/l]
      To clarify, there are asymetric & symetric encryption algorithms, which is a seperate topic from hashes. Hashes are best defined as "one way" (you can hash it, but not unhash it), whereas encryption you can encrypt & decrypt it.

      On the other point, correct, Digest::MD5 (or other hashing solutions) are best used here. The timing is amazing, check out a current post MD5 - what's the alternative that discusses that hashing question.

      - jbWare
[reply]

In Section Seekers of Perl Wisdom