I will take the example of my case. I am using PostgreSQL. I have gone through the PostgreSQL crypt() function documentation.
This function is provided as an extension for PostgreSQL.
If I migrate my data to another database from a different vendor, will the passwords still be evaluated properly or not?
If I try to compare the hash generated in PostgreSQL with the hashing utilities provided by MySQL/MongoDB using the same source string, will they evaluate as equal or not?
According to the docs, crypt():
Calculates a crypt(3)-style hash of password. When storing a new
password, you need to use gen_salt() to generate a new salt value. To
check a password, pass the stored hash value as salt, and test whether
the result matches the stored value.
It means that if you migrate your data to another database (if the stored hash value is part of your data, of course), the result of the comparison will not depend on the system.
Can you move the encryption/decryption up to the application level? In that case, you can migrate the data as encrypted, and the other database vendor doesn't need to worry and would consider it normal data.
Another option is to encrypt at the disk level instead of applying encryption at the database level.
After going through a lot of posts, it came to me that encrypting at the application layer is better. For example, to encrypt passwords in Java, we can use the jBCrypt library.
Related
Okay, I have an extremely basic knowledge of how to make a secure login system.
If you try to log in, you get the attempted password, hash it with, for example, md5, and try to match the hashed password with the password stored on some sort of database/server (also hashed).
When registering, it stores the md5 hash on the server, but NOT the original. So even if it's breached, it's untraceable. (Even though there are services that have a database of hashes, and can attempt to reverse.)
My problem is: how to store the hash? If I used a MySQL database, it would have the details hard-coded inside, and I don't code in PHP so can't really make an online one.
How would I hide the mysql credentials in my software?
Don't generate your own salts.
Research PHP password_hash and password_verify functions, which do pretty much all you ask, automatically and fairly securely in PHP 5.5+.
http://php.net/manual/en/function.password-hash.php
Also
http://php.net/manual/en/faq.passwords.php
You can also use this on PHP 5.3 with a good fix made by ircmaxell. Here: https://github.com/ircmaxell/password_compat
MD5 has been severely compromised and there are various rainbow tables and collision functions that can find out what an MD5 hash string originally was (down to a handful of options, which are peanuts to compute). Do not use MD5 for hashing private data.
"How to store the hash"
By Storing the hash I think you mean that you want to store the:
$hash = md5($password_plaintext);
If this is so, then you can store this in a MySQL VARCHAR field on the record. Typically people submit login info with a username and password, so the username is used for the MySQL engine to find the row, and then the password hashes are compared to see if they match.
Using password_hash(), you would look up the username, then retrieve the associated password hash field value (just that value), and then compare the hash with the plaintext password from the form with:
if (password_verify($posted_login_password_plaintext, $hashfromDatabase)) {
    // If TRUE, the password matches.
}
That's all you need. You do not need and actually should not store any salts for hashing with.
When you use the DES_ENCRYPT/DES_DECRYPT function in MySQL you can point to your keyfile from my.cnf using the --des-key-file variable.
I thought this should also exist for AES_ENCRYPT/AES_DECRYPT.
So I searched for hours but couldn't find it: is there an equivalent for AES for this?
As far as I can tell from the documentation, no such option exists for AES_ENCRYPT. Instead, you are supposed to pass the key as a parameter directly in the query.
This answer on DBA.SE suggests writing a User Defined Function that returns the key as one possible work-around.
Alternatively, you might want to consider not using the MySQL AES functions at all, and instead just doing all encryption and decryption in the client application. One potential advantage of such an approach is that, in order to obtain and decrypt the data, an attacker then needs to compromise both your database and your application.
I'm working with a web application and I want to get the hash value of the text which is saved in a MySQL database table. I'm new to this field and I'm using Spring-MVC for the web application. Can anyone please help me?
By hash, are you talking about any specific hashing function? A common one that you can use is md5, which mysql supports:
select md5(some_column) from some_table;
Here's a link to the reference: Mysql Reference/Encryption Functions
I have a bunch of hashed passwords pbkdf2_sha256$10000$0POUvc6y8M4z$QyldL9qyQO.... Is it possible to verify them in SQL queries? Don't ask why.
Usually database systems do not support this kind of hash function on their own. It would be difficult to write the queries anyway, because the password hashes are not searchable. To verify a password with its hash-value, the following steps are necessary:
1. Search for the row by username (cannot be done by the hash-value).
2. Return the password-hash from the found row.
3. Extract the used salt and the cost factor from the stored password-hash.
4. Build a new hash-value from the entered password with the same salt and cost factor.
5. Compare the stored hash-value and the newly calculated one.
That means you first have to know the stored hash-value before you can verify the entered password with it. Such a hash function is surely better placed in the development language than in the database, especially when you later have to switch the algorithm or the cost factor and need backwards compatibility.
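The five steps above, carried out in application code, as an added example that is not part of the original answer. It assumes the stored string is laid out as algorithm$iterations$salt$base64(digest) with the salt used as ASCII text; the function names, the in-memory USERS table and the sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac


def make_hash(password, salt, iterations=10000):
    """Build 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>' (assumed layout)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(dk).decode()}"


# Constructed sample data standing in for the users table.
USERS = {"alice": make_hash("correct horse", "c0nstructedSalt")}


def parse_hash(stored):
    """Step 3: split the stored string into (iterations, salt, digest) or None."""
    try:
        algorithm, iterations, salt, digest_b64 = stored.split("$")
        parsed = int(iterations), salt, base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, non-numeric cost, bad base64
        return None
    if algorithm != "pbkdf2_sha256" or parsed[0] < 1:
        return None
    return parsed


def verify(username, password, users=USERS):
    stored = users.get(username)  # steps 1-2: find the row by username, read its hash
    parsed = parse_hash(stored) if stored else None
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    # Step 4: recompute with the same salt and cost factor.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    # Step 5: constant-time comparison of stored and recomputed digests.
    return hmac.compare_digest(candidate, expected)


def needs_upgrade(stored, min_iterations):
    """True when the hash is unparseable or below the current cost factor."""
    parsed = parse_hash(stored)
    return parsed is None or parsed[0] < min_iterations
```

Calling needs_upgrade() after a successful verify() is the point at which a hash can be rebuilt with a higher cost factor, since the plaintext password is only available at login.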
I am trying to encrypt and decrypt the data using SHA 5 in MySQL. I am able to encrypt the data but unable to decrypt it. How can I achieve the decryption of SHA5 encrypted data in MySQL?
What exactly do you want to do? As Michael says, you will not be able to reverse a hash. We use a hash when we want to hide the real information and never decrypt it. If you want to decrypt it, then use an invertible function.
Hash algorithms (SHA = secure hash algorithm) are one way. You can use them to verify information such as a password by checking that the password entered, when SHA'd, equals the encrypted version on record. You can't decrypt with it though.