Subject | RES: [firebird-support] Re: Encryption in firebird - Help |
---|---|
Author | Adam |
Post date | 2004-12-21T22:29:53Z |
But you don't need reversible for that! In fact, that would be bad coding.
Let me give you a real example:
Presume you have a real Username and Password of:
SYSDBA / masterkey
(creative aren't I)
I have a UDF that returns the hash of a string.
So I store in my table
UserName: '6615EC329B99FD4CBF4B1226925B571FF6E0EAB231'
Password: '01DF2C3AA18CBBAF1ABED806A99360910E9246E20B'
I never need to reverse these strings, in fact you can't reverse them.
But if you try and pass in the username 'Adam', that will hash to
'9D6C31C0F5359C5B29130BC39A9D3E01AFEEB40A01', but every time
fb_hash('SYSDBA') is compared to
'6615EC329B99FD4CBF4B1226925B571FF6E0EAB231', it will pass.
This hash is based on SHA-1, and includes an extra string (to prevent
an attack using a pre-defined dictionary), as well as some randomised
'salt' characters at a mystery location within the string.
It also offers you some protection against an SQL injection attack, as
you are not going to get any meaningful SQL out of a hash.
The point is though, that you don't actually need to convert the
password back to compare it. As long as you hash the same string using
the same salt characters, it will return the same hash, so you just
compare the hash you have stored to the hash of whatever they type in.
Adam
--- In firebird-support@yahoogroups.com, "Carlos Arguilar"
<carlos_arguilar@y...> wrote:
> First of all, thanks to all!
>
> I need a reversible routine. I have a table that stores a name (special
> user) and a password. This user is responsible for setting free several
> special resources in my database app. I would like, in a trigger for
> instance, to be able to encrypt the password. Then I would want to decrypt it.
>
> Howsoever, the answers are way. Thanks all.
>
> Best regards,
>
> Carlos Arguilar
>
> -----Original message-----
> From: Adam [mailto:s3057043@y...]
> Sent: Tuesday, December 21, 2004 10:20
> To: firebird-support@yahoogroups.com
> Subject: [firebird-support] Re: Encryption in firebird - Help
>
>
> What are you trying to protect? If you are just trying to hide
> passwords so they are not in plain text, then you do not need
> encryption, only a hash algorithm like SHA-1 or MD5. Hashing is
> simple, because you don't have to manage public and private keys.
> There is also no way to "break" a hashing algorithm unless you use a
> brute force approach.
>
> Is this what you need, or do you need something that is reversible
> into the original string?
>
> --- In firebird-support@yahoogroups.com, "carlos_arguilar"
> <carlos_arguilar@y...> wrote:
> >
> > Hello!
> > I have a table in my database that has a field that needs encryption.
> > I have written a UDF; however, it doesn't work very well on Firebird.
> > Does anyone know a routine able to do such a thing?
> > Please, help me.
> > Regards,
> > Carlos Arguilar
> [Non-text portions of this message have been removed]
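
The store-and-compare flow described in the post, as an added example that is not part of the original thread and is not the `fb_hash` UDF. It assumes a per-user random salt and PBKDF2-HMAC-SHA256 from Python's standard library in place of the post's SHA-1 scheme; the record format, function names and iteration count are hypothetical choices.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000      # assumed work factor; tune to your hardware
MAX_ITERATIONS = 10_000_000  # refuse absurd values read back from storage


def hash_password(password: str, *, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Re-hash the candidate with the stored salt and compare the digests.

    Nothing is ever decrypted: the stored record only supplies the salt and
    work factor needed to repeat the same one-way computation.
    """
    try:
        algorithm, iter_text, salt_hex, digest_hex = record.split("$")
        iterations = int(iter_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != "pbkdf2_sha256" or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(recomputed, expected)


if __name__ == "__main__":
    # Constructed sample: the password from the post.
    stored = hash_password("masterkey")
    print(stored)
    print(verify_password("masterkey", stored))   # correct password
    print(verify_password("Masterkey", stored))   # wrong password
```

Because the salt is random per record, two users with the same password get different stored values, yet each record still verifies against the password it was created from.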