hi all, is it a good or bad idea to hash (SHA2) a password (with a salt) and then to encrypt the database with AES, in this scenario (assuming ssl for transporting the password from the client to the server for hashing before comparison) the hacker would need to decrypt the database THEN also crack the hash?
i’ve read a bit about hashing etc, i’ve heard not to hash twice etc, but not to hash and also encrypt that hash by encrypting the database
no lol, i just want to re-assure customers that they could if they wanted to they could not only hide certain identiable info, but also encrypt it, i’m going by the fact that if i want to develop any kind of social networking site, security should be paramount since it’s application is so important in light of recent news.
i may eventually need to store credit card numbers yes, but if that can be done on the merchant (i.e paypal then) i don’t need to store them (minimising responsibility).
so is it a good idea?.. to: presalt : hash : previoussessionid(as post salt) -> encryption
I’m thinking SHA2 for the hashing with a blowfish salt… and AES for the encryption.
So back to the question, is it a good or bad idea (or is it pointless/redundant) to salt then hash then encrypt that salty hash?
(basically needing a key to decrypt a salted hash)
as well as https for the logged in session (as the compared password needs to be transported securely to the server to be hashed for comparison to the hashed password (which would need decrypting).
in structured english it would be like this:
set password aesencrypt( sha2crypt( password, blowfishsalt() ) )
(not sure how i’d break appart the salt from the hash, I assume the salt would be written to the database for that user record (again encrypted), I could even have the salt be regenerated everytime he logs in based on the session id.
If you want extra security, why not use OTP (One Time Password)?
I use http://www.phpgangsta.de/ as the basis for my implementation which again uses Google Authenticator (Android) and/or JAuth (for the desktop) to generate the one time password that is required when the user logs in (in addition to the usual username/password combo).
<?php
require_once( dirname(__FILE__).'/PHPGangsta/GoogleAuthenticator.php' );
class YiiOTP extends CApplicationComponent
{
public $secretkey; // er, should this really be public? <img src='http://www.yiiframework.com/forum/public/style_emoticons/default/tongue.gif' class='bbc_emoticon' alt=':P' />
private $_ga;
private function getGangsta() {
if ($this->_ga===null)
$this->_ga = new PHPGangsta_GoogleAuthenticator();
return $this->_ga;
}
public function verify($currentcode) {
return $this->getGangsta()->verifyCode($this->secretkey, $currentcode, 0); // 2 = 2*30sec clock tolerance;
}
public function printBarCode() {
print sprintf('<img src="%s"/>', $this->getGangsta()->getQRCodeGoogleUrl('Blog', $this->secretkey));
}
public function getToken() {
return $this->getGangsta()->getCode($this->secretkey);
}
public function generateSecretkey($randomkey) {
return $this->getGangsta()->createSecret();
}
}
public function rules()
{
return array(
// username and password are required
array('username, password, token', 'required'),
// rememberMe needs to be a boolean
array('rememberMe', 'boolean'),
// password needs to be authenticated
array('password', 'authenticate'),
// token needs to be verified
array('token', 'verifytoken')
);
}
And the validator:
public function verifytoken($attribute, $params)
{
if( !Yii::app()->authenticator->verify($this->token) )
$this->addError('token', 'Invalid token: ' . $this->token);
}
Well that is certainly a novel way of going about the security, I do like the idea, and I appreciate the time and effort you have given me jacmoe. As long as it can be implemented in such a way that the log-in process is a task that is not too weird.
Again, would it be also weird for me to hide all the security in the way I initially proposed? I know it may take server resources, but my site will only have at most a few thousand members and maybe only a few hundred logged in at any one time.
Of course, there maybe be a lot more guests at any one time.