 |
Account Login
|
 |
|
Latest Articles
|
|
|
Advertisement
|
|
|
Associates
|
|
|
Associates
|
|
|
 |
|
|
|
09-20-2007, 10:53 AM
|
#1 (permalink)
|
|
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 1,587
Thanks: 72
|
Working with Dynamic Cryptography Salts
In a previous article which can be viewed here, I made it rather clear that cryptography salts are crucial when using MD5 or SHA1 algorithms. This prevents the hash string from being an easily recognisable hash string. In the article we also mentioned the 2 ways of going about salts: dynamically and statically.
Your members table would have the following columns:
- id
tinyint(8)
- username
varchar(16)
- salt
char(5)
- password
char(32)
You would generate a random ID when the user registered (see article on generating random strings - remember though that a salt does not need to be unique) and store it along with their personal credentials in the database. Upon user registration, you will want to generate the hash algorithm for the password field with the randomly generated salt and then store it.
Now when a user comes to log in you can issue the SQL statement shown below. This will take the salt from the row where the user name matches, and MD5 it along with the password they entered. It will then be checked against the hash string in the database.
Code:
SELECT
username
FROM
members
WHERE
password = MD5(CONCAT(salt, 'buddha'))
The above code is what you would use to log a user into your system. Simple!
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
|
|
|
|
09-20-2007, 11:15 AM
|
#2 (permalink)
|
|
Moderateur
Join Date: Apr 2007
Posts: 713
Thanks: 2
|
If you want to create the salt within the SQL query itself you could use something along the lines of: LEFT(MD5(RAND()), 5) or even better,
LEFT(MD5(UUID()), 5)
Note that there is no requirement to limit the salt string to only 5 characters. Why not make the salt a 32 character MD5 string (remove the LEFT() from the SQL above)?
__________________
|
|
|
|
|
09-20-2007, 11:38 AM
|
#3 (permalink)
|
|
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 1,587
Thanks: 72
|
It's just a case of finding that nice comfort zone between the column length and being able to generate MD5 and SHA1 strings on-the-fly by prepending salts as well. To be fair a 32 bit string would be somewhat overkill, 5 is a nice number because it adds thousands of more possibilities to being able to generate the same string.
For instance, if spider is our common word and we want to generate the hash string for spider with salts prepended:
- a - spider
- A - spider
- aa - spider
- AA - spider
- Aa - spider
- aA - spider
- etc...
As you can see, even 2 is going to give you a lot of possibilities.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
|
|
|
|
|
09-20-2007, 12:21 PM
|
#4 (permalink)
|
|
Moderateur
Join Date: Apr 2007
Posts: 713
Thanks: 2
|
I agree with you completely, even with 5 characters (using MD5) there are over 1,000,000 available salt combinations to work through per row. Why waste precious bytes on superfluous characters. For 32 characters (a full MD5 string in hex.) there are over 3, 400, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000 combinations. Overkill, sure! :)
__________________
|
|
|
|
|
11-22-2007, 04:08 PM
|
#5 (permalink)
|
|
The Gregarious
Join Date: Sep 2007
Posts: 683
Thanks: 85
|
So.. would this be a good way??
php Code:
public function user_check ($user_name, $user_pass) { $sql = sprintf(" SELECT
`%s`
FROM
`%s`
WHERE
`%s` = '%s' AND `%s` = '%s'
LIMIT 1", $this-> db-> col[ 'user_id'], $this-> db-> table[ 'users'], $this-> db-> col[ 'user_name'], $user_name, $this-> db-> col[ 'user_pass'], md5(CONCAT ($this-> db-> col[ 'user_salt'], $user_pass))); $query = $this-> db-> query($sql); if(mysql_num_rows($query)) { $user_info = $this-> db-> fetch($query); return $user_info[ 'user_id']; } else { return false; }
(please make the highlight thing work so you only have to write [ php ] code [ / php ] :( )
EDIT: I know I haven't secured it .. but I'm not done with that yet ;) |
|
|
|
|
11-22-2007, 05:59 PM
|
#6 (permalink)
|
|
The Acquainted
Join Date: Sep 2007
Location: Arizona
Posts: 114
Thanks: 10
|
Instead of using some generic word or letter combination for the salt, is using something such as the username, date registered, etc. a good way to get a salt for a password?
|
|
|
|
|
11-22-2007, 11:13 PM
|
#7 (permalink)
|
|
Super Moderator
Join Date: Sep 2007
Posts: 164
Thanks: 0
|
Why not just make it secure as you code it, it is far more efficient to code efficiently than go back and change things after!
|
|
|
|
|
11-23-2007, 12:09 AM
|
#8 (permalink)
|
|
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 1,587
Thanks: 72
|
Technically speaking a load of junk for the salt is more secure than another dictionary word for the very reason that it adds a lot more possibilities, especially if you include non-alphanumerical characters as well. That way, even the supercomputers would find it strenuous to generate every single permutation.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
|
|
|
|
|
11-23-2007, 08:25 AM
|
#9 (permalink)
|
|
The Gregarious
Join Date: Sep 2007
Posts: 683
Thanks: 85
|
Well, the CONCAT didn't work :S:S
|
|
|
|
|
11-23-2007, 01:52 PM
|
#10 (permalink)
|
|
Moderateur
Join Date: Apr 2007
Posts: 713
Thanks: 2
|
CONCAT is a MySQL function and must be a part of your query string, not called directly in PHP.
__________________
|
|
|
|
|
11-23-2007, 02:18 PM
|
#11 (permalink)
|
|
The Gregarious
Join Date: Sep 2007
Posts: 683
Thanks: 85
|
And how would I solve that then? :S:S:S
Because the CONCAT is within md5, and md5 is a PHP command.. so ?? :S
|
|
|
|
|
11-23-2007, 02:24 PM
|
#12 (permalink)
|
|
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 1,587
Thanks: 72
|
You use it just like I used it in the MySQL
sql Code:
SELECT
username
FROM
members
WHERE
password = MD5(CONCAT(salt, 'buddha'))
Essentially it calls the MD5 function which says, "Aha! I need to concatenate the salt with the word buddha before I MD5 them." It then sticks the 2 together and proceeds to MD5 them together. Then when matching the password, just include the salt again which should be stored as plain-text in another column.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
|
|
|
|
|
11-23-2007, 02:48 PM
|
#13 (permalink)
|
|
The Gregarious
Join Date: Sep 2007
Posts: 683
Thanks: 85
|
So like this?
php Code:
$sql = sprintf(" SELECT
`%s`
FROM
`%s`
WHERE
`%s` = '%s' AND `%s` = md5(CONCAT(`%s`, '%s'))
LIMIT 1", $this-> db-> col[ 'user_id'], $this-> db-> table[ 'users'], $this-> db-> col[ 'user_name'], $user_name, $this-> db-> col[ 'user_pass'], $this-> db-> col[ 'user_salt'], $user_pass);
|
|
|
|
|
11-23-2007, 04:58 PM
|
#14 (permalink)
|
|
Moderateur
Join Date: Apr 2007
Posts: 713
Thanks: 2
|
Just to clarify, MD5 is also a function name available within MySQL. It does exactly the same thing as PHP's md5 function.
__________________
|
|
|
|
|
The Following User Says Thank You to Salathe For This Useful Post:
|
|
|
11-23-2007, 07:19 PM
|
#15 (permalink)
|
|
The Gregarious
Join Date: Sep 2007
Posts: 683
Thanks: 85
|
Ahh, I see :D
Thanks a lot :)
God, I've learned so much new today xDD
|
|
|
|
|
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
|
|
|
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
 Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
