Working with Dynamic Cryptography Salts

Wildhoney · 09-20-2007, 09:53 AM

In a previous article which can be viewed here, I made it rather clear that cryptography salts are crucial when using MD5 or SHA1 algorithms. This prevents the hash string from being an easily recognisable hash string. In the article we also mentioned the 2 ways of going about salts: dynamically and statically.

Your members table would have the following columns:

id tinyint(8)
username varchar(16)
salt char(5)
password char(32)

You would generate a random ID when the user registered (see article on generating random strings - remember though that a salt does not need to be unique) and store it along with their personal credentials in the database. Upon user registration, you will want to generate the hash algorithm for the password field with the randomly generated salt and then store it.

Now when a user comes to log in you can issue the SQL statement shown below. This will take the salt from the row where the user name matches, and MD5 it along with the password they entered. It will then be checked against the hash string in the database.

Code:

SELECT
	username
FROM
	members
WHERE
	password = MD5(CONCAT(salt, 'buddha'))

The above code is what you would use to log a user into your system. Simple!

Salathe · 09-20-2007, 10:15 AM

If you want to create the salt within the SQL query itself you could use something along the lines of:

LEFT(MD5(RAND()), 5) or even better,
LEFT(MD5(UUID()), 5)

Note that there is no requirement to limit the salt string to only 5 characters. Why not make the salt a 32 character MD5 string (remove the LEFT() from the SQL above)?

Wildhoney · 09-20-2007, 10:38 AM

It's just a case of finding that nice comfort zone between the column length and being able to generate MD5 and SHA1 strings on-the-fly by prepending salts as well. To be fair a 32 bit string would be somewhat overkill, 5 is a nice number because it adds thousands of more possibilities to being able to generate the same string.

For instance, if spider is our common word and we want to generate the hash string for spider with salts prepended:

a - spider
A - spider
aa - spider
AA - spider
Aa - spider
aA - spider
etc...

As you can see, even 2 is going to give you a lot of possibilities.

Salathe · 09-20-2007, 11:21 AM

I agree with you completely, even with 5 characters (using MD5) there are over 1,000,000 available salt combinations to work through per row. Why waste precious bytes on superfluous characters. For 32 characters (a full MD5 string in hex.) there are over 3, 400, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000, 000 combinations. Overkill, sure! :)

Tanax · 11-22-2007, 03:08 PM

So.. would this be a good way??

php Code:

public function user_check($user_name, $user_pass) {
            
            $sql = sprintf("    SELECT 
                                    `%s` 
                                FROM 
                                    `%s` 
                                WHERE 
                                    `%s` = '%s' AND `%s` = '%s'
                                LIMIT 1", 
                                
                                $this->db->col['user_id'],
                                $this->db->table['users'],
                                $this->db->col['user_name'],
                                $user_name,
                                $this->db->col['user_pass'],
                                md5(CONCAT($this->db->col['user_salt'], $user_pass)));
                                
            $query = $this->db->query($sql);
            
            if(mysql_num_rows($query)) {
                
                $user_info = $this->db->fetch($query);
                
                return $user_info['user_id'];
                
            }
            
            else {
                
                return false;
                
            }

(please make the highlight thing work so you only have to write [ php ] code [ / php ] :( )

EDIT: I know I haven't secured it .. but I'm not done with that yet ;)

Andrew · 11-22-2007, 04:59 PM

Instead of using some generic word or letter combination for the salt, is using something such as the username, date registered, etc. a good way to get a salt for a password?

bluesaga · 11-22-2007, 10:13 PM

Why not just make it secure as you code it, it is far more efficient to code efficiently than go back and change things after!

Wildhoney · 11-22-2007, 11:09 PM

Technically speaking a load of junk for the salt is more secure than another dictionary word for the very reason that it adds a lot more possibilities, especially if you include non-alphanumerical characters as well. That way, even the supercomputers would find it strenuous to generate every single permutation.

Tanax · 11-23-2007, 07:25 AM

Well, the CONCAT didn't work :S:S

Salathe · 11-23-2007, 12:52 PM

CONCAT is a MySQL function and must be a part of your query string, not called directly in PHP.

Tanax · 11-23-2007, 01:18 PM

And how would I solve that then? :S:S:S

Because the CONCAT is within md5, and md5 is a PHP command.. so ?? :S

Wildhoney · 11-23-2007, 01:24 PM

You use it just like I used it in the MySQL

sql Code:

SELECT
    username
FROM
    members
WHERE
    password = MD5(CONCAT(salt, 'buddha'))

Essentially it calls the MD5 function which says, "Aha! I need to concatenate the salt with the word buddha before I MD5 them." It then sticks the 2 together and proceeds to MD5 them together. Then when matching the password, just include the salt again which should be stored as plain-text in another column.

Tanax · 11-23-2007, 01:48 PM

So like this?

php Code:

$sql = sprintf("    SELECT 
                                    `%s` 
                                FROM 
                                    `%s` 
                                WHERE 
                                    `%s` = '%s' AND `%s` = md5(CONCAT(`%s`, '%s'))
                                LIMIT 1", 
                                
                                $this->db->col['user_id'],
                                $this->db->table['users'],
                                $this->db->col['user_name'],
                                $user_name,
                                $this->db->col['user_pass'],
                                $this->db->col['user_salt'],
                                $user_pass);

Salathe · 11-23-2007, 03:58 PM

Just to clarify, MD5 is also a function name available within MySQL. It does exactly the same thing as PHP's md5 function.

Tanax · 11-23-2007, 06:19 PM

Ahh, I see :D

Thanks a lot :)
God, I've learned so much new today xDD