Our database rights management is very strict, sensitive information development engineers could not see the password stored in plain text can not I?
No. Data stored in a database of faces many threats, there are application level, database level, operating system level, room level, staff level, want to be hundred percent not be stolen by hackers, it is very difficult.
If the password is then stored after being encrypted, so even dragged library, a hacker is difficult to obtain a user's plaintext password. We can say that the password is stored encrypted user account underpants system, its importance, the equivalent seam in your underwear you money when taking a trip alone, although you use them is not the probability, but the key moment they can help.
That example AES, the encryption password and then kept under encryption algorithm, and then when I need to decrypt the plaintext.
No. This involves how to save the encryption key used to decrypt, although with key general user information is stored separately, and there are some mature industry, a key storage solutions based on software or hardware. But as in that store user information, you do not want to disclose key hundred percent, impossible. In this way encrypted password, a hacker can reduce the probability of obtaining clear-text passwords. But the key once compromised, the user's plaintext password leaked it, not a good method.
In addition, user account system should not save the user's plaintext password, when the user forgets the password, provide the password reset function rather than retrieve your password.
HASH values of all saved passwords, such as MD5. Is not it?
Not all HASH algorithms can accurately say it should be Cryptographic Hash. Cryptographic Hash has the following characteristics:
- Given any size in any type of input, calculates the hash is very fast;
- Given a hash, the hash no way calculated corresponding input;
- Input do small changes, big changes will happen hash;
- There is no way to calculate the hash same two inputs;
Although not designed for the encrypted password, but the characteristics of such three 2,3,4 Cryptographic Hash very suitable used to encrypt the user password. Common Cryptographic Hash has MD5, SHA-1, SHA-2, SHA-3 / Keccak, BLAKE2.
Since 1976, the industry began using Cryptographic Hash encrypted user password, first seen in Unix Crypt. However, MD5, SHA-1 has been cracked, no longer suitable for saving passwords.
SHA256 value that I save user passwords.
No. Hackers can use a lookup table or rainbow tables to crack user passwords. Note to crack the password is not cracked sha256, sha256 able to crack the code in accordance with reason is that users often need a password brain memory, manual input, it will not be too complex, often have a limited length, to determine the value of space.
Short of the value of a simple password can be cracked with a look-up table
For example, 8-digit password, a total of only 10 ^ 8 = 100,000,000 kinds possible. One hundred million is not that much data, hackers can advance it 0-99999999 calculate all of sha256, sha256 and to make key password value is stored as a lookup table, when given sha256 need to hack, you can query from the table .
Value is relatively complicated and longer length password can be cracked with rainbow table
Such as 10, allowing numbers, letters-sensitive passwords, a total of (10 + 26 + 26) = 84 ^ 10 to quadrillion possible to record very much difficult to hold all the lookup table together. This time hackers will use technology called rainbow tables to crack, rainbow tables with the idea of a typical computer world problem solving, time and space compromise.
In this instance inside, space is not enough, then spend some time. Rainbow table, all sha256 value may be converted to the same length as several pieces of hash chains, save only the head and tail hash chain, when the break first check to give sha256 exists in which of the hash chain, then calculated that a All sha256 on the hash chain through real-time comparison to crack user passwords.
Shows a view of the chain length of rainbow hash table 3, since the need to use the hash value in the hash chain, the R function code value mapped back into space, in order to reduce the collision probability function of R, a length of the hash chain K, rainbow tables are of k R function, because each iteration map back to the R function using the password space is not the same, this method is called crack rainbow table attacks.
Hash chain than the actual situation is longer than the previous example, such as in our example all 8.4 billion one hundred million sha256 save any, may be converted to 84000000000 length of 1 million sha chain. Rainbow table principle interested, you can read it in the Wikipedia.
On the Internet and even some have computed rainbow tables can be used directly, so the store user passwords sha256 is very unsafe.
How to avoid rainbow table attack?
Simply speaking, it is salt. In general, the user password is a string key, salt is our generation's string salt. We saved the original key is the hash value HASH (key), and now we save key and salt spliced together hash value HASH (key + salt).
Such hackers advance computing to generate rainbow tables, it all fails.
Salt should be how to generate, generate a random string?
That's a good question, and not add salt to be safe, to form a salt of a lot of stress.
Use CSPRNG (Cryptographically Secure Pseudo-Random Number Generator) salt formation, instead of the normal random number algorithm;
CSPRNG algorithm to generate random numbers with the ordinary, such as C language standard library inside the rand () method, we are very different. As its name suggests, CSPRNG is encryption security, which means that it generates a random number with more random and unpredictable. Common programming languages provide CSPRNG, as follows:
Salt can not be too short
Think principle lookup tables and rainbow tables, if the salt is very short, that means the password + salt composed of a string of length and value space is limited. Hackers can + all combinations of salt build a rainbow table for the password.
Salt can not be reused
If all user passwords are encrypted using the same salt. So no matter how complex salt, how much length, hackers can easily use this to re-establish a fixed rainbow table salt, cracked all of your users' passwords. If you say, I can save up fixed salt, let others know ah, then you should re-read my answer about why not safe enough to use AES encryption.
Even if you generate a random salt for each user, security is still not enough, because the salt when users change passwords reused. It should be every time you need to save the new password, generates a new salt and stored together with the encrypted hash value.
Note: Some systems use a different field each user, uid, phone number or anything else, as the salt encryption password. This is not a good idea, which is almost contrary to the rules of all three salt generated above.
That HASH algorithm design myself a hacker does not know, so those of you on crack method are ineffective.
Not.
First, if you're not a cryptography expert, it is hard to design a secure hash algorithm. Not satisfied, you can see it again on Cryptographic Hash I described above, and then think about how their own design an algorithm to meet all four of its properties. Even if you are up design is based on the existing foundation of Cryptographic Hash, after the design is, it is difficult to ensure that the new algorithm Cryptographic Hash still meet the requirements. Once your algorithm does not meet safety requirements, the more ways you give hackers easier to crack user passwords.
Even if you can design a people do not know Cryptographic Hash algorithm, you can not guarantee the hacker never know your algorithm. Hackers often have the ability to access your code, or think Kirk Hough Shannon kilometers principle:
Password system should be everyone know that even if the operation step system is still safe.
For each of the different passwords are coupled with high-quality salt, do HASH, then save it. Would that be right?
Used to be possible, now I can not. The rapid development of computer hardware, a modern general-purpose CPU can calculate the sha256 at a rate millions of times per month, while the GPU cluster computing sha256, is up to more than 10 billion times per second. This makes it possible to brute force passwords, hackers are no longer dependent on a lookup table or rainbow tables, but through the use of custom hardware and proprietary algorithms to calculate every possible direct, real-time crack user passwords.
then what should we do? Recall that described above with respect Cryptographic Hash characteristic, wherein the first:
Given any size in any type of input, calculates hash very fast
Cryptographic Hash encryption password is not designed for, it computes very fast this feature is very useful in other application scenarios, and computer hardware in the current conditions, it is used to encrypt passwords inappropriate. On this point, cryptographers have devised PBKDF2, BCRYPT, SCRYPT such as Hash algorithm used to encrypt passwords, called Password Hash. Within their algorithms often we need to compute Cryptographic Hash many times, slowing the speed of computing Hash, increasing the cost of brute force hacking. Password Hash can be said that there is a design principle that the calculation process can be slow as required, and is not likely to be hardware accelerated.
Which Password Hash should be used?
PBKDF2, BCRYPT, SCRYPT once the three most commonly used passwords Hash algorithm, as to which algorithm best years cryptographers were not conclusive. But it is certain that these three algorithms are not perfect, and disadvantages. Wherein PBKDF2 calculation process requires less memory because it may be GPU / ASIC acceleration, bcrypt does not support memory footprint FPGA accelerated and easily adjusted, the adjustment does not support individual SCRYPT computing time or memory, and may be occupied and have bypassed ASIC accelerated attack possible.
2013 NIST (National Institute of Standards and Technology) invited some cryptographers together, organized a cryptographic hash algorithm contest (Password Hashing Competition), intended to find a standard hash algorithm used to encrypt passwords, and to promote the importance of encryption to store user passwords in the industry. Contest entries are listed attacks algorithm may face:
- To break the encryption algorithm (cost reduction, the hash collision, i.e., 2,3,4 article should meet the characteristic Cryptographic Hash);
- Lookup tables / rainbow table attack;
- CPU optimization attacks;
- GPU, FPGA, ASIC and other special hardware attacks;
- Bypass attack;
Final in July 2015, Argon2 algorithm won this competition, NIST has been identified as the best password hash algorithm. However, because the algorithm is too new, there have not heard Which big companies are doing with password encryption Argon2.
Ask all the way over tired, can you give me an example, how big is encrypted user passwords?
This year (2016) Dropbox part of the user password data breaches have occurred, it was CTO said they are confident of their way to encrypt passwords, user trust. Subsequently, Dropbox published an article entitled "How Dropbox securely stores your passwords" in its official technical blog, about their user password encryption storage solutions.
As shown above, Dropbox first made a user password hashed password sha512 into 64 bytes, then use the results of sha512 Bcrypt algorithm (each user independently salts, intensity 10) is calculated, and finally using AES algorithm and the globally unique key encryption algorithm Bcrypt results and save.
Blog post, Dropbox describes the reason three layers of encryption:
First use sha512, user password normalized 64-byte hash value. For two reasons: one is the operator to enter sensitive Bcrypt, longer if the password entered by the user, may result in too slow to affect Bcrypt calculated response times; the other is a long input will achieve some Bcrypt algorithm directly truncated to 72 bytes , speaking from the perspective of information theory, entropy user information which leads to smaller;
Then use Bcrypt algorithm. Select reason Bcrypt is Dropbox engineers to tune the algorithm is more familiar with the more experienced, parameter selection criteria are online Dropbox API server can calculate the results in about 100ms. In addition, on Bcrypt and Scrypt which algorithm better, cryptographers also inconclusive. Meanwhile, Dropbox is also concerned about the cryptographic hash algorithm rookie Argon2, and that will be introduced at the right time;
Finally, using AES encryption. Because Bcrypt algorithm is not perfect, so Dropbox using AES and global key to further reduce the risk of your password being compromised, in order to prevent leakage of the key, Dropbox uses a dedicated hardware key storage. Dropbox also mentioned another benefit of the final use AES encryption, that key can be replaced regularly to reduce the risk of user information / key compromise brings.