
An Introduction to Hashing and Salting

766 views

Published on

An Introduction to Hashing and Salting - Secure way of Storing User Credentials

Published in: Technology


  1. Secure way of Storing User Credentials: An Introduction to Hashing and Salting
  2. Why do I need a password anyway?
  3. Why do I need a password anyway? (Personal Computers) If someone else gains access to your account, they may cause you a great deal of trouble:
     ● Deleting your files
     ● Using it to hack other systems
     ● Forging e-mail purporting to come from you
  4. Why do I need a password anyway? (Web Scenario)
     ● Identifying users
     ● Authenticating users for specific areas
     ● Securing user-specific data from other users
  5. Passwords on the web - The Problem
     ● If you have something that is accessible on the web, it can be retrieved.
  6. Let's try to hack a site for passwords
     ● SQL Injection Demo
  7. What should be done?
     ● Store passwords in such a way that even if attackers somehow get hold of the password hashes, they are not able to extract the passwords from them.
  8. Storing Passwords as Plain Text
     ● There is no security at all.
     ● Anyone who has access to the database can easily learn the password of every user.
     ● Even a small part of the application that is prone to SQL injection can reveal the passwords of all the users.
  9. Storing Encrypted Passwords
     ● The Good: this approach is better than storing the passwords in plain text.
     ● The Bad: if someone knows the encryption algorithm and the secret key that was used for encryption, they can decrypt the passwords easily.
  10. What is Hashing
     ● Hashing is the process of generating a number or a unique string for a larger string message.
     ● The hash for every string message should be unique, and there is no way the original message can be reproduced from its hash value.
  11. Storing Password Hashes – The Good
     ● So the even better approach is to store the password hashes in the table.
     ● This way there is no way to regenerate the password from the hash.
     ● Whenever the user tries to log in, we generate the hash for the entered password using the same hashing algorithm and compare it with the hash stored in the database to check whether the password is correct or not.
  12. Storing Password Hashes – The Bad
     ● The problem here is that user1 and user4 chose the same password, and thus their generated password hash is also the same.
  13. Could we not devise a technique that provides us all the benefits of hashing and also removes the limitations associated with it?
  14. Salting and Hashing of Passwords
     ● Salting is a technique in which we add a random string to the user-entered password and then hash the resulting string.
     ● Even if two people have chosen the same password, the salt for them will be different.
  15. Let's visualize it
     ● Even though user1 and user4 have chosen the same password, their salt values are different and thus the resulting hash values are also different.
  16. User Creation Process
     1. User enters a password.
     2. A random salt value is generated for the user.
     3. The salt value is added to the password and a final string is generated.
     4. The hash for the final string is calculated.
     5. The hash and the salt are stored in the database for this user.
  17. User tries to log in
     1. User enters his user id.
     2. The user id is used to retrieve the user's password hash and salt stored in the database.
     3. The user enters his password.
     4. The retrieved salt is added to this password and a final string is generated.
     5. The hash for the final string is calculated.
     6. This calculated hash is compared with the hash value retrieved from the database.
     7. If it matches, the password is correct; otherwise it is not.
  18. References
     ● http://www.codeproject.com/Articles/608860/A-Beginners-Tutor
     ● Self-Paced Training Kit (MCTS 70-516) – Chapter 8, Lesson 3.
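The two procedures above (user creation on slide 16, login on slide 17) and the "same password, same hash" problem from slide 12, worked through as one added example. This code is not from the presentation or from the referenced tutorial; it assumes a SQLite table with `user_id`, `salt` and `pw_hash` columns, a 16-byte random salt, and, because the slides name no hash function, PBKDF2-HMAC-SHA256 as the "hash of salt plus password" step so that offline guessing against a leaked table is slow rather than a bare SHA-256. The database lookups use parameterized queries, which is the mitigation for the SQL injection risk the slides mention.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed parameters: the slides specify neither a salt length nor a hash function.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000


def unsalted_hash(password: str) -> bytes:
    """Slide 11/12 scheme: hash the password alone. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Slide 16 steps 3-4: combine salt and password, then hash.

    PBKDF2-HMAC-SHA256 is an assumption standing in for "the hash"; it keys the
    hash with the salt and iterates so each guess costs real CPU time.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def open_store() -> sqlite3.Connection:
    """In-memory user table holding only the salt and the hash, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "user_id TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    return conn


def create_user(conn: sqlite3.Connection, user_id: str, password: str):
    """Slide 16: fresh random salt per user, store salt and hash (steps 2-5)."""
    salt = os.urandom(SALT_BYTES)
    pw_hash = hash_password(password, salt)
    # Parameterized INSERT: user input never becomes part of the SQL text.
    conn.execute(
        "INSERT INTO users (user_id, salt, pw_hash) VALUES (?, ?, ?)",
        (user_id, salt, pw_hash),
    )
    conn.commit()
    return salt, pw_hash


def verify_login(conn: sqlite3.Connection, user_id: str, password: str) -> bool:
    """Slide 17: fetch salt and hash by user id, recompute, compare (steps 2-7)."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None:
        # Unknown user: still spend a hash so response time does not reveal
        # which user ids exist (the slides' step 7 with the same cost either way).
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored_hash = row
    # Constant-time comparison so the compare itself leaks nothing about the hash.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def stored_hashes(conn: sqlite3.Connection) -> dict:
    """What a database leak would expose: per-user salted hashes only."""
    return {uid: pw_hash for uid, pw_hash in conn.execute("SELECT user_id, pw_hash FROM users")}


if __name__ == "__main__":
    # Constructed sample users reproducing the slide 12 / slide 15 scenario.
    conn = open_store()
    shared = "correct horse battery staple"
    create_user(conn, "user1", shared)
    create_user(conn, "user4", shared)
    hashes = stored_hashes(conn)
    print("unsalted hashes equal :", unsalted_hash(shared) == unsalted_hash(shared))
    print("salted hashes equal   :", hashes["user1"] == hashes["user4"])
    print("user1 correct password:", verify_login(conn, "user1", shared))
    print("user1 wrong password  :", verify_login(conn, "user1", "letmein"))
```

Running it shows the unsalted hashes of the shared password are identical while the salted ones stored for user1 and user4 differ, and that login succeeds only with the right password. Dropping `PBKDF2_ITERATIONS` to 1 would make the function a plain salted hash as the slides describe; the iteration count is what makes a leaked table expensive to attack.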
