On the site there is a registration. After registering, all user data falls into the USERS table. Also there is a password in the form of a normal string, which is wrong. How can I encrypt him?
Answer 1, Authority 100%
Hashing VS Encryption.
First you need to understand that hashing is not encryption. The password having on the client does not replace encryption, and does not allow to protect against the interception of traffic. When transmitting and password / his hash (if you really want to write a bike on JS) in no way does not replace encryption. You It is worth Use HTTPS. All other ways, including self-written asymmetric encryption – Unreliable .
password hashing
Hatch protects only from database leakage from the base. The main problem with such a leak – the ability to restore hash passwords and use them for Password Reuse Attack – try to go with the same email / username / password to popular services. For example, on github . Those. You will force users not only to change the password to your service, but also change the password for all other services (yes, it’s not good to use the same password everywhere, but everyone does it!)
From this directly follow the requirements for hashing:
- The villain should not be able to quickly restore popular passwords in hash. Using the popular MD5 / SHA1 allows you to quickly restore passwords.
5F4DCC3B5AA765D61D8327DEB882CF99Decipheres from the first time any online service. - The villain should not have the ability to restore passwords for all users immediately. The same password used by different users should give different hash. This will increase the time for decoding in proportion to the number of users.
There is a reliable standard way to solve both problems immediately – Key Derivation Function (Key formation function ).
Essence of solutions:
- with initial hashing to generate random value – salt, and count the hash from “salt + password.” Used salt to store as part of the result.
- When checking the password – to have a “salt + checked password”, and compare with the value obtained in (1).
This approach gives different meanings even if one user uses the same password twice.
In .NET there are ready-made KDF cutting, for example RFC2898DERIBYES . It is used as follows:
Hashing:
Public Staring String HashPassword (String Password)
{
Byte [] Salt;
Byte [] Buffer2;
if (Password == NULL)
{
Throw New ArgumentNullexception ("Password");
}
Using (RFC2898DeriveBytes Bytes = New RFC2898DeriveBytes (Password, 0x10, 0x3e8))
{
Salt = bytes.salt;
buffer2 = bytes.getbytes (0x20);
}
byte [] dst = new byte [0x31];
Buffer.blockcopy (SALT, 0, DST, 1, 0X10);
Buffer.blockcopy (buffer2, 0, dst, 0x11, 0x20);
Return convert.tobase64String (DST);
}
Check
Public Static Bool VerifyhashedPassword (String Hashedpassword, String Password)
{
BYTE [] Buffer4;
if (hashedpassword == null)
{
RETURN FALSE;
}
if (Password == NULL)
{
Throw New ArgumentNullexception ("Password");
}
byte [] src = convert.frombase64String (Hashedpassword);
if ((src.length! = 0x31) || (src [0]! = 0))
{
RETURN FALSE;
}
byte [] dst = new byte [0x10];
Buffer.blockcopy (SRC, 1, DST, 0, 0X10);
BYTE [] Buffer3 = New Byte [0x20];
Buffer.blockcopy (src, 0x11, buffer3, 0, 0x20);
Using (RFC2898DeriveBytes Bytes = New RFC2898DeriveBytes (Password, DST, 0x3E8))
{
buffer4 = bytes.getbytes (0x20);
}
Return BytearraySequal (Buffer3, Buffer4);
}
Code taken from Enso: ASP.Net Identity Default Password Hasher, How Does It Work and Is It Secure?
Answer 2
On Sharpe Hush, you can count somehow like this:
Public Static String Gethash (String Password)
{
Using (var hash = sha1.create ())
{
Return String.concat (encoding.utf8.getbytes (password). SELECT (X = & GT; X.Tostring ("x2")));
}
}
Instead of SHA1, any algorithm is suitable, including MD5.
You must understand that for an attacker it is not a delay at all, especially if you allow you to access Hesh yourself – then no difference, underground password or his hash.
Answer 3
did it with this method:
Public String Calculatemd5Hash (String Input)
{
// Step 1, Calculate MD5 HASH FROM INPUT
MD5 MD5 = System.Security.cryptography.md5.create ();
Byte [] inputBytes = System.Text.Encoding.ascii.GetBytes (Input);
byte [] hash = md5.computehash (inputBytes);
// Step 2, Convert Byte Array to Hex String
STRINGBUILDER SB = new stringbuilder ();
for (int i = 0; i & lt; hash.length; i ++)
{
SB.APPEND (HASH [I] .Tostring ("x2"));
}
Return sb.tostring ();
}
Answer 4
As option MD5
var md5 = function (string) {
FUNCTION ROTATELEFT (LVALUE, ISHIFTBITS) {
Return (LVALUE & LT; & LT; ISHIFTBITS) | (LVALUE & GT; & GT; & GT; (32-IShiftBits));
}
Function Addunsigned (LX, LY) {
VAR LX4, LY4, LX8, LY8, LRESULT;
LX8 = (LX & amp; 0x80000000);
Ly8 = (Ly & amp; 0x80000000);
lx4 = (LX & amp; 0x40000000);
LY4 = (LY & AMP; 0x40000000);
LRESULT = (LX & amp; 0x3FFFFFFF) + (Ly & amp; 0x3FFFFFFF);
if (LX4 & amp; LY4) {
RETURN (LRESULT ^ 0x80000000 ^ LX8 ^ LY8);
}
if (LX4 | LY4) {
If (Lresult & amp; 0x40000000) {
RETURN (LRESULT ^ 0xc0000000 ^ LX8 ^ LY8);
} else {
RETURN (LRESULT ^ 0x40000000 ^ LX8 ^ LY8);
}
} else {
RETURN (LRESULT ^ LX8 ^ LY8);
}
}
FUNCTION F (X, Y, Z) {RETURN (X & AMP; Y) | ((~ x) & amp; z); }
FUNCTION G (X, Y, Z) {RETURN (X & AMP; Z) | (y & amp; (~ z)); }
FUNCTION H (X, Y, Z) {RETURN (X ^ Y ^ Z); }
FUNCTION I (X, Y, Z) {RETURN (Y ^ (x | (~ z))); }
FUNCTION FF (A, B, C, D, X, S, AC) {
a = addunsigned (A, AddunSigned (Addunsigned (F (B, C, D), X), AC));
Return Addunsigned (Rotateleft (A, S), B);
};
Function GG (A, B, C, D, X, S, AC) {
a = addunsigned (A, AddunSigned (Addunsigned (G (B, C, D), X), AC));
Return Addunsigned (Rotateleft (A, S), B);
};
Function HH (A, B, C, D, X, S, AC) {
a = addunsigned (A, Addunsigned (Addunsigned (H (B, C, D), X), AC));
Return Addunsigned (Rotateleft (A, S), B);
};
Function II (A, B, C, D, X, S, AC) {
a = Addunsigned (A, Addunsigned (Addunsigned (I (B, C, D), X), AC));
Return Addunsigned (Rotateleft (A, S), B);
};
Function ConvertTowOrdArray (String) {
VAR LWORDCOUNT;
VAR LMESSAGELENGTH = String.Length;
var lnumberofwords_temp1 = LMESSAGELENGTH + 8;
var lnumberofwords_temp2 = (LNumberOfwords_temp1- (LNumberOfwords_temp1% 64)) / 64;
var lnumberofwords = (lnumberofwords_temp2 + 1) * 16;
Var LWORDARRAY = Array (LNumberOfwords-1);
var lbyteposition = 0;
var lbytecount = 0;
While (Lbytecount & lt; lmessagelength) {
LWORDCOUNT = (Lbytecount- (Lbytecount% 4)) / 4;
LBYTEPOSITION = (LBYTECOUNT% 4) * 8;
LWORDARRAY [LWORDCOUNT] = (LWORDARRAY [LWORDCOUNT] | (string.charcodeat (lbytecount) & lt; & lt; lbyteposition));
lbytecount ++;
}
LWORDCOUNT = (Lbytecount- (Lbytecount% 4)) / 4;
LBYTEPOSITION = (LBYTECOUNT% 4) * 8;
LWORDARRAY [LWORDCOUNT] = LWORDARRAY [LWORDCOUNT] | (0x80 & lt; & lt; lbyteposition);
LWORDARRAY [LNUMBEROFWORDS-2] = LMESSAGELGTH & LT; & LT; 3;
LWORDARRAY [LNUMBEROFWORDS-1] = LMESSAGELENGTH & GT; & GT; & GT; 29;
Return LWORDARRAY;
};
FUNCTION WORDTOHEX (LVALUE) {
var wordtohexvalue = "", wordtohexvalue_temp = "", lbyte, lcount;
For (lcount = 0; lcount & lt; = 3; lcount ++) {
lbyte = (LVALUE & GT; & GT; & GT; (LCOUNT * 8)) & amp; 255;
Wordtohexvalue_temp = "0" + lbyte.tostring (16);
Wordtohexvalue = WordtoHexvalue + wordtohexvalue_temp.substr (Wordtohexvalue_Temp.LengTh-2,2);
}
Return Wordtohexvalue;
};
Function UTF8ENCODE (String) {
String = string.replace (/ \ r \ n / g, "\ n");
var utftext = "";
For (var n = 0; N & LT; String.Length; N ++) {
var c = string.charcodeat (N);
IF (C & LT; 128) {
utftext + = string.fromcharcode (C);
}
ELSE if ((C & GT; 127) & amp; & amp; (C & LT; 2048)) {
utftext + = string.fromcharcode ((C & GT; & GT; 6) | 192);
UTFTEXT + = String.Fromcharcode ((C & AMP; 63) | 128);
}
ELSE {
utftext + = string.fromcharcode ((C & GT; & GT; 12) | 224);
utftext + = string.fromcharcode (((C & GT; & GT; 6) & amp; 63) | 128);
UTFTEXT + = String.Fromcharcode ((C & AMP; 63) | 128);
}
}
RETURN UTFTEXT;
};
var x = array ();
VAR K, AA, BB, CC, DD, A, B, C, D;
VAR S11 = 7, S12 = 12, S13 = 17, S14 = 22;
VAR S21 = 5, S22 = 9, S23 = 14, S24 = 20;
VAR S31 = 4, S32 = 11, S33 = 16, S34 = 23;
VAR S41 = 6, S42 = 10, S43 = 15, S44 = 21;
String = UTF8ENCODE (String);
X = ConvertTowOrdArray (String);
a = 0x67452301; b = 0xefcdab89; c = 0x98Badcfe; d = 0x10325476;
For (k = 0; k & lt; x.length; k + = 16) {
Aa = a; Bb = b; CC = C; DD = D;
a = ff (a, b, c, d, x [k + 0], s11,0xd76aa478);
d = ff (d, a, b, c, x [k + 1], s12,0xe8c7b756);
C = FF (C, D, A, B, X [K + 2], S13.0X242070DB);
b = ff (b, c, d, a, x [k + 3], s14,0xc1bdceee);
a = ff (a, b, c, d, x [k + 4], s11,0xf57c0faf);
d = ff (d, a, b, c, x [k + 5], s12,0x4787c62a);
C = FF (C, D, A, B, X [K + 6], S13.0XA8304613);
b = ff (b, c, d, a, x [k + 7], s14,0xfd469501);
a = ff (a, b, c, d, x [k + 8], s11,0x698098d8);
d = ff (d, a, b, c, x [k + 9], s12,0x8b44f7af);
C = FF (C, D, A, B, X [K + 10], S13.0XFFFFF5BB1);
B = FF (B, C, D, A, X [K + 11], S14.0X895CD7BE);
a = ff (a, b, c, d, x [k + 12], s11,0x6b901122);
d = ff (d, a, b, c, x [k + 13], s12,0xfd987193);
c = ff (c, d, a, b, x [k + 14], s13,0xa679438e);
b = ff (b, c, d, a, x [k + 15], s14,0x49b40821);
a = gg (a, b, c, d, x [k + 1], s21,0xf61e2562);
d = gg (d, a, b, c, x [k + 6], s22,0xc040b340);
C = Gg (C, D, A, B, X [K + 11], S23.0X265E5A51);
B = Gg (B, C, D, A, X [K + 0], S24.0XE9B6C7AA);
a = gg (a, b, c, d, x [k + 5], s21,0xd62f105d);
d = gg (d, a, b, c, x [k + 10], S22.0x2441453);
C = Gg (C, D, A, B, X [K + 15], S23.0XD8A1E681);
B = Gg (B, C, D, A, X [K + 4], S24.0XE7D3FBC8);
a = gg (a, b, c, d, x [k + 9], s21.0x21e1cde6);
d = gg (d, a, b, c, x [k + 14], s22,0xc33707d6);
c = gg (C, D, A, B, X [K + 3], S23.0XF4D50D87);
B = Gg (B, C, D, A, X [K + 8], S24.0X455A14ED);
a = gg (a, b, c, d, x [k + 13], s21,0xa9e3e905);
d = gg (d, a, b, c, x [k + 2], s22,0xfcepha3f8);
c = gg (C, D, A, B, X [K + 7], S23.0X676F02D9);
B = Gg (B, C, D, A, X [K + 12], S24.0X8D2A4C8A);
a = hh (a, b, c, d, x [k + 5], S31,0xFFFA3942);
d = hh (d, a, b, c, x [k + 8], s32,0x8771f681);
C = HH (C, D, A, B, X [K + 11], S33.0X6D9D6122);
B = HH (B, C, D, A, X [K + 14], S34.0XFDE5380C);
a = hh (a, b, c, d, x [k + 1], s31,0xa4beea44);
d = hh (d, a, b, c, x [k + 4], s32.0x4bdecfa9);
C = HH (C, D, A, B, X [K + 7], S33.0XF6BB4B60);
B = HH (B, C, D, D, A, X [K + 10], S34.0XBEBFBC70);
a = hh (a, b, c, d, x [k + 13], s31.0x289b7ec6);
d = hh (d, a, b, c, x [k + 0], s32,0xea1127fa);
C = HH (C, D, A, B, X [K + 3], S33.0XD4EF3085);
B = HH (B, C, D, A, X [K + 6], S34.0X4881D05);
a = hh (a, b, c, d, x [k + 9], s31.0xd9d4d039);
d = hh (d, a, b, c, x [k + 12], s32,0xe6db99e5);
C = HH (C, D, A, B, X [K + 15], S33.0X1FA27CF8);
B = HH (B, C, D, A, X [K + 2], S34.0XC4AC5665);
a = ii (a, b, c, d, x [k + 0], s41,0xf4292244);
d = ii (D, A, B, C, X [K + 7], S42.0X432AFF97);
C = II (C, D, A, B, X [K + 14], S43.0XAB9423A7);
B = II (B, C, D, A, X [K + 5], S44.0XFC93A039);
a = ii (a, b, c, d, x [k + 12], s41,0x655b59c3);
d = ii (D, A, B, C, X [K + 3], S42.0X8F0CCC92);
C = II (C, D, A, B, X [K + 10], S43.0XFFEFF47D);
B = II (B, C, D, A, X [K + 1], S44.0X85845DD1);
a = ii (a, b, c, d, x [k + 8], s41,0x6fa87e4f);
d = ii (D, A, B, C, X [K + 15], S42.0XFE2CE6E0);
C = II (C, D, A, B, X [K + 6], S43.0XA3014314);
B = II (B, C, D, A, X [K + 13], S44.0X4E08111A1);
a = ii (a, b, c, d, x [k + 4], s41,0xf7537e82);
d = ii (D, A, B, C, X [K + 11], S42.0XBD3AF235);
C = II (C, D, A, B, X [K + 2], S43.0X2AD7D2BB);
B = II (B, C, D, A, X [K + 9], S44.0XEB86D391);
a = addunsigned (A, AA);
b = addunsigned (b, bb);
c = addunsigned (C, CC);
d = addunsigned (D, DD);
}
var temp = Wordtohex (A) + Wordtohex (B) + Wordtohex (C) + Wordtohex (D);
Return temp.tolowerCase ();
}
Usage:
md5 ("whatever");
You can use Diffe-Helmana Protocol . But here you have to establish a common key between the client and the server. In principle, there is no particularly protected method, except SSH, but it can be faked by an intermediate proxy.