2

I don't know too much about encryption, but is there any benefit to encrypting the already encrypted, lets say passwords? I am aware of salts, but before this is done, does it matter or not?

Andy
  • 10,553
  • 21
  • 75
  • 125
  • Salts don't usually make a difference in encryption. (Well, they might weaken it a little.) Do you mean hashing? – Ry- Apr 21 '12 at 03:05
  • @minitech Salting is irrelevant in encryption, pretty much completely so. Giving a cipher block a constant value should not weaken it, unless it is vulnerable to a chosen plaintext attack or if the salt is specifically related to the key in a special way. – Michael J. Gray Apr 21 '12 at 03:41
  • @MichaelJ.Gray: Exactly - depends what kind of encryption :) If you salt XOR encryption, it dies instantly. Just covering all the bases. – Ry- Apr 21 '12 at 13:15

5 Answers5

1

Encryption is 2-way thing, when hashing is 1-way. You can decrypt encrypted sting, while you can't revert hash.

One simple, but good example is using md5 hash + salt: MD5('password' + 'random_string') - no matter PHP or MySQL you use - result is the same. So what you have here - is hash of 'passwordrandom_string', which can be unlikely matched using a dictionaries.

So every time you check the password you do:

if (md5($password . 'random_string') == $hash_from_db)

Updated: but if you really concerned about security (this usually needs to be done only if your application works with very sensitive data), and say more - you have crazy paranoia and insanity about it: there are a lot of hashing methods over the Internet. Find something with random salt (so every password can have almost unlimited amount of hashes), make few changes, combine it with other hashing algorithm - problem solved.

One thing you should know - sometimes the slower hashing works - the better. That means if you somehow have a rat-hole in login-attempts counter this will really slow down bruteforce process.

One example you can take a look on - bcrypt (it uses Java for hashing). Not saying you should use it, just an example of what you should look for.

Ruslan Osipov
  • 5,655
  • 4
  • 29
  • 44
  • 2
    I agree that slowing down helps bruteforce attacks. However, the problem with slowing down in the hashing function is that you always want to do less work than the attacker. It's trivial for an attacker to send fake username/logins but takes a lot of cycles for the server to compute the hash. This might open up an app up for DDos attacks. You might want to consider locking an IP or a user after a number of failed login attempts. – David Z. Apr 21 '12 at 03:36
  • Don't invent new hashing schemes, use a standard one. For password hashing, see [What makes a hash function good for password hashing?](http://crypto.stackexchange.com/q/24/58). – Paŭlo Ebermann Apr 21 '12 at 14:13
  • Hmm, very good points. Thank you. With the random string as the salt, where should the random strings used be stored? In a separate table, user table, etc.? Thanks again. – Andy Apr 21 '12 at 17:47
  • @Andy It was just a hard coded example to show you the idea. I recommend using something much more secured. Again, I think you will find bcrypt interesting at that point. – Ruslan Osipov Apr 21 '12 at 19:50
  • I did take a look at bcrypt. Its an appealing way to go about it. Thanks a lot. – Andy Apr 21 '12 at 19:51
0

This question has some relevant discussion on the topic. There are cases in which it would be a bad idea and could potentially weaken the encryption as pointed out in the linked thread, so you wouldn't want to do this unless you're really sure of what you're getting into.

The fundamental basis for encryption is that it's easier to encrypt (polynomial time) than it is to decrypt (non-polynomial time). The only way encryption breaks is if either/both of the following is true:

  1. There's a vulnerability in your encryption scheme which decreases the gap between the polynomial time it take you to encrypt and the non-polynomial time you expect it to take an attacker to decrypt.
  2. Someone has sufficient computational resources to decrypt your data (in non-polynomial time).

It sounds like there are cases where double encryption could actually make issue #1 more probable, so that's dangerous. But issue #2 seems like the bigger one to me. The idea is that an attacker with sufficient computational resources will be able to decrypt my data -- an act which implies that they're willing/able to invest orders of magnitude more computational resources to decrypt my data than I was in encrypting it.

If we accept on fiat that an attacker has the vast computational resources required to decrypt my data, the thought that they could have 2x that many resources doesn't seem unreasonable at all, to me.

And realize also that if you're using the same key, then there's really no added security whatsoever -- once they crack one, they've cracked them both. Potentially there could be value in using two different encryption techniques with two different keys to encrypt something in order to protect against issue #1 popping up for either encryption scheme, but that's surely debatable.

Community
  • 1
  • 1
Jeff Allen
  • 17,277
  • 8
  • 49
  • 70
  • Huh. Time polynomial/non-polynomial in which parameter? Both encrypting and decrypting (knowing the key) should take only linear time in the message size, and normally the same time for both. – Paŭlo Ebermann Apr 21 '12 at 14:15
  • Thank you for the input. Your points make sense. I will look at my encryption options and do the research before implementing it. But I am only storing passwords, no real danger to getting sensitive data. But I figure its a good chance to learn about this as I would like to take it further on other projects I have in mind. Thank you again. – Andy Apr 21 '12 at 17:55
0

You do get some benefits from encrypting twice using different keys. For instance, a file encrypted with weaker ciper and subsequently encrypted again with a stronger cipher and key strength will be harder to break than just having the weak cipher alone. The analogy is putting a flimsy lock box inside of a bank's vault. But, in general, you're better of encrypting with a strong cipher than encrypting twice with a weak cipher.

There are also some instances where it is appropriate for something to be encrypted twice, such as when you cross multiple trust barriers. For instance, you might encrypt your files before sending them to a cloud provider (who you may not trust). If the cloud provider needs to send files to another offsite backup company (who the cloud provide may not trust), they might encrypt it again.

That said, for passwords, you are probably better off with using a strong hash (e.g. sha1) alongside a salt for storing passwords.

David Z.
  • 5,621
  • 2
  • 20
  • 13
  • It's actually unproven if cascading ciphers is a good idea or not. It seems like it would be, but ciphers that are mathematically related once keyed can weaken a your entire scheme. For example, say you have a cipher that once keyed has an encryption function a(x) and then another seemingly unrelated cipher that once keyed has an encryption function b(x). Their respective decryption functions a`(x) and b`(x) could be mathematically related by inverse composition to negate the opposing function. Basically, a(x) = b`(x). When cascading, you could leak round state information or the plaintext. – Michael J. Gray Apr 21 '12 at 03:46
  • Using the same key seems to be a Bad Idea (especially in the case of stream ciphers, from what I hear). – David Z. Apr 21 '12 at 04:10
  • Using two different keys in a cipher just changes the function, but not the relationship. With the same key or a different key, the danger is equal for most ciphers. – Michael J. Gray Apr 21 '12 at 05:37
  • I'm not entirely convinced that is true. Do you have a source? – David Z. Apr 21 '12 at 05:46
  • On which part? Consider a block cipher operating under a specific key is just a function which maps an input to a specific output. Now compute this map multiple times in series on a specific input (compose the function with itself a few times). You still get a pseudo-random map. The vulnerability comes when you derive two encryption functions where one is the functional inverse of the other (encryption with algorithm B is the same as decryption with algorithm A). It's simple algebra but it's theoretical. It would take a lot of analysis and reduction to exploit a real cipher this way. – Michael J. Gray Apr 21 '12 at 05:53
  • Please note that I am talking about block ciphers with *different* keys. Are you implying that if I take a ciphertext (with a key that I do not know) and encrypt it again (with an arbitrary key that I generate) that we'll leak information? – David Z. Apr 21 '12 at 06:00
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/10342/discussion-between-michael-j-gray-and-david-z) – Michael J. Gray Apr 21 '12 at 07:23
0

It depends on what you mean by encryption. If you're actually encrypting information on the database using for example Microsoft's SQL Server encryption engine, then yes it does matter. You should not rely on database level encryption as it's not really secure. The key is still stored on the machine and only prevents naive attackers who do not seek out that key along with the database.

Generally, databases also support exporting data in plaintext when the database is encrypted. This means that if an attacker gets into the system, they can just do that. If they only have the hard drives (external drive is stolen), then it saves you.

Passwords should be hashed in your application and then sent to a database, generally. It's considered secure to generate a 64 byte salt and then use SHA-512(salt || password) where || denotes binary concatenation. Don't use randomized ASCII text for salts and stick with secure random number generators such as /dev/urandom or Microsoft's CryptGenRandom. This makes it so attackers cannot store pre-computed lists of hashes for reverse lookups of common passwords.

If you want to prevent the stolen backup drive scenario you need to also make sure you are backing up your database, keeping encryption on, and storing the keys in a secure environment away from the encrypted database. We call this "separating the lock from the key". Since this doesn't help you in the situation where your database is exported, you also want to do hashing as I mentioned earlier. Hashing in addition to encryption will make it so that 1.) Attackers can't get at other less sensitive information such as names and addresses and 2.) Attackers can't even begin to attempt recovery of passwords or other credentials.

The bottom line is that it depends on your threat model.

Michael J. Gray
  • 9,784
  • 6
  • 38
  • 67
  • For salts, it is not really relevant if they are binary or ASCII ... the hash function accepts all. You would just need some more ASCII bytes than binary bytes to have the same entropy. What is more important is to [use a *slow* hash function for password hashing](http://crypto.stackexchange.com/q/24/58). – Paŭlo Ebermann Apr 21 '12 at 14:11
-1

Yes. It does matter. Storing sensitive data anywhere in plaintext goes beyond bad practice. It's dangerous. Even the standard md5 hash is considered "broken" now, and shouldn't be used on its own without salting it, and perhaps using other hashing combinations in tandem with it. Just to shake things up.

$salt = 'Yh%Gg^!&ud$*';
$encryption = md5(sha1($salt.md5(md5($salt.$_POST['pwd']))));
$query = mysql_query("SELECT * FROM users WHERE name=$uname AND pass=$encryption");

Not exactly the most secure, but if anybody gets their hands on the table information, they won't be able to crack it without knowing the salt and hashing combination.

Ultimately, you need to make an educated decision based on the sensitivity of the data. If you're storing user passwords of any kind, even YOU shouldn't know what they are.

maiorano84
  • 11,574
  • 3
  • 35
  • 48
  • I should notice that cracking password hashes is pretty hard thing by itself: again, there is **no way to revert hash**, so all you can do - is try different strings and see if they match. One of the common methods - using huge dictionaries, trying out every word and checking if it matches hash. – Ruslan Osipov Apr 21 '12 at 03:23
  • You can find collisions on MD5 pretty easily. As in, given `h(m) = z` you can find `h(m') = z`. http://www.rtfm.com/movabletype/archives/2004_08.html#001055 has information about it. That means that given your scheme, an attacker can find an equally valid password for the given hash your cascading produces. MD5 is completely broken and should **never** be used in any system. – Michael J. Gray Apr 21 '12 at 03:50
  • @MichaelJ.Gray: collision attacks are not really what is relevant for a password hashing scheme ... there is no point in trying to find two passwords which hash to the same value, you want to find a password hashing to an existing value (which is a preimage attack). Though you are right, don't use MD5 for anything. – Paŭlo Ebermann Apr 21 '12 at 14:18
  • @pyrate: With a fast hash function and typical password strengths (and parallel computing using GPUs etc.), brute-forcing a password is surprisingly fast. This is why we [use *slow* hash functions for password hashing](http://crypto.stackexchange.com/q/24/58). – Paŭlo Ebermann Apr 21 '12 at 14:21
  • @PaŭloEbermann Both attacks are scary, even if one isn't exceptionally useful for passwords. But yes, good point. Also, brute forcing MD5 hashes is indeed lightning fast; my GTX 460 can pull off several billion trials per second. – Michael J. Gray Apr 22 '12 at 02:10