Anton Apua Escalante

Reputation: 165

Hashing Salting

Hello, sorry if this may be a stupid question. I am gonna try a sha+salt for my site. Wondering how to randomize my salt upon registering, so both of them will be hashed into the database. Also, is there a need for me to decrypt both sha and salt for user validation? Would be nice if someone pointed me in the right direction or a good article. Thanks. Also I'm new to security stuff on websites; I'm still researching what security implementations I would use for my site. Currently these are what I will be doing:

  1. password hashing
  2. Anti-SQL injections
  3. Hiding Values in URL

Would like to know more about what I should add to my security. I am making a school management system as a project.

So far I am looking into anti-bruteforce, and my professor gave me a hint about HTTPS.

Also, how would I validate a login if the password is sha+salt encrypted?

Upvotes: 0

Views: 194

Answers (3)

Kris

Reputation: 6112

Not really a direct answer to your question, but look into phpass http://www.openwall.com/phpass/

It will handle the salting for you, and it has been reviewed by many security experts and been deemed an extremely good password hashing tool.

Upvotes: 1

moonwave99

Reputation: 22817

Since the salt is just a random string added to the hash of the string you want to encode, there are plenty of ways to generate it [e.g. this on SO].

You don't need to, and you can't, decrypt any sha result, because sha [like md5] is a hashing algorithm, not a crypt function, i.e. it's not meant to hide anything for later retrieval: this is important because I don't want the admin of a site I am registered to to read my password from the database.

To hash is to map elements from a data set to shorter elements from another one, in an [almost totally] injective way: you map arbitrarily long strings to fixed-length keys. This lets you make comparisons in the hashed domain without actually knowing the original value.

hash( value1 ) = hash ( value2 ) => value1 = value2

I said almost because hashing algorithms have some collisions [e.g. exceptions to the previous statement, such as hash(value1) = hash(value2) not implying the 2 values are the same]; salts help in this regard too.

This said, this is how you save the password to db:

  • generate the salt;
  • prepend the salt to the actual password: it's important to put it before the pwd to prevent dictionary attacks;
  • hash the concatenated string with a proper algorithm [I chose sha1 just for example's sake];
  • save both the string and the salt to db.

In code:

$user->salt = your_salt_generator();
// the salt that was just generated is the one concatenated and stored
$user->hashedPwd = hash('sha1', $user->salt . $userChosenPwd);

Pwd checking against $username / $password is just:

  • get user with given $username from db;
  • if it exists, use process above with saved salt and given password and check if it equals stored hash.

In code:

// constant-time comparison instead of PHP's loose == on two hex strings
hash_equals($user->hashedPwd, hash('sha1', $user->salt . $sentPassword));

About hiding values in URLs, it's more a SEO / readability topic than a security one: URLs should be built upon routing [e.g. http://somesite.com/products/:id to access the id-th product], and your server logic should not be vulnerable to stuff put into requests that are made to your site [regardless of totally crap cases I can't come up with right now].

Regarding MySQL injections, we got rid of them since prepared statements from the PDO extension.

There are millions of answers about this around SO, just have a look around.

Keep it up with your work!

Upvotes: 1
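The register/login procedure from this answer, written out as an added example that is not part of the original post or of phpass. It assumes a PDO connection $pdo and a users table with username, salt and hashed_pwd columns (placeholder names); sha256 stands in for the answer's sha1, and the last two functions show the slow salted hash (bcrypt via password_hash) that phpass and modern PHP provide instead of a fast sha.

```php
<?php
// Added example, not from the answer above. Assumptions: $pdo is a PDO
// connection and the table users(username, salt, hashed_pwd) exists;
// those names are placeholders. Columns should be VARCHAR(255).

// Step 1: the salt is random bytes from the OS CSPRNG (random_bytes,
// PHP >= 7), never a constant, a username or a timestamp.
function your_salt_generator(): string {
    return bin2hex(random_bytes(16));   // 32 hex characters per user
}

// Steps 2-4: salt . password, hash, store the hash AND the salt.
// sha256 is used here; the answer's sha1 follows the same procedure.
function register_user(PDO $pdo, string $username, string $password): void {
    $salt   = your_salt_generator();
    $hashed = hash('sha256', $salt . $password);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, salt, hashed_pwd) VALUES (?, ?, ?)');
    $stmt->execute([$username, $salt, $hashed]);  // prepared: no SQL injection
}

// Login: fetch the row, recompute with the STORED salt, compare.
// hash_equals() replaces the loose "==" (which compares numeric-looking
// strings such as "0e123" as numbers) and leaks no timing information.
function check_login(PDO $pdo, string $username, string $sentPassword): bool {
    $stmt = $pdo->prepare('SELECT salt, hashed_pwd FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;                   // unknown user, nothing to compare
    }
    $recomputed = hash('sha256', $user['salt'] . $sentPassword);
    return hash_equals($user['hashed_pwd'], $recomputed);
}

// What phpass does internally and what PHP ships since 5.5: a slow,
// salted hash (bcrypt). The salt is generated for you and embedded in
// the returned string, so no separate salt column is needed, and the
// cost factor makes brute force far more expensive than a fast sha.
function register_user_modern(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (username, hashed_pwd) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function check_login_modern(string $storedHash, string $sentPassword): bool {
    return password_verify($sentPassword, $storedHash);
}
```

The two `_modern` functions are the ones to use for a new site; the first pair is only there to show the manual salt-and-hash steps the answer describes.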

tgt

Reputation: 1308

Since this is quite a large question, it's probably easier for me to direct you to some useful resources rather than try to explain it all myself.

For an introduction to web cryptography A List Apart wrote a nice article. It doesn't discuss implementation very much, but provides a nice overview.

For a list of security flaws and how to combat them see the OWASP Top Ten Project.

Here's a guide to PHP Security that is pretty comprehensive.

Finally, see this question for more on creating a login system.

I'd recommend searching around Stack Overflow as there're probably some good answers to questions you may have.

Upvotes: 2
