Reputation: 582
In a web application, how and where does password encryption happen? For example, when a user registers on a web site, is the password set by the user transmitted as plain text, with encryption applied on the server side before it is persisted in the database?
On the other hand, when HTTPS is used, data will be encrypted and sent across the wire. In this scenario, do we again apply any encryption algorithms to the incoming data and then persist it in the database? I am also keen to learn which encryption algorithms will be used when data is transmitted over HTTPS.
Upvotes: 0
Views: 170
Reputation: 24151
HTTPS encrypts the traffic between client and server; this prevents man-in-the-middle attacks. With HTTPS you can transport the password safely to the server; for you as a developer there is no work involved.
The server will automatically decrypt the password, and your application will get the plain-text password. It is your job to use a password hash before storing it in the database. Recommended password hashes are BCrypt, SCrypt, Argon2 and PBKDF2.
Upvotes: 1
Reputation: 161
In addition to martinstoeckli's answer:
Rule n°2: Encryption will always be the second choice. If you can use hashing, please do.
HTTPS is asynchronous cryptography (private + public keys). The principle is that everything encrypted using the public key can only be decrypted using THE associated private key.
In our case, the client will use the public key to encrypt data, and the server will be the only one able to decrypt the data using the private key.
So you will get the plaintext of the data after the private key has done its job.
At this point, the best thing to do (in my opinion) is to hash the data (+ salt + possibly a pepper) and store the hash in the database.
When the user, for example, tries to log in using his password, the server will once again hash the plaintext password received (using the same salt / pepper, obviously) and compare it with the one in the database.
If the hash is exactly the same as the one in the database, it means that the password entered by the user is correct.
Upvotes: 1
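As an added example illustrating both answers above (it is not code from either answerer), here is the register-then-login flow in Python using only the standard library: PBKDF2-HMAC-SHA256 from the recommended list, a random per-user salt stored next to the hash, a site-wide pepper kept outside the database, and a constant-time comparison at login. The iteration count, the record format, the `EXAMPLE_PEPPER` variable name and the placeholder pepper value are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this example (not from the answers above).
ITERATIONS = 600_000      # PBKDF2-HMAC-SHA256 work factor; tune so one hash takes ~100-300 ms
SALT_BYTES = 16           # per-user random salt, stored in the clear beside the hash

# The pepper is a site-wide secret that lives outside the database (env var, KMS, vault).
# The fallback string is a constructed placeholder so the demo runs offline.
PEPPER = os.environ.get("EXAMPLE_PEPPER", "demo-pepper-placeholder").encode()


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Mix the pepper in first via HMAC, then stretch with PBKDF2 using the per-user salt.
    # A leaked database (hash + salt) is then not enough to test guesses without the pepper.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)


def hash_password(password: str) -> str:
    """Registration: the plaintext arrived over HTTPS; persist only this record."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt, ITERATIONS)
    # Self-describing record so the iteration count can be raised later per user.
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login: re-derive with the stored salt/iterations and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or tampered record
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    candidate = _derive(password, salt, iterations)
    # compare_digest avoids leaking, via timing, how many leading bytes matched
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Two things the record format makes visible: the salt is not secret (it is stored in plain hex), its job is only to make identical passwords hash differently and defeat precomputed tables, while the pepper must never be written to the same database. Hashing the same password twice yields different records, which is expected.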