Re: Decrypt fails

From: jreddy (jreddy_at_discussions.microsoft.com)
Date: 09/07/05

  • Next message: lelteto: "Re: Decrypt fails" 
    Date: Wed, 7 Sep 2005 09:16:11 -0700

    Hi,
    Thanks for the response.
    First, I am creating a MD5 hash data and then using it to derive a key
    (CALG_RC2 encryption algorithm). Then I use this key to encrypt/decrypt user
    passwords. My requirement concerns more with not storing passwords in plain
    text in DB and not necessarily for authentication purposes.So, my goal is to
    not store user passwords in plain text but in some encrypted form in DB.

    "Jan Spooren" wrote:

    > Hi,
    >
    > Which encryption algorithms are you using?
    > MD5 and MD2 are hashing algorithms and cannot be used to encrypt/decrypt.
    > Actually, since hashing algorithms can be regarded as 'one-way' encryption,
    > they are especially suited for what you want to achieve.
    > Create an MD5-hash (or better yet, a SHA-1 hash) of the password and store
    > that in the database. When a user must be authenticated, hash the password
    > that (s)he provided and compare it to the hash in the database. If they
    > mach, then the user provided the right password.
    >
    > With this approach, nor system administrators, nor an adversary who obtained
    > the encryption password (which you will have to store _somewhere_), can
    > decrypt the user's passwords.
    >
    > The approach as described above is still vulnerable to dictionary attacks
    > and therefore stil not very secure. (An adversary could use a dictionary of
    > typical passwords, hash those, and compare them to the hashed passwords in
    > the database in order to find your user's passwords). To avoid this,
    > generate a random string of characters when creating the user record and
    > store that (in clear text) in the database with the password hash. Now
    > append the random data (which is typically called 'salt') to the password
    > and hash that. If a user needs to be authenticated, get the salt from the
    > user's database record, append it to the password (s)he provided, hash that
    > string and compare it to the hash stored in the database.
    >
    > Storing passwords with reversible encryption in a database is usually a bad
    > thing to do. About a year ago, I performed an ICT audit on a content
    > management system that worked this way. With the permissions set of a
    > regular user, it took me less than 25 minutes to obtain a full list of user
    > accounts and passwords. The 'content management system' had been installed
    > because management deemed NTFS permissions 'too weak' to trust, because it
    > would still allow system administrators to view the files. :-)
    >
    > Take care,
    > Jan Spooren, CISSP, CISA, MCP
    >
    > "jreddy" <jreddy@discussions.microsoft.com> wrote in message
    > news:45E17D25-DBDF-463A-B473-D6871F07CF52@microsoft.com...
    > > My Vc++ 6.0 application on XP encrypts/decrypts passwords before it
    > > stores/reads them in/from DB. I am using the default MS Cryptography
    > > Provider
    > > (I think it is MS Strong Crytography Provider) with MD5 hashing algorithm.
    > > While it is working fine so far, I ran into a strange situation where I
    > > found
    > > a combination of 8 characters that encrypts fine but fails to decrypt
    > > (after
    > > decryption, I can see the plain text OK in debugger but I also see some
    > > garbage appended to it. CryptDecrypt returns a NTE_BAD_DATA). I have not
    > > see
    > > any other password encryption/decryption fail in such a manner. Also, when
    > > I
    > > use MD2 hashing algorithm with the same provider, I have not seen any
    > > problem
    > > either (including for the same password that has problems decrypting as
    > > mentioned above).
    > >
    > > Is it possible that there exist a problem with the Cryptography provider,
    > > or
    > > hashing alogrithm, or combination of the those two I am using? Thanks for
    > > any
    > > help.
    >
    >
    >

  • Next message: lelteto: "Re: Decrypt fails"

    Relevant Pages

    • Re: Newbie - Is this Reasonable?
      ... because this hash is stored in the database. ... So you use PKCS5v2 to generate a key hash from a salt and the user's passphrase, then store the salt and the hash in a database. ... are even more critical in database applications because the payoff from tampering with selected fields may be much higher, fields tend to be fixed-length so it's easier to tamper with them in a meaningful way, and databases lend themselves to off-line analysis, so the attacker can marshall more resources and take more time to attack your system. ... You're using a stream cipher for encryption. ...
      (sci.crypt)
    • Re: Perl Script
      ... It uses a one way hash. ... AD> just store the encrypted result in the database. ... AD> extract it and reverse the encryption. ... Hashing passwords is much safer than reversible encryption (regardless ...
      (comp.lang.perl.misc)
    • Re: Decrypt fails
      ... MD5 and MD2 are hashing algorithms and cannot be used to encrypt/decrypt. ... Actually, since hashing algorithms can be regarded as 'one-way' encryption, ... Create an MD5-hash of the password and store ... that he provided and compare it to the hash in the database. ...
      (microsoft.public.platformsdk.security)
    • Re: criticism of web based password manager requested
      ... encryption and decryption and viewing or using your protected passwords ... on a client machine that you don't trust is not secure. ... your encrypted passwords on it. ... read/write access to the database. ...
      (sci.crypt)
    • Re: How good an encryption algorithm is this?
      ... mapping encryption, but a one-way hash of the password). ... my spare time, i hash 5 million or so common passwords (in prior spare time, ... but the dictionary attack just got a lot harder - now i have to ...
      (microsoft.public.dotnet.languages.csharp)
    • Quantcast