Re: encryption question



SiegfriedN wrote:
Create a hash value of the password. (encrypted text value of the password)

When the user provides the password the password is encrypted and compared to the hash value you created for the password via the encryption algorithm.

That might be an extremely bad idea if not done correctly:

Setup:
1. Select password P
2. Store H = Hash(P)
3. Store C = E(Hash(P),T)

Decryption:
1. User inputs P'
2. If H <> Hash(P') return Error
3. Return T = E(Hash(P),C)

The flaw in this scheme ought to be fairly obvious. An attacker who finds an H,C pair might simply calculate T = E(H,C) and be done with it, without any information whatsoever about P.
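The scheme described above next to a variant that keeps the stored check value and the encryption key separate, as an added example that is not part of the original post. `E` is a constructed XOR-keystream stand-in for the post's unspecified cipher (illustration only, not a vetted cipher); the PBKDF2 parameters and the `verify`/`encrypt` labels are assumptions.

```python
import hashlib
import hmac
import os

def E(key: bytes, data: bytes) -> bytes:
    """Stand-in for the post's E: XOR with a SHA-256 counter keystream.
    Self-inverse, so the same call encrypts and decrypts. Illustration only."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

# --- Scheme from the post: the stored check value H is also the key ---
def flawed_setup(password: bytes, secret: bytes):
    h = hashlib.sha256(password).digest()
    return h, E(h, secret)              # stored on disk: (H, C)

def recover_from_store(h: bytes, c: bytes) -> bytes:
    return E(h, c)                      # T = E(H, C); P is never needed

# --- Separated variant: verifier and key are independent derivations ---
def derive(password: bytes, salt: bytes):
    master = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)
    verifier = hmac.new(master, b"verify", hashlib.sha256).digest()
    enc_key = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    return verifier, enc_key

def separated_setup(password: bytes, secret: bytes):
    salt = os.urandom(16)
    verifier, enc_key = derive(password, salt)
    # stored on disk: (salt, verifier, C); enc_key is never written anywhere
    return salt, verifier, E(enc_key, secret)

def separated_open(password: bytes, salt: bytes, verifier: bytes, c: bytes) -> bytes:
    v, enc_key = derive(password, salt)
    if not hmac.compare_digest(v, verifier):   # constant-time comparison
        raise ValueError("wrong password")
    return E(enc_key, c)

if __name__ == "__main__":
    secret = b"constructed sample plaintext T"
    h, c = flawed_setup(b"hunter2", secret)
    print("flawed store alone yields T:", recover_from_store(h, c) == secret)
    salt, v, c2 = separated_setup(b"hunter2", secret)
    print("verifier used as key yields T:", E(v, c2) == secret)
    print("correct password yields T:", separated_open(b"hunter2", salt, v, c2) == secret)
```

In the separated variant the stored verifier only confirms a password guess; decrypting still requires running the key derivation on the password itself.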