WebApp Sec mailing list archives

Re: At what layer to hash a password


From: Chris Travers <chris () metatrontech com>
Date: Mon, 5 Jul 2010 21:34:07 -0700

On Mon, Jul 5, 2010 at 2:09 AM, arvind doraiswamy
<arvind.doraiswamy () gmail com> wrote:
> Apologies for a very delayed reply. Here are my thoughts. The key
> point is - Why are you hashing data? To ensure its confidentiality.
> Now, data can be in clear text at the client, anywhere in between or
> even at the database. So my call is to encrypt it everywhere. Hold on
> I'll explain ;)

There are a couple of big assumptions in that statement.  If those
assumptions hold true, your suggestion is a good one.  If not, they
may not be so good.  In general, I'd limit this to a plain, non-ssl
connection across the internet.

> a) At the client: Your main threat here is local access. If the app is
> public and people might access it from a public computer, there's a
> chance they might be able to steal it from the RAM. So some Javascript
> with a salted implementation of MD5 should work well here. The salt
> should be random though, otherwise you could just replay the MD5
> password and gain access... and you're back to square 1.

Of course, if someone has access to steal it from RAM, can't they just
watch keystrokes?  Honestly I would be worried less about local access
and more about the whole threat profile.  However, hashing at the
client has some advantages there (and some disadvantages too).


> b) The hashing on the client automatically then forces you to have
> passwords hashed in your database as well. This is due to the hash
> being irreversible. So when the salted hash (with the password) is sent
> to the application server, it decrypts it partially and is left only
> with the MD5 (insert hashing algorithm here). This MD5 is then compared
> against the hashed DB password and access then granted.

Question:  If MD5 is irreversible, how exactly do you think it could
be partially decrypted?  I don't think that's possible.

Best Wishes,
Chris Travers
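The random-salt scheme the quoted message is reaching for, as an added example that is not part of this thread: the server stores only a digest of the password and recomputes the expected answer for a fresh nonce, so nothing is ever "partially decrypted"; a reused answer fails because the nonce is consumed, and the stored digest itself becomes the secret the server is really checking. SHA-256 stands in for the thread's MD5; the user names, passwords and nonce format are constructed for the example.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes) -> str:
    """Hex digest used by both sides (SHA-256 here instead of the thread's MD5)."""
    return hashlib.sha256(data).hexdigest()


class Server:
    """Holds only digest(password) per user plus the nonce issued for the current login."""

    def __init__(self, users: dict):
        self.users = users          # username -> digest(password); constructed sample data
        self.outstanding = {}       # username -> nonce awaiting a response

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)       # fresh random salt for this attempt only
        self.outstanding[username] = nonce
        return nonce

    def verify(self, username: str, response: str) -> bool:
        nonce = self.outstanding.pop(username, None)   # single use: a replayed answer has no nonce
        stored = self.users.get(username)
        if nonce is None or stored is None:
            return False
        # Recompute what a client holding the right password must have sent; no decryption involved.
        expected = digest((nonce + stored).encode())
        return hmac.compare_digest(expected, response)


def client_response(password: str, nonce: str) -> str:
    """What the browser-side script computes: digest(nonce || digest(password))."""
    return digest((nonce + digest(password.encode())).encode())


def demo() -> dict:
    """Walk through one login, a replay of the same answer, a wrong password,
    and the caveat that the stored digest alone answers the challenge."""
    srv = Server({"alice": digest(b"correct horse")})
    n1 = srv.challenge("alice")
    answer = client_response("correct horse", n1)
    results = {"login": srv.verify("alice", answer)}
    results["replay"] = srv.verify("alice", answer)            # nonce already consumed
    results["wrong_password"] = srv.verify("alice", client_response("wrong", srv.challenge("alice")))
    n3 = srv.challenge("alice")
    results["digest_is_password_equivalent"] = srv.verify("alice", digest((n3 + srv.users["alice"]).encode()))
    return results
```

The last result is the defender's caveat: once the client hashes, the database column holds everything needed to answer the challenge, so it must be protected as carefully as a plaintext password would be.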
