L30 - Security 2
COS216
AVINASH SINGH
DEPARTMENT OF COMPUTER SCIENCE
UNIVERSITY OF PRETORIA
Website Hacks
https://haveibeenpwned.com
Choosing Passwords
Even if your website gets hacked, restrict the sensitive info that gets leaked
Cannot really encrypt the database
Key has to be stored on the server for encryption and will also be leaked during a hack
Decreases the performance of the database, especially very large databases
Many SQL lookups won’t work with encrypted values
Try to obfuscate sensitive information
Certain fields cannot be obfuscated because they are being used (eg: email address to
send emails to users)
However, passwords can and should be obfuscated
Storing Sensitive Information
912ec803b2ce49e4a541068d495ab570
Since hashes are calculated by a mathematical function, they are not really random,
although they might seem that way
Hashes have various uses, such as file integrity verification, ID generation, API keys,
passwords, blockchains, and various other cryptographic applications
Hashing
Any text or file is sent through a hashing function to generate the hash
The function is one-way, hence you cannot use a hash to get back to the original text
Unlike encryption, where you can encrypt and then decrypt to get the original text
If a single character/byte is changed in the original text, the new generated hash will
be completely different
Hashing
Many different hashing functions exist, each with a different algorithm and hash
length
MD5 (128 bits): Most widely known, has been shown to be unsafe, try to avoid
CRC (16 – 64 bits): Typically used to detect errors in files (eg: archives or downloads)
SHA (160 – 512 bits): Family of different functions (SHA-0, SHA-1, SHA-2, SHA-3) with various
hash lengths and complexity. Most widely used hashing function at the moment. Created
by the NSA. Hash collisions demonstrated in 2017
BLAKE (256 – 512 bits): Uses HAIFA structure
RIPEMD (128 – 320 bits)
Blowfish (32 - 448 bits): Recommended by PHP for password hashing
Many more …
Hashing
<?php
// Use the hash function with the algorithm as first parameter
echo hash('sha256', 'Just some raw text to be hashed');
echo hash('ripemd160', 'Just some raw text to be hashed');
username          password
grandma91         icantremember
dummy_the_dummy   password123
Plain Text - Registration
Example of a rainbow table (note these are not real hashes, they were truncated to fit
them into the table)
If the user registers with the plain text password, calculate the hash of the password
and save only the hash in the database
If the user logs in, the password is sent in plain text via POST/GET.
On the server, calculate the hash of the login password and compare it to the hash
in the database
username          password
grandma91         4a4d993ed7bd7d46
dummy_the_dummy   7b27af52d2aaa800
Passwords – Hashing & Salting
In order to avoid the rainbow hash table problems, salt your hashes
Salting means you add some random string to the password before hashing it
This makes every hash different and very unlikely to appear in any rainbow table
1. If the user registers with the plain text password, generate a random string (salt)
2. Concatenate the plain text password and the random string into one long string
3. Calculate the hash of the long string
4. Store the hash and the random string in the database
5. Each time the user logs in with the plain text password, retrieve the salt from the
database, append it to the password, and calculate the hash
6. Now compare the login hash with the hash in the database
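The six steps above in PHP, as an added example that is not part of the original slides. The in-memory `$users` array stands in for the database table, and the function names `register` and `login` are assumptions made for illustration.

```php
<?php
// Added example: the six salting steps, with an array standing in for
// the database table (an assumption for illustration).

$users = []; // username => ['salt' => ..., 'hash' => ...]

function register(array &$users, string $username, string $password): void
{
    // Step 1: generate a random salt from a cryptographically secure source
    $salt = bin2hex(random_bytes(16));
    // Steps 2-3: concatenate password and salt, then hash the long string
    $hash = hash('sha256', $password . $salt);
    // Step 4: store only the hash and the salt, never the plain text password
    $users[$username] = ['salt' => $salt, 'hash' => $hash];
}

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false; // unknown user
    }
    // Step 5: retrieve the stored salt, append it, and recompute the hash
    $candidate = hash('sha256', $password . $users[$username]['salt']);
    // Step 6: compare the two hashes; hash_equals() compares in constant time
    return hash_equals($users[$username]['hash'], $candidate);
}

// Constructed sample accounts: both users pick the same password
register($users, 'grandma91', 'password123');
register($users, 'dummy_the_dummy', 'password123');

// Same password, different salts: the stored hashes do not match each other
var_dump($users['grandma91']['hash'] === $users['dummy_the_dummy']['hash']);

// Correct password is accepted, wrong password is rejected
var_dump(login($users, 'grandma91', 'password123'));
var_dump(login($users, 'grandma91', 'icantremember'));

// PHP's built-in password_hash() / password_verify() generate the salt,
// hash, and compare in one call each, storing the salt inside the result.
$stored = password_hash('password123', PASSWORD_DEFAULT);
var_dump(password_verify('password123', $stored));
```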
Passwords
Approach            Security
Plain Text          None
Hashing             Medium
Hashing & Salting   High
Man In The Middle Attack
Although the key should be sent via POST, if you really have to use GET, sending the
API key in the URL is a lot safer than sending the user/pass
Registration Verification
If you register on a website, you often get a verification email to verify your account:
1. If the user registers, generate a random string (similar to API key), add the account details
together with the random string to the database
2. Also add a state to the database, saying the user is awaiting verification
3. Also add a maximum time (eg: 1 hour) after which the random string should become
unusable
4. Send a GET URL with the random string via email to the user, eg:
https://mywebsite.com/verify/DFvgt45GF3s30Df5
5. If this URL is visited within the given time limit, change the user’s status to active. If the time
limit expired, email a new random string to the user, and redo steps 3 and 4
Some Videos