
Tuesday, November 24, 2015

Best way to secure password using Cryptographic algorithms in C# .NET


Let me explain some of the common ways of storing passwords in a database, along with their drawbacks. By the end of this article you will understand the best way to secure passwords using cryptographic algorithms in C# .NET.



1. Plain text

Storing passwords in plain text is the worst form of password management. If the database is compromised, the attacker can read every password with no effort at all.

2. Symmetric Key Encryption

One common way of storing passwords is encryption. It is a two-way process: the password is encrypted with a secret key when it is stored and decrypted with the same key when the user authenticates.

This is better than storing passwords as plain text, but key management is the challenge. Where do you keep that key? If it lives in the same database, an attacker who dumps the encrypted passwords gets the key along with them and can decrypt every one of them.

3. Asymmetric Key Encryption

Instead of a symmetric algorithm, we could use an asymmetric one such as RSA: the client encrypts the password with the public key and sends it to the server for storage, and at authentication time the private key is used to decrypt it. That private key must be kept secret, so this is not a great solution either; key management is just as difficult as in the previous approach.

4. Hashing

With hashing there is no key management overhead, and there is no need to ever turn the password back into plain text. As discussed in my previous article, Cryptographic Hashing Algorithm in .NET C#, hashing is a one-way operation: once data is hashed, we cannot reverse it to recover the original message. A cryptographic hash has four important properties:
  • It is easy to compute the hash value for any given message
  • It is not feasible to generate a message from a given hash
  • It is not feasible to modify a message without changing its hash
  • It is not feasible to find two different messages with the same hash

Two types of attack are possible against hashed passwords:
  1. Brute force attack
  2. Rainbow table attack

Brute force attack

The attacker hashes candidate passwords one after another, looking for one whose hash equals the hash you have stored. With the latest high-performance graphics processors it is possible to compute billions of candidate password hashes, so finding the correct password is only a matter of time.

Rainbow table attack

A rainbow table is a precomputed listing of plaintext password candidates and their hashes, specific to a given hash algorithm, that is used to recover passwords from the hashed values stored in an application database. Such tables can be gigabytes in size. Once an attacker gains access to a system's password database, the cracking tool compares the rainbow table's precompiled hashes against the hashes in the database; because the table relates each hash to a plaintext candidate, any match reveals the password.

5. Salted Hash

It is common for a web application to store the hash value of a user's password in a database. Without a salt, a successful SQL injection attack may yield easily crackable passwords. Because many users re-use passwords across multiple sites, the use of a salt is an important component of overall web application security.


If we combine a random value with the password when hashing it, the result becomes much harder for an attacker to crack by brute force or with a rainbow table: a table precomputed for the bare hash algorithm no longer matches any stored value, and each user's hash has to be attacked separately. That random value is called a salt. The salted hash and the salt are both stored in the database, because the salt is needed again when the password is verified.
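As an added example (not code from the original post), here is a salted password hash in C# .NET: the salt comes from the cryptographic random number generator, is stored next to the hash, and is reused at verification time. It uses PBKDF2 (Rfc2898DeriveBytes with SHA-256) so that the salted hash is also deliberately slow to compute, and CryptographicOperations.FixedTimeEquals for the comparison, which assumes .NET Core 2.1 or later; the iteration count and the "iterations.salt.hash" record format are my own assumptions.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not from the original post: salted password hashing in C#.
// Each password gets its own random salt, so a precomputed (rainbow) table
// for the bare hash algorithm no longer matches any stored value.
public static class SaltedPasswordHasher
{
    private const int SaltSize = 16;        // 128-bit random salt
    private const int HashSize = 32;        // 256-bit derived hash
    private const int Iterations = 100000;  // PBKDF2 work factor (assumed value)

    // Returns "iterations.salt.hash" (base64 fields) for storage in the database.
    public static string HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);             // fresh, unpredictable salt per user
        }
        byte[] hash = DeriveHash(password, salt, Iterations);
        return Iterations + "." + Convert.ToBase64String(salt) + "." + Convert.ToBase64String(hash);
    }

    // Recomputes the hash with the stored salt and compares in constant time,
    // so the comparison leaks no timing information about the expected hash.
    public static bool VerifyPassword(string password, string storedRecord)
    {
        string[] parts = storedRecord.Split('.');
        if (parts.Length != 3 || !int.TryParse(parts[0], out int iterations)) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = DeriveHash(password, salt, iterations);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // PBKDF2 with SHA-256: the salted hash is iterated 'iterations' times, which
    // also makes every brute-force guess expensive for the attacker.
    private static byte[] DeriveHash(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashSize);
        }
    }
}
```

Store the string returned by HashPassword in the password column; at login, pass the user's input and that stored record to VerifyPassword, which recomputes the hash with the same salt and iteration count.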
