Login Encryption; Login Lookup

Discussion in 'ASP .Net Security' started by Phil C., Aug 18, 2005.

  1. Phil C.

    Phil C. Guest

    Hi. I'm working on an ecommerce application. There is a conventional
    registration page
    where the person is identified by his entering an email address and
    password.
    I was planning to have all customer information encrypted, and the password
    salted and hashed with SHA-1. However, when a registered person attempts to
    login, I would have to decrypt each email address in the stored table and
    compare it with the person logging in to see if there is a match, before
    checking the passwords. Is this the conventional way to do things, or is
    there a speedier way?
    Phil C., Aug 18, 2005
    #1

  2. Hello Phil C.,

    why do you want to encrypt the email address?? is this a secret? do you want
    to secure it from tampering?

    well - you could encrypt the email address and do a query in sql on the encrypted
    value, but this would mean you use the same key for every record?? you shouldn't
    do that - every record should have a session key used for encryption (which
    is encrypted using the master key).

    maybe you should consider leaving the primary key (=email) in clear text.

    Use PasswordDeriveBytes (or Rfc2898DeriveBytes in .NET 2.0) to store the
    hashed passwords.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi. I'm working on an ecommerce application. There is a conventional
    > registration page
    > where the person is identified by his entering an email address and
    > password.
    > I was planning to have all customer information encrypted, and the
    > password
    > salted and hashed with SHA-1. However, when a registered person
    > attempts to
    > login, I would have to decrypt each email address in the stored table
    > and
    > compare it with the person logging in to see if there is a match,
    > before
    > checking the passwords. Is this the conventional way to do things,
    > or is
    > there a speedier way?
    Dominick Baier [DevelopMentor], Aug 18, 2005
    #2
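The scheme Dominick recommends, as an added example that is not from the thread: the email stays in cleartext as the lookup key, and only the password is stored as a per-record salt plus a PBKDF2-HMAC-SHA1 hash (PBKDF2, RFC 2898, is the KDF behind Rfc2898DeriveBytes). The in-memory table, the iteration count and the sample accounts are assumptions of this example.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example; Rfc2898DeriveBytes (.NET 2.0) also uses HMAC-SHA1.
HASH_NAME = "sha1"
ITERATIONS = 10000   # assumed work factor; raise it as hardware gets faster
SALT_LEN = 16        # bytes of random salt per record
DK_LEN = 20          # derived-key length in bytes (SHA-1 output size)


def pbkdf2(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA1 (RFC 2898), the KDF behind Rfc2898DeriveBytes."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                               iterations, DK_LEN)


def normalise(email):
    # The lookup key must be deterministic: one address always maps to one row.
    return email.strip().lower()


# Constructed stand-in for the customer table. The email is the cleartext key;
# only the password is stored transformed (salt + iteration count + hash).
USERS = {}


def register(email, password):
    salt = os.urandom(SALT_LEN)                 # fresh salt for every record
    record = {"salt": salt, "iterations": ITERATIONS,
              "hash": pbkdf2(password, salt)}
    USERS[normalise(email)] = record
    return record


def login(email, password):
    record = USERS.get(normalise(email))        # direct index lookup, nothing to decrypt
    if record is None:
        # Do the same work for unknown accounts so response time does not
        # reveal whether an address is registered.
        pbkdf2(password, b"\x00" * SALT_LEN)
        return False
    candidate = pbkdf2(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


if __name__ == "__main__":
    register("Alice@Example.com", "correct horse battery staple")
    print(login("alice@example.com", "correct horse battery staple"))  # True
    print(login("alice@example.com", "wrong password"))                # False
```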

  3. Phil C.

    Phil C. Guest

    Dominick,

    Thanks for the reply. I was soliciting opinions on what people out in
    industry actually do. I have an IV for each record (row) and the other
    columns in a particular row are encrypted with aes using one key that I
    keep. I was supposing that if you are going to protect customer information,
    you might as well be encrypting all their information that could uniquely
    identify them, and the email address is certainly a unique identifier.
    Could you explain what you mean by "session key"????

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Phil C.,
    >
    > why do you want to encrypt the email address?? is this a secret? do you
    > want to secure it from tampering?
    >
    > well - you could encrypt the email address and do a query in sql on the
    > encrypted value, but this would mean you use the same key for every
    > record?? you shouldn't do that - every record should have a session key
    > used for encryption (which is encrypted using the master key).
    >
    > maybe you should consider leaving the primary key (=email) in clear text.
    >
    > Use PasswordDeriveBytes (or Rfc2898DeriveBytes in .NET 2.0) to store the
    > hashed passwords.
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Hi. I'm working on an ecommerce application. There is a conventional
    >> registration page
    >> where the person is identified by his entering an email address and
    >> password.
    >> I was planning to have all customer information encrypted, and the
    >> password
    >> salted and hashed with SHA-1. However, when a registered person
    >> attempts to
    >> login, I would have to decrypt each email address in the stored table
    >> and
    >> compare it with the person logging in to see if there is a match,
    >> before
    >> checking the passwords. Is this the conventional way to do things,
    >> or is
    >> there a speedier way?

    Phil C., Aug 18, 2005
    #3
  4. WJ

    WJ Guest

    "Phil C." <> wrote in message
    news:...
    > Dominick,
    >
    > .... I was supposing that if you are going to protect customer
    > information, you might as well be encrypting all their information that
    > could uniquely identify them, and the email address is certainly a unique
    > identifier.


    Generally, when you do an e-Commerce website to accept user's sensitive data,
    the appropriate way is to enable SSL on the site (so called Port 443). SSL
    will encrypt the entire site (every page) over the internet to prevent data
    snatch/theft. Without SSL, you may lose many customers, no matter how good
    your encryption method is. Now, for form authentication, all you need is to
    provide a 1-way hash for the user password. I use MS/DPAPI for this method.
    Yes, hashed-password is also protected by SSL server certificate. So, you
    double-secure your user's data.

    Be aware that a well known SSL Cert such as VeriSign will cost you some $$$
    but it is worth it, your customers pay for it anyhow.

    John
    WJ, Aug 27, 2005
    #4
  5. Hello WJ,

    of course - SSL is a prereq. But we are talking about how to protect the
    data that gets persisted in their back end

    SSL only protects the data while in transit....

    DPAPI does no hashing...it only does encryption...be careful when storing
    DPAPI encrypted data in a database - as the key is scoped to the machine
    which did the encryption..if you lose that key you are in trouble.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > "Phil C." <> wrote in message
    > news:...
    >
    >> Dominick,
    >>
    >> .... I was supposing that if you are going to protect customer
    >> information, you might as well be encrypting all their information
    >> that could uniquely identify them, and the email address is certainly
    >> a unique identifier.
    >>

    > Generally, when you do an e-Commerce website to accept user's sensitive
    > data, the appropriate way is to enable SSL on the site (so called Port
    > 443). SSL will encrypt the entire site (every page) over the internet
    > to prevent data snatch/theft. Without SSL, you may lose many
    > customers, no matter how good your encryption method is. Now, for form
    > authentication, all you need is to provide a 1-way hash for the user
    > password. I use MS/DPAPI for this method. Yes, hashed-password is also
    > protected by SSL server certificate. So, you double-secure your user's
    > data.
    >
    > Be aware that a well known SSL Cert such as VeriSign will cost you some
    > $$$ but it is worth it, your customers pay for it anyhow.
    >
    > John
    >
    Dominick Baier [DevelopMentor], Aug 30, 2005
    #5
  6. WJ

    WJ Guest

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello WJ,
    >
    > of course - SSL is a prereq. But we are talking about how to protect the
    > data that gets persisted in their back end
    >


    Wouldn't RDBMS do this task for you already ? Once data is in your RDBMS
    backend, how do I hack into it without a secret key ?

    > SSL only protects the data while in transit....
    >
    > DPAPI does no hashing...


    that was my own hash that I just added to it.

    > it only does encryption...be careful when storing DPAPI encrypted data in
    > a database - as the key is scoped to the machine which did the
    > encryption..if you lose that key you are in trouble.
    >


    Well, no solution is perfect! Would you rather implement machine store than
    user store ? I prefer machine store because it is easier to maintain and
    secure one machine (server) than multiple machines (clients). Would you ever
    lose your home key ?

    Well, to get to my machine, it will take great effort from an ace hacker !

    John
    WJ, Aug 30, 2005
    #6
  7. Hello WJ,

    inline

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > "Dominick Baier [DevelopMentor]"
    > <> wrote in message
    > news:...
    >
    >> Hello WJ,
    >>
    >> of course - SSL is a prereq. But we are talking about how to protect
    >> the data that gets persisted in their back end
    >>

    > Wouldn't RDBMS do this task for you already ? Once data is in your
    > RDBMS backend, how do I hack into it without a secret key ?
    >


    which secret key are you talking about?? are you only thinking of outside
    hackers or also insiders?

    >> SSL only protects the data while in transit....
    >>
    >> DPAPI does no hashing...
    >>

    > that was my own hash that I just added to it.
    >
    >> it only does encryption...be careful when storing DPAPI encrypted
    >> data in a database - as the key is scoped to the machine which did
    >> the encryption..if you lose that key you are in trouble.
    >>

    > Well, no solution is perfect! Would you rather implement machine store
    > than user store ? I prefer machine store because it is easier to
    > maintain and secure one machine (server) than multiple machines
    > (clients). Would you ever lose your home key ?


    well - what will you do if the machine crashes??? do you have a backup of
    that key??

    >
    > Well, to get to my machine, it will take great effort from an ace
    > hacker !
    >
    > John
    >
    Dominick Baier [DevelopMentor], Aug 31, 2005
    #7
  8. WJ

    WJ Guest

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Dominick Baier,
    >
    > which secret key are you talking about??

    My system password. The admin. password.

    > are you only thinking of outside hackers or also insiders?
    >

    All Dominick. In my shop, I am the only

    > well - what will you do if the machine crashes??? do you have a backup of
    > that key??
    >


    Back them up!!! It is your life. I do nightly backup. I do full system
    backup once a week. I burned all secret/system stuff to my CD.

    Now back to user store method. How do you secure them ? How can you tell if
    a client lost his PC/Key together ?

    John
    WJ, Aug 31, 2005
    #8
