Login Encryption; Login Lookup


Phil C.

Hi. I'm working on an ecommerce application. There is a conventional
registration page
where the person is identified by his entering an email address and
password.
I was planning to have all customer information encrypted, and the password
salted and hashed with SHA-1. However, when a registered person attempts to
log in, I would have to decrypt each email address in the stored table and
compare it with the person logging in to see if there is a match, before
checking the passwords. Is this the conventional way to do things, or is
there a speedier way?
 

Dominick Baier [DevelopMentor]

Hello Phil C.,

why do you want to encrypt the email address?? is this a secret? do you want
to secure it from tampering?

well - you could encrypt the email address and do a query in SQL on the encrypted
value, but this would mean you use the same key for every record?? you shouldn't
do that - every record should have a session key used for encryption (which
is encrypted using the master key).

maybe you should consider leaving the primary key (=email) in clear text.

Use PasswordDeriveBytes (or Rfc2898DeriveBytes in .NET 2.0) to store the
hashed passwords.
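Dominick's two points above (give each record its own key and wrap it under a master key; do not decrypt every row to find one), worked through as an added example. This is not code from the thread or from .NET: it is Go using only the standard library, and the Store/Record layout, the constructed keys, and the HMAC "blind index" column used for the lookup are assumptions for illustration, since the thread itself only suggests leaving the email in clear text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Record is one customer row. Only EmailIndex is usable without a key; it is the
// column the login query hits, so no row has to be decrypted to find the account.
type Record struct {
	EmailIndex  string // HMAC-SHA256(IndexKey, normalized email), hex, with a unique index on it
	WrappedDEK  []byte // this row's own AES-256 key, AES-GCM encrypted under MasterKey
	EmailCipher []byte // nonce || AES-GCM(DEK, email); a fresh random nonce (IV) per field
}

// Store stands in for the customer table plus the two keys the application keeps out of it.
type Store struct {
	MasterKey []byte            // key-encryption key; assumed to live in an HSM/KMS/DPAPI, not the DB
	IndexKey  []byte            // separate HMAC key: a dump of the table alone cannot test email guesses
	Rows      map[string]Record // keyed by EmailIndex (assumed layout, stands in for a SQL table)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not user input
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce || ciphertext || tag under a fresh random nonce; open reverses it and
// fails if the ciphertext or tag was tampered with.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	g := aead(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// BlindIndex is the searchable column: a keyed hash of the normalized address. Equal
// addresses always give the same value, so the lookup is one indexed query.
func (s *Store) BlindIndex(email string) string {
	mac := hmac.New(sha256.New, s.IndexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Insert generates a data key for the new row, encrypts the email under it, and stores the
// data key wrapped under the master key (Dominick's "session key encrypted using the master key").
func (s *Store) Insert(email string) error {
	idx := s.BlindIndex(email)
	if _, dup := s.Rows[idx]; dup {
		return errors.New("email already registered")
	}
	dek := randBytes(32)
	s.Rows[idx] = Record{idx, seal(s.MasterKey, dek), seal(dek, []byte(strings.TrimSpace(email)))}
	return nil
}

// Find locates the row by blind index, unwraps its data key with the master key, and only
// then decrypts the single field it needs: one lookup, one unwrap, one decrypt.
func (s *Store) Find(email string) (string, error) {
	rec, ok := s.Rows[s.BlindIndex(email)]
	if !ok {
		return "", errors.New("no such account")
	}
	dek, err := open(s.MasterKey, rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, rec.EmailCipher)
	return string(pt), err
}
```

The lookup column is a keyed hash rather than a plain SHA-256 of the address, so someone holding only a copy of the table cannot confirm a guessed address against it; the HMAC key lives with the master key, outside the database. Because each field is sealed with AES-GCM, a modified wrapped key or ciphertext makes open return an error instead of silently yielding garbage.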
 

Phil C.

Dominick,

Thanks for the reply. I was soliciting opinions on what people out in
industry actually do. I have an IV for each record (row) and the other
columns in a particular row are encrypted with aes using one key that I
keep. I was supposing that if you are going to protect customer information,
you might as well be encrypting all their information that could uniquely
identify them, and the email address is certainly a unique identifier.
Could you explain what you mean by "session key"?
 

WJ

Phil C. said:
Dominick,

.... I was supposing that if you are going to protect customer
information, you might as well be encrypting all their information that
could uniquely identify them, and the email address is certainly a unique
identifier.

Generally, when you build an e-Commerce website to accept users' sensitive data,
the appropriate way is to enable SSL on the site (so-called port 443). SSL
will encrypt the entire site (every page) over the internet to prevent data
snatching/theft. Without SSL, you may lose many customers, no matter how good
your encryption method is. Now, for form authentication, all you need is to
provide a 1-way hash for the user password. I use MS/DPAPI for this method.
Yes, the hashed password is also protected by the SSL server certificate. So, you
double-secure your user's data.

Be aware that a well-known SSL cert such as VeriSign will cost you some $$$,
but it is worth it; your customers pay for it anyhow.

John
 

Dominick Baier [DevelopMentor]

Hello WJ,

of course - SSL is a prereq. But we are talking about how to protect the
data that gets persisted in their back end

SSL only protects the data while in transit....

DPAPI does no hashing...it only does encryption...be careful when storing
DPAPI-encrypted data in a database - as the key is scoped to the machine
which did the encryption..if you lose that key you are in trouble.
 

WJ

Dominick Baier said:
Hello WJ,

of course - SSL is a prereq. But we are talking about how to protect the
data that gets persisted in their back end

Wouldn't RDBMS do this task for you already ? Once data is in your RDBMS
backend, how do I hack into it without a secret key ?
SSL only protects the data while in transit....

DPAPI does no hashing...

that was my own hash that I just added to it.
it only does encryption...be careful when storing DPAPI-encrypted data in
a database - as the key is scoped to the machine which did the
encryption..if you lose that key you are in trouble.

Well, no solution is perfect! Would you rather implement machine store than
user store? I prefer machine store because it is easier to maintain and
secure one machine (server) than multiple machines (clients). Would you ever
lose your home key?

Well, to get to my machine, it will take great effort from an ace hacker!

John
 

Dominick Baier [DevelopMentor]

Hello WJ,

inline

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Wouldn't RDBMS do this task for you already ? Once data is in your
RDBMS backend, how do I hack into it without a secret key ?

which secret key are you talking about?? are you only thinking of outside
hackers or also insiders?
that was my own hash that I just added to it.

Well, no solution is perfect! Would you rather implement machine store
than user store ? I prefer machine store because it is easier to
maintain and secure one machine (server) than multiple machines
(clients). Would you ever lose you home key ?

well - what will you do if the machine crashes??? do you have a backup of
that key??
 

WJ

Dominick Baier said:
Hello Dominick Baier,

which secret key are you talking about??
My system password. The admin. password.
are you only thinking of outside hackers or also insiders?
All Dominick. In my shop, I am the only
well - what will you do if the machine crashes??? do you have a backup of
that key??

Back them up!!! It is your life. I do a nightly backup. I do a full system
backup once a week. I burned all secret/system stuff to CD.

Now back to the user store method. How do you secure them? How can you tell if
a client lost his PC/key together?

John
 