I know there was question like this million times, but I was unable to find answer that will fit my needs.
I'm building something like small internal password manager for my company, to store login data for various servers and so on.
When new user is registered, his password will be saved in database in salted/hashed version so no one can get access to it (and for that part I think it's all ok, correct me if I'm wrong).
But then, when user is logged in, he is able to add new server with it's login details.
Question is, how to store those.
Because, at some point, I have to present this login details to user in plain text (that is whole point of this application).
Best I could came up with is using some kind of symmetric encryption.
Idea is that app will crypt login details with symmetric encryption and save it in that way into database, and then when data is needed once again will extract data from database, decrypt it with same key and present to user (and key should be in source code of application?).
It could be asymmetric encryption but it's the same if public and private key are stored in same source code, then there is no any benefit of using it?
That doesn't seem too secure, but I can't think of anything better.
Is there any better way to do this, to store this login data?
If it's important to you, application will be in PHP and database is Oracle
I would just use symmetric encryption. The standard steps are:
Derive a symmetric key from a user-supplied password (e.g. PBKDF2 or scrypt)
Encrypt the data using AES-128-CBC or better with a good random IV
HMAC the result (e.g. HMAC_SHA256) or just use AES GCM mode
Store IV+ciphertext+MAC in the database.
This can all run in a browser these days (see crypto-js and aes-js). That way the server never gets to see the plaintext password (not sure if this is a requirement).
The MAC can also serve as a password hash, i.e. if the MAC validation fails, then it means the supplied password is incorrect.
Related
There are so many articles on stack-overflow and security.stackexchange on storing encryption keys, but I am still confused, so that's why I decided to ask again here.
Basically, I am creating an Email client for education purpose, in that Users can create account where they enter there Email-ID and Password. I am looking for secure way to save the information.
I will be
Encrypting the Email-ID and Password
and storing the encryption key on the user PC because I don't want the user to type in password every time he sends and Email
From reading I have understood that,
I need to store the encryption key in a separate location, so that it will be difficult to find by an hacker, But the problem here is that my application is written in Python and it will be open source application, so hacker can view the source code and get the path of the directory where the key is stored.
Second solution is that I can have a master password which will be used as a key, when the user opens the application for the first time after starting the computer, the application will ask for the master password, then I can store the key in RAM.
Looking at all the articles on internet on this topic this is a repetition, but I am sill learning to make applications and for the last two days I going in a loop with no success.
OS: Linux Ubuntu 14.04
Programming Language/Framework: Python/Gtk+
Your understanding is correct.
It's impossible to prevent a attacker with access to the local key from accessing the password. Obscuring the path where it is stored provides virtually zero additional security - any attacker with the know-how necessary to perform the decryption will easily bypass such a mechanism.
The only secure way to do this is storing the key (or a key to the key) out of the computer - in the user's mind, in the case of the master password mechanism.
If you end up using a master password, don't forget to use a proper key derivation function, ideally with a key-stretching mechanism, such as PBKDF2 or bcrypt. Never use a password as a key directly (or even a simple hash of the password.
I'm asking at a purely abstract level (no code required).
Some data is to be stored on a web-server/database on behalf of a user. The data is encrypted using the user's password as the key, ensuring that if the server or database is compromised, it is relatively useless to the attacker.
The problem is that the standard process of resetting a user's password (sending them a link with a token) won't work, because there is no way to decrypt and re-encrypt the data without knowing the previous password.
Are there any other ways around this?
When you say that you are willing to reset the password using some piece of automated authentication, then what you're really saying is that there are two passwords: the "normal" password and the "authentication" password. The solution to your problem is to encrypt the file using a random key and then encrypt the key using each of the passwords.
As a concrete example:
User provides a password "Aw3som1"
User also provides his high school mascot: "the Chipmunks"
Just to make it really complete, let's assume your authentication scheme is very forgiving like many are. You would accept just "chipmunks" (or "CHIPMUNKS" or maybe even "chipmunk") rather than "the Chipmunks." But whatever it is, your scheme must be deterministic. Every possible answer you will accept must resolve to the same hash. In this case, I'm going to assume that you lowercase the security answer, remove articles, and reduce to singular if it's plural. Then you prepend the class of question. So your secondary password is something like "mascot:chipmunk".
You now make up a random 16-bytes and use that key to encrypt the data. You then use normal password-based encryption techniques (e.g. PBKDF2) to encrypt the key with each of your passwords above. Then you throw away the key and the passwords.
When you need to do a reset, decrypt the real key with the provided password ("mascot:chipmunk") and re-encrypt the key with the new password (and "mascot:chipmunk" again).
The one usability issue is that a password reset invalidates all the other security answers, and the user must reconfigure them all. If that's a problem, you could put all the security answers into a bundle and encrypt that using the same technique as the data. (i.e. the security answers are encrypted against all of the security answers.)
This approach of course creates two (or more) passwords that can unlock the data, and so dramatically drops brute-force search time. You should consider that when scaling things. That said, your safety margins should generally be several orders of magnitude, so even a few passwords should be workable for many situations. Remember also that the security questions live in a tiny key space, particularly things like "mascot" or "make of car" which probably only have a few dozen likely values (unless you went to my high school which had a truly bizarre mascot…) That just means that aggressively tuning PBKDF2 is even more important.
Of course the existence of any kind of password reset system is going to make targeted attacks much easier. But that's true no matter how you implement the encryption.
But what if there isn't even a security question? What if you'll reset the password based on an email address alone? Well, then the email address is the password. That's problematic in the face of a stolen database, and it's hard to fix because there is no real secret (and encryption requires a secret). But all is not completely lost. One thing you can do is to never include the actual email address in the database. Think of the email address as a password (since it is in this case). Store a hash. You can't use a random salt on it, but you could still use some single salt for the whole database.
So my email is test#example.com. You treat that as a password, salt it with "mygreatservice" and run it through PBKDF2. To login, just treat it like a password again.
An attacker, though, has to guess email addresses one at a time. That's not incredibly hard, but he can't just decrypt the entire database in one go, and he'll never get the data from emails he doesn't guess. (And you did choose a really easy reset mechanism.)
Why do you need to un-encrypt the password? If they have forgotten then you will have to verify them based on the fact they had access to the email account where the reset token was sent. Ideally you would include some other form of question/proof of identity on the reset page like a secret question.
Also, you're best not storing the password using reversible encryption but instead using a strong salted hash which is one way.
We have a typical web-based login system. We want customers to have the ability to generate a "login link" that doesn't ever expire and includes their password.
We want to therefore create a link which includes their password in encrypted form.
NOTE: I know the best way is a lookup table where each link has a unique key... I won't go into why that won't work for us; it won't.
I'm not familiar with public key encryption.. Maybe that's what I need?
Here's what I'm thinking. This still might not be enough, so please let me know:
Definition: user-password refers to the user's password that we want in encrypted form in the link.
We cannot use one encryption key for all user-passwords because it may be possible to derive the encryption key by generating tons of links, so...
Use a standard form of symmetric encryption.
The server has a text file with 1000 complex encryption keys.
When a link is generated (using the PHP script that has that list), one of the 1000 encyption keys is chosen to encrypt their plaintext password (chosen in sequence, not at random to prevent the same from being chosen close to the same time).
Before encrypting the user's password, add something like "s345lm34l5k342342343534432324sdfs" to the start of it, to "salt" it. (Ex: password1 becomes s345lm34l5k342342343534432324sdfspassword1). "Salting" makes it harder to decrypt against dictionary attacks. This salt is kept private. But, of course, there's the risk it can be compromised and it's one salt for all passwords, so...
In addition, there's a second randomly generated salt added to the password. This salt is encrypted with a single strong password. Because both the salt and the password encrypting it is a random pattern of bytes, it makes it harder to determine the salt.
The link maker tool only lets you generate 15 links every 10 minutes, and then locks out the IP.
The link maker tool doesn't not generate links unless the user/password provided to it is actual a functioning user/password combination. That way, if someone is just try to generate links to determine the encryption info, it won't work. Still, theoretically, they could obtain a valid user/password and try to brute force.
Is this secure?
No, because the encrypted password has become the password. Have you tried SSL? SSL should solve your problems, you can just use a plain URL on HTTP level.
An organization I work for has a few different websites they use on a daily basis. I've been asked to develop a web application (using ASP.NET) that can access/synthesize information from these and display it in one location. Unfortunately, one of the websites does not support OAuth or anything similar, so I need to store their login credentials in a database.
My first thought was to use their credentials for my site as a key to encrypt their credentials for the remote site. For example: Bob logs in to my website with the password hunter2. Using that password, I decrypt Bob's credentials for www.example.com and log in as Bob there. Since I don't need to access example.com unless Bob is on my site, I can discard the decrypted credentials once he's done.
My assumption that simply using hunter2 (or whatever Bob's password is) isn't enough and that there is a "standard" way that I haven't been able to find on Google or Stack Overflow.
If you can't avoid storing the passwords on the server, then encrypting with the user's "master" password (e.g. "hunter2") is your best bet. No other approach offers protection in the event that the server is compromised. Now... how much protection you get hinges entirely on the complexity of the user's master password. I'll offer my analysis of the security of this scheme at the end, but before that, let me review the pitfalls to avoid.
First—and I assume that you already know this, but—you must not store the user's master password anywhere. Ok, with assumptions out of the way...
Do not use the user's actual password as the key to the encryption function.
Consider what would be possible if you did: what if an attacker managed to download your entire users table, complete with encrypted example.com passwords? We all know that user chosen passwords are easy to guess. What would stop the attacker from repeatedly decrypting the encrypted example.com password, trying 40 million commonly used passwords as the key, discarding any result that doesn't look like a password (that is, the decrypted result does not appear in the wordlist)? AES is designed to be fast. While not an apples to apples comparison, a sense of the speed of AES should be imparted when you consider that an encrypted version of the aforementioned 500mb wordlist could be decrypted in about one second on modern hardware. Worse yet, the attacker would not only get the example.com password, they would also have the key used for encryption, or in other words, the user's master password!
That, in a nutshell, is why you need to use a key derivation function (KDF). A KDF will ideally protect you in three ways:
Require a non-trivial amount of time to compute each key. A user can wait one second for the server to turn their password into a key. An attacker may be less inclined to wait 40,000,000 seconds—see analysis below.
Salt the password. Without salt, an attacker could brute-force the entire users table in one pass, not to mention make a space-time tradeoff.
Prevent recovery of the master password, even if the attacker recovers the encryption key.
One such KDF that provides all three is PBKDF2. Conveniently, there is an implementation built in to .NET:
public static byte[] DeriveKey(int keyBitSize, string password, byte[] salt) {
const int iterations = 1<<12; // Once set, any change will break decryption.
using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations)) {
return kdf.GetBytes(keyBitSize);
}
}
Analysis
40 million seconds is less than 500 days. Since wordlists are usually ordered with the most commonly used passwords first, the attacker has a good chance of finding the password in significantly less than half the time it takes to try the entire wordlist. As a final wrinkle, it is possible to try keys in parallel: a 500-node botnet could try the entire wordlist in a day.
That's the problem with relying on the user's password for encryption security. You can choose to accept this risk or you can decide not to store the user's password on the server. If you decide to store encrypted passwords on the server, you can mitigate the risk by increasing the complexity requirements for the user's master password.
Whatever approach you take will have issues that will leave you doubting yourself. You need to balance the solutions against your environment & see what best fits.
Will each user of your app have an account on the remote system? How are users authenticated by your system? Will your app run in a trusted environment (eg corporate network).
I wrote a similar app to front an internal system that had it's own username & passwords. My app used Windows Integrated auth to figure out who the user was. it then asked for their password to the remote system & encrypted that value using a hard-coded key & stored the value in the DB. It could then retrieve the value, decrypt it & supply it to the remote system when needed.
Now in a non-trusted environment, someone could obtain my binaries & work out what they key was & get all the passwords. That would be bad. But on a corporate network, if they did that, they should come & work for me.
You already have access to the user's clear-text secondary passwords, so regardless of whether or not you throw away the encryption key, you're still responsible for their safety when it is in the clear. Keep that in mind when you handle the passwords.
If you use the user's own password to encrypt, you are reducing the strength of all their secondary passwords to the strength of the primary one. This is probably bad since a) user passwords are notoriously weak already (I know, why do we even bother in the first place?) and b) even with the strongest of passwords, it still won't match the strength of a solidly random 256 bit AES key.
My suggestion is to consider having a single AES key that encrypts their clear-text secondary passwords. Then, guard the AES key well. It may make sense, instead to have a root AES key that encrypts many sub-keys, one for each user. You'll have to do a risk analysis, I suppose.
I am very new to web application (ASP.NET). I have source code and database for a complete project.
ASP.NET (Authentication) control is used for login. I don't know the password right now but i can get the login name and password in encrypt format from the database table.
How could I login to the application with only this little information available.
As the control are dynamically created on the pages, it is very hard to debug and find them on runtime.
How could i proceed for login by encrypted password? or is there a way to login by overcoming Authentication control.
The password is probably SHA1 encrypted. Basically what you have to do is SHA1 encrypt the password the user gives you and compare that to the password in your database. Because SHA1 always results to the same thing if the input is the same, you will know that the users given password is correct if both hashes match.
SHA1 encryption is a form of hashing and cannot be reversed.
No, hashed passwords in the database are non-reversible intentionally. This keeps anyone (a hacker?) from reading your database and being able to log in.
As Sam152 said, the passwords are likely SHA1 hashed, so if the passwords are not stored with salt, you can build a rainbow table to find the original password. If they are salted, you need to know the salt to build the rainbow table as well.
You could try implementing custom MembershipProvider by derriving from this class. Then you just override method ValidateUser to meet your requirements. Also remember to modify Web.config.
The point of hashed passwords is that a they can't be used by folks not knowing the decrypted password.
There should be a way to reset the password for users. You could do this and log in based on the reset password.
If you are trying to log in to an active user's account, you may want to consider the implications in doing so without their knowledge (if that is the case). However, if it is just a test user, reseting the password is probably the least cumbersome way. That functionality or procedure should probably be part of web app anyway.
If it's the standard ASP.NET membership stuff, I think it uses a stored proc to check the DB. Just change that and have it return true or whatever.
Adding to the above answers SHA1 encryption output is 40 byte. You should check the length of the encrypted password to get an idea about the kind of encryption..since hash algorithm has predefined no of output bytes, this would help you map with the kind of algorithm and then you should look for possibile salt usage as #MattGWagner said...is the tables in database that stores user information seems like aspnet_users,aspnet_membership, etc? Then this should be the standard authentication provided by windows..Just google and see how it works