security - How safe is this procedure?


I'm going to use this kind of approach to store passwords:

  1. The user enters a password.
  2. The application salts the password with a random number.
  3. Then the salted password is used as the key for an encryption algorithm to encrypt a randomly selected array of data (consisting of items from a predefined table of chars/bytes).
    • For simplicity a table of digits can be used; in the case of digits the random array is a long enough integer/biginteger.
  4. Then store in the DB the salt (modified value) and the encrypted array.

To check password validity:

  1. Get the given password.
  2. Read the salt from the DB and calculate the decrypt key.
  3. Try to decrypt the encrypted array.
  4. If successful (in the mathematical sense), compare the decrypted value byte by byte:
    • Does it contain only chars/bytes from the known table, for instance is it an integer/biginteger? If so, the password counts as valid.

What do you think of this procedure?

In a few words, it's a kind of alternative to using hash functions...

In this approach the encryption algorithm is used for the calculation of a non-invertible value.

edit

    # The encrypt/decrypt function works like this:
    key = hash(password)
    cyphertext = encrypt(plaintext, key)
    plaintext = decrypt(cyphertext, key)

    # Encrypting the password when entered:
    key = hash(password) + salt   or   hash(password + salt)
    array = {a1, a2, ... ai}
    some_table = random({array})
    encrypted_table = encrypt(some_table, key + salt)

    # Checking validity:
    decrypt(encrypted_table, password + salt) == some_table
    if (some_table contains {array} elements) -> valid, else invalid

The proposed scheme is, at best, less secure than storing a hash of the password and salt.

This is because the encryption step adds only a small constant amount of time to checking whether each hash value is correct; at the same time it introduces classes of equivalent hashes, since there are multiple possible permutations of the array that are recognised as valid.
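Added example, not code from the question or the answer: a Python model of the scheme using a toy SHA-256 counter-mode XOR keystream as the cipher (an assumption made only to make the steps concrete). It measures the answer's point with a table of digits: any wrong password whose decryption happens to land in the table is accepted, so the accept set is far larger than the single matching digest of hashed storage, while each check still costs about one hash.

```python
import hashlib

# Toy model of the scheme in the question: TABLE is the "predefined table"
# (digits), some_table a random draw from it, and the cipher a SHA-256
# counter-mode XOR keystream, assumed here only to make the scheme concrete.
TABLE = b"0123456789"

def keystream(key: bytes, n: int) -> bytes:
    # Toy counter-mode keystream (assumption, not a real cipher)
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(password: bytes, salt: bytes, some_table: bytes) -> bytes:
    # Store step: encrypt the random table under hash(password + salt)
    key = hashlib.sha256(password + salt).digest()
    return xor(some_table, keystream(key, len(some_table)))

def check(password: bytes, salt: bytes, ciphertext: bytes) -> bool:
    # Verify step: decrypt, accept if every byte lies in TABLE.  Any key whose
    # decryption happens to land in TABLE is accepted, not just the right one.
    key = hashlib.sha256(password + salt).digest()
    plaintext = xor(ciphertext, keystream(key, len(ciphertext)))
    return all(b in TABLE for b in plaintext)

def hash_store(password: bytes, salt: bytes) -> bytes:
    # The alternative the answer prefers: store hash(password + salt)
    return hashlib.sha256(password + salt).digest()

def hash_check(password: bytes, salt: bytes, stored: bytes) -> bool:
    return hashlib.sha256(password + salt).digest() == stored

def false_accept_rate(n: int) -> float:
    # Fraction of wrong keys whose n-byte decryption lands in TABLE
    return (len(TABLE) / 256) ** n

def measured_false_accepts(verify, correct: bytes) -> int:
    # Count wrong candidates (constructed: all 4-digit strings) verify() accepts.
    # Each call costs one hash plus an XOR in both schemes, so the encryption
    # step adds no meaningful work per guess; the difference is the accept set.
    count = 0
    for i in range(10000):
        cand = f"{i:04d}".encode()
        if cand != correct and verify(cand):
            count += 1
    return count
```

With a one-digit some_table about 10/256 of wrong passwords pass the scheme's check, whereas the hash comparison accepts none of them; lengthening the array shrinks the rate but never reaches the single accepted value of a stored digest.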

