douwu3763 2013-06-02 18:36
Views: 82
Accepted

Some feedback on my password hashing algorithm (php, mysql, corona sdk)

My site is not in production yet and I wanted some advice on password hashing before I go live and it's hard to change things. In general my site is hosted on EC2 and will use Amazon RDS. I'll have security set up so the only way to access the database is if you're connected to the EC2 machine. My site is not going to store any really sensitive financial data but it will certainly store email addresses and passwords, and there is a high likelihood I will allow paypal transactions, so the user's email address will often also happen to be a paypal address.

Part of the reason I used the hashing algorithm I did was because I am building an app using Corona SDK. I was planning to use similar hashing functions on the client and server. E.g., I could hash the password on the client and then send the hashed password over ssl to the server. As a side note, I will never store the user's password ( hashed or not ) on the client.

General questions

  • If I am allowing users to login through a mobile app, is it better to hash the data and then send it over SSL, or is it better to take exactly what users entered and send it over SSL? My concern is whether exposing my hashing algorithms on the client is a really bad idea. It might be better to trust that SSL is secure and send data raw instead.
  • Do you have any suggestions for improving the methods I am using to hash and store data? More details below.

So the general idea is that when a user registers, I create a unique userkey for each user. This key is stored in the db. The email address is encrypted using this key and the password is hashed using the same key.

$key = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM); 

The password hash is created using the following function.

function hash_string($data,$key) {
    // HMAC-MD5 of the password, keyed with the per-user key
    $hash = hash_hmac('md5', $data, $key);
    // 100 further rounds, each feeding the previous hex digest, the data and the key back in
    for ($i = 1; $i <= 100; $i++) {
        $data = $hash . $data . $key;
        $hash = hash_hmac('md5', $data, $key);
    }
    // $hash is a 32-character hex string at this point; base64 it for storage
    $hash = base64_encode($hash);
    return $hash;
}

The email address is encrypted using the following function.

function encrypt_text($key,$string)
{
    // Rijndael-256 in ECB mode; note that mcrypt ignores the IV in ECB mode,
    // so $iv is generated here but has no effect on the output
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    // mcrypt_encrypt zero-pads $string to the block size before encrypting
    $encrypttext = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_ECB, $iv));
    return $encrypttext;
}

I found these functions in various places and I don't know much about security so just wanted some feedback.
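For the password side of the question, the following is an added example (not the asker's code) of the storage scheme PHP ships for this purpose: password_hash()/password_verify() (PHP 5.5+, bcrypt with a per-password random salt and a tunable cost) in place of 100 rounds of HMAC-MD5 keyed with a value kept in the same table. It assumes PHP 7.0+ for the scalar type hints; the cost value and the "rehash on login" helper are choices made for this example, not anything from the original post.

```php
<?php
// Added example, not code from the question. Assumes PHP >= 7.0 and a users
// table with a single password_hash column (no per-user key column needed:
// the salt, algorithm and cost are embedded in the string password_hash returns).

// bcrypt work factor. Tune so that one verify takes roughly 100 ms on the
// instance class the site actually runs on; raise it over time.
const PASSWORD_COST = 12;

function register_password(string $password): string {
    // password_hash() draws its own 16-byte random salt from the OS CSPRNG.
    // bcrypt only uses the first 72 bytes of the input.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => PASSWORD_COST]);
}

function check_password(string $password, string $stored_hash): bool {
    // password_verify() parses the salt/cost out of $stored_hash and compares
    // in constant time.
    return password_verify($password, $stored_hash);
}

// Login helper: returns [ok, new_hash]. new_hash is non-null only when the
// stored hash was made with a lower cost (or another algorithm) than the
// current setting; the caller then writes it back to the row, so old hashes
// are upgraded transparently as users log in.
function verify_and_refresh(string $password, string $stored_hash): array {
    if (!password_verify($password, $stored_hash)) {
        return [false, null];
    }
    $new = null;
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => PASSWORD_COST])) {
        $new = password_hash($password, PASSWORD_BCRYPT, ['cost' => PASSWORD_COST]);
    }
    return [true, $new];
}

// Demonstration with constructed values.
$stored = register_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $stored));
var_dump(check_password('Tr0ub4dor&3', $stored));

// Same password registered twice: different hashes, because the salt is random.
var_dump($stored === register_password('correct horse battery staple'));

// A hash made earlier with a lower cost is accepted and flagged for upgrade.
$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
list($ok, $upgraded) = verify_and_refresh('correct horse battery staple', $old);
var_dump($ok, $upgraded !== null);
```

Nothing from the client needs to change for this: the server receives the password over TLS and calls check_password(); the stored string can be moved to a higher cost or to PASSWORD_ARGON2ID (PHP 7.2+ with libargon2) later without touching existing rows, since password_needs_rehash() detects the mismatch on the next login.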

1 answer

  • donglan6777 2013-06-02 18:49

    You store the key you used for the encryption in the same database as the encrypted information? Then it makes no sense, since once someone has access to your database the information as well as the key (and hence the encryption itself) is useless. Spare the trouble.

    For the password hashing there are lots of discussions about this out there, also good answers on SO; you should probably move away from MD5 and use a better salt.

    This answer was chosen by the asker as the best answer.
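The answer's first point, that a key stored next to the ciphertext protects nothing once the database is read, is worth seeing alongside a version that keeps the key out of the database. The following is an added example, not the answerer's or the asker's code: it reads a single site-wide key from the process environment (the variable name MAIL_ENC_KEY is a hypothetical choice for this example) and encrypts the email column with AES-256-GCM under a fresh random nonce, so two identical addresses produce different ciphertexts (under the ECB mode in encrypt_text they would be identical) and any modification of a stored value is detected at decrypt time. It assumes PHP 7.1+ with the OpenSSL extension.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 with ext/openssl.
// The key lives in the environment (or a config file readable only by the web
// process), never in a column of the same table as the ciphertext.
// MAIL_ENC_KEY (hypothetical name) holds 32 random bytes, base64-encoded.

function load_email_key(): string {
    $b64 = getenv('MAIL_ENC_KEY');
    if ($b64 === false) {
        throw new RuntimeException('MAIL_ENC_KEY not set');
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('MAIL_ENC_KEY must decode to exactly 32 bytes');
    }
    return $key;
}

function encrypt_email(string $email, string $key): string {
    // Fresh 12-byte nonce per record. Reusing a nonce under the same GCM key
    // breaks confidentiality, so it is never derived from the key or the row.
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt($email, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout: nonce (12) || tag (16) || ciphertext, base64-encoded.
    return base64_encode($iv . $tag . $ct);
}

function decrypt_email(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 12 + 16) {
        return null;
    }
    $iv  = substr($raw, 0, 12);
    $tag = substr($raw, 12, 16);
    $ct  = substr($raw, 28);
    // openssl_decrypt returns false when the tag does not verify, i.e. the
    // value was altered or a different key is in use.
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Demonstration with a constructed key; in deployment the variable is set
// outside the application (systemd unit, container secret, etc.).
putenv('MAIL_ENC_KEY=' . base64_encode(random_bytes(32)));
$key = load_email_key();

$c1 = encrypt_email('alice@example.com', $key);
$c2 = encrypt_email('alice@example.com', $key);
var_dump($c1 !== $c2);               // same address, different stored values
var_dump(decrypt_email($c1, $key));  // round-trips to the original address

// Flip the last ciphertext byte: the tag no longer verifies and null comes back.
$raw = base64_decode($c1);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(decrypt_email(base64_encode($raw), $key));
```

Because the address is randomized on every encryption, a lookup by email can no longer be done with a WHERE clause on the ciphertext; if that lookup is needed, store an HMAC of the normalized address under a second, separately held key as an index column.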
