douwu3763 2013-06-02 18:36
Views: 82
Accepted

Some feedback on my password hashing algorithm (php, mysql, corona sdk)

My site is not in production yet and I wanted some advice on password hashing before I go live and it's hard to change things. In general my site is hosted on EC2 and will use Amazon RDS. I'll have security set up so the only way to access the database is if you're connected to the EC2 machine. My site is not going to store any really sensitive financial data, but it will certainly store email address and password, and there is a high likelihood I will allow PayPal transactions, so the user's email address will often also happen to be a PayPal address.

Part of the reason I used the hashing algorithm I did was because I am building an app using Corona SDK. I was planning to use similar hashing functions on the client and server. E.g., I could hash the password on the client and then send the hashed password over SSL to the server. As a side note, I will never store the user's password (hashed or not) on the client.

General questions

  • If I am allowing users to log in through a mobile app, is it better to hash the data and then send it over SSL, or is it better to take exactly what users entered and send it over SSL? My concern is whether exposing my hashing algorithms on the client is a really bad idea. It might be better to trust that SSL is secure and send data raw instead.
  • Do you have any suggestions for improving the methods I am using to hash and store data? More details below.

So the general idea is that when a user registers, I create a unique userkey for each user. This key is stored in the db. The email address is encrypted using this key and the password is hashed using the same key.

// 16 random bytes from /dev/urandom; this is the per-user key stored in the database
$key = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);

The password hash is created using the following function.

// Iterated HMAC-MD5: the previous hex digest is prepended to the data each round,
// for 101 HMAC computations in total; the result is base64 of the hex digest.
function hash_string($data, $key) {
    $hash = hash_hmac('md5', $data, $key);
    for ($i = 1; $i <= 100; $i++) {
        $data = $hash . $data . $key;
        $hash = hash_hmac('md5', $data, $key);
    }
    $hash = base64_encode($hash);
    return $hash;
}

The email address is encrypted using the following function.

// Rijndael-256 in ECB mode via the (now removed) mcrypt extension.
// Note: mcrypt ignores the IV in ECB mode, so $iv has no effect on the output.
function encrypt_text($key, $string)
{
    $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
    $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
    $encrypttext = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_ECB, $iv));
    return $encrypttext;
}

I found these functions in various places and I don't know much about security, so I just wanted some feedback.


1 answer

  • donglan6777 2013-06-02 18:49

    You store the key you used for the encryption in the same database as the encrypted information? Then it makes no sense: once someone has access to your database, the information as well as the key (and hence the encryption itself) is useless. Spare yourself the trouble.

    For the password hashing there are lots of discussions about this out there, also good answers on SO; you should probably move away from MD5 and use a better salt.

    This answer was chosen by the asker as the best answer.
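An added example, not code from the asker or the answerer, of the server-side pattern the answer points toward: bcrypt via password_hash() instead of the iterated HMAC-MD5 (so no per-user key is needed for hashing at all), and authenticated encryption for the email address with a key held outside the database instead of Rijndael in ECB mode with the key stored next to the ciphertext. It assumes PHP 7.2 or later with the sodium extension, and that the 32-byte email key arrives as hex in a hypothetical EMAIL_KEY environment variable.

```php
<?php
// Added example (not the thread's code). Assumes PHP >= 7.2 with sodium,
// and a 64-hex-char (32-byte) key in the hypothetical EMAIL_KEY env var,
// i.e. a secret that is NOT stored in the database holding the ciphertext.

// Password storage: password_hash() draws a random 128-bit salt itself and
// runs bcrypt, a deliberately slow hash; the salt and cost are embedded in
// the returned string, so only that one string goes into the users table.
function make_password_record(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Verification is constant-time and re-derives the salt from the record.
function check_password(string $password, string $record): bool {
    return password_verify($password, $record);
}

// Email encryption key comes from the environment, never from the same DB.
function load_email_key(): string {
    $hex = getenv('EMAIL_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('EMAIL_KEY missing or wrong length');
    }
    return hex2bin($hex);
}

// Authenticated encryption (XSalsa20-Poly1305) with a fresh random nonce per
// message. The nonce is not secret and is stored in front of the ciphertext;
// ECB has no nonce, so equal emails would encrypt to equal ciphertexts.
function encrypt_email(string $email, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($email, $nonce, $key);
    return base64_encode($nonce . $box);
}

// Returns null on malformed input, wrong key, or a tampered ciphertext
// (the Poly1305 tag fails), instead of silently returning garbage.
function decrypt_email(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}
```

With this layout a dump of the database yields bcrypt records that still have to be brute-forced one slow hash at a time, and email ciphertexts that cannot be opened without the key kept on the EC2 host.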
