Making hash


We'll build this system using the Apache Jakarta Tomcat servlet container and a MySQL database. Both are free, open source and capable enough for our purposes.

The first requirement is password security. We'll store passwords, along with login names and other user data, in a MySQL table. But we want to secure the passwords so that any crackers who manage to break into the system -- or dishonest system administrators -- will have a hard time recovering them. The best way to do this is through a one-way hashing algorithm, which takes plaintext input of any length and produces a fixed-length digest, conventionally written as a hexadecimal string.

SHA-1, the Secure Hash Algorithm, does a pretty good job and will, with near certainty, produce a distinct hash for any given password. When we first obtain a user's password, we run it through an SHA-1 method and store the resulting 160-bit hash as a 40-character string of hexadecimal digits. Then, on each subsequent login, we run the user's input through the same hashing algorithm and compare the result to the value stored in the database. This way, no one but the user ever knows the password (hopefully).

While no one is known to have ever developed a computational way to reverse an SHA-1 hash, many black hats have compiled MD5 and SHA-1 hashes of commonly used passwords like "god", "password", "opensesame" and the like. In fact, a million compiled hashes take less than 20 megabytes of space, so a CD of precomputed password guesses can be assembled easily. Using this, in a so-called "dictionary attack," a cracker could run the hashes on his CD against those in your database until he found a match.

One way to defeat this is to "salt" the password with two bytes of random data before hashing it, and then store the salt alongside the hash, either appended or prepended to it. This makes the precompiled CD of hashes useless: the black hat could still use his dictionary of a million or more passwords as the basis for an attack, but he would need to regenerate every hash with the salt value for each password attempt.
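The store-and-verify scheme just described, as an added example rather than the article's own code: the class name, the salt-in-front layout of the stored value (4 hex characters of salt followed by the 40-character hash) and the sample passwords are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
// Added example, not the article's code. Stored form (an assumption): 4 hex chars of
// salt in front of the 40 hex chars of SHA-1(salt || password), 44 chars in total.
public class PasswordHash {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int SALT_BYTES = 2;   // two bytes of random salt, as the text proposes
    private static final int STORED_LEN = SALT_BYTES * 2 + 40;
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }
    static byte[] fromHex(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
    // SHA-1 over the salt bytes followed by the UTF-8 bytes of the password.
    static byte[] sha1(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }
    // When the password is first obtained: draw a fresh salt, hash, store salt + hash.
    public static String create(String password) throws NoSuchAlgorithmException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return toHex(salt) + toHex(sha1(salt, password));
    }
    // On each login: recover the salt from the stored value, rehash the input, compare.
    public static boolean verify(String password, String stored) throws NoSuchAlgorithmException {
        if (stored == null || stored.length() != STORED_LEN) return false;  // malformed row
        byte[] salt = fromHex(stored.substring(0, SALT_BYTES * 2));
        byte[] expected = fromHex(stored.substring(SALT_BYTES * 2));
        // Constant-time comparison, so timing does not leak how many bytes matched.
        return MessageDigest.isEqual(expected, sha1(salt, password));
    }
    public static void main(String[] args) throws NoSuchAlgorithmException {
        String a = create("opensesame"), b = create("opensesame");
        // Same password, two different stored values: a precompiled table matches neither.
        System.out.println(a + "\n" + b + "\n" + verify("opensesame", a) + " " + verify("god", a));
    }
}
```

By current standards a two-byte salt and a single fast SHA-1 round are weak; a longer random salt and a deliberately slow password hash (PBKDF2, bcrypt or scrypt) raise the cost of the per-salt dictionary attack the text describes.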

OK, now for some real code.



Copyright © 1999, 2001, 2002 by John H. Byrd
All rights reserved.