What is the KEY used in frameworks for?


-1

Generally, when I see systems that have been made without the use of frameworks, there is no use of keys.

However, in all the frameworks I have used to date, you need to define a key for your application for it to work.

An example of this is Laravel, where you have a configuration similar to this:

    /*
    |--------------------------------------------------------------------------
    | Encryption Key
    |--------------------------------------------------------------------------
    |
    | This key is used by the Illuminate encrypter service and should be set
    | to a random, 32 character string, otherwise these encrypted strings
    | will not be safe. Please do this before deploying an application!
    |
    */

    'key' => 'A5CNJaYsFnpC9jpkbAk1nOI1ETUBsJOP',

What is the point of the key generally used in frameworks?

Is this related to some security scheme?

  • 2

    Hatters gonna Hatters :p

  • Does this also refer to APP_KEY? If so, I was going to ask about this one of these days too. I even researched it, but from the answers I got on the Laravel forum I realized it's always very general; what I got was something like "App Key is used for all encrypted data, like Sessions", but I could not understand how to do this in practice without Laravel in order to understand how it works :/

1 answer

2

It is used as the SALT for hashing in PHP.

Laravel uses the password_hash library to generate protected password hashes.

Check out:

Illuminate\Hashing\BcryptHasher line 30

    public function make($value, array $options = [])
    {
        $cost = isset($options['rounds']) ? $options['rounds'] : $this->rounds;

        // password_hash() generates its own random salt and embeds it, together
        // with the cost, in the returned string; nothing else is passed in here.
        $hash = password_hash($value, PASSWORD_BCRYPT, ['cost' => $cost]);

        if ($hash === false) {
            throw new RuntimeException('Bcrypt hashing not supported.');
        }

        return $hash;
    }

This random combination will be the salt for hash generation. Each KEY will always generate a different hash. This prevents someone from breaking into your database and discovering your customers' passwords, since in this example they will only have access to the password hash, which is a one-way hash.

Never let them have access to this key, because it is linked directly to the hashing of your passwords.

But what do you mean? Hashing? Salt? Cost?

Come on, I’m no expert in this sector but I’ll try to help you.

Hashing

Hashing is the method of "hiding" the password or some other "intruder" text. Let’s take for example:

Look at this string:

$2y$10$ZxqbuwvAYAGvhQgl0C9Kh.q.UWCdL1eQg4SMqbrfbvnjX4rOl2AcW

Can you tell what its real value is?

This string is a hash of a password, which in this case is: 102030

My application, with a single SALT, generated this string from 102030.

Does this mean the password hash of 102030 in my application will be the same as in yours? No, never. Because the KEYS (SALTs) are unique.

Salt

salt - To manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

Salt is a character combination that will be used as a "key" to hash your strings.

Cost

cost - Denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page.

Cost is what the word already says: cost. How much will this hashing cost the processor to compute? Remember: the higher the cost, the lower the chance of someone pulling off a brute force attack on your application, BUT your processor will have more work to do every time someone types in their password.

Ok, but how does the application know that the user typed the correct password, given that it is all "encrypted"?

By the comparison method, young man.

Let's start from the example where a password hash is generated with KEY x and COST 10.

If the user enters the password 102030, the same string will ALWAYS be generated, since neither the key nor the cost has changed.

So watch out for the KEY of your application; it is important for this safety factor. If anyone finds it out, they are closer to finding out the passwords in your database, and if you change it, all the passwords in your database will be invalidated.

Correction

Laravel does not use the SALT to generate passwords, but uses it for the Encryption library, which is defined as the key in EncryptionServiceProvider. Otherwise it's the same ideology.
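As an added example (not code from the question, the answer or Laravel itself), this standalone PHP shows both halves of what the thread settles on: password_hash() stores a random salt and the cost inside the hash, so verification needs no application key, while the application key is what keys reversible encryption of data such as sessions. The encryption half is AES-256-CBC plus an HMAC in the spirit of Laravel's Encrypter but not its actual code; encryptPayload, decryptPayload and $appKey are assumptions of this example.

```php
<?php
// Added example: password hashing (one-way, salt embedded per hash) beside
// application-key encryption (two-way, keyed by something like APP_KEY).

// --- Hashing: one-way, random salt per call, cost chosen by the caller ---
$password = '102030';
$hashA = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
$hashB = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);

// Same password, two different strings: the 22-char salt after "$2y$10$" differs.
var_dump($hashA !== $hashB);                   // bool(true)
// Both still verify, because the salt is read back out of the stored hash.
var_dump(password_verify($password, $hashA));  // bool(true)
var_dump(password_verify($password, $hashB));  // bool(true)
var_dump(password_verify('102031', $hashA));   // bool(false)

// The cost is stored in the hash too; raise it later and detect old hashes.
$info = password_get_info($hashA);
var_dump($info['options']['cost']);            // int(10)
var_dump(password_needs_rehash($hashA, PASSWORD_BCRYPT, ['cost' => 12])); // bool(true)

// --- Encryption: two-way, keyed by the application key ---
// Constructed key for this example; a real app keeps its own random 32-byte key.
$appKey = random_bytes(32);

function encryptPayload(string $plaintext, string $key): string {
    $iv  = random_bytes(16);                                   // fresh IV per message
    $ct  = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $key, true);         // authenticate iv+ciphertext
    return base64_encode($iv . $ct . $mac);
}

function decryptPayload(string $payload, string $key): ?string {
    $raw = base64_decode($payload, true);
    if ($raw === false || strlen($raw) < 64) { return null; } // iv + one block + mac
    $iv  = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ct  = substr($raw, 16, -32);
    // Check the MAC before decrypting; a wrong key or tampered data fails here.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $mac)) { return null; }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

$token = encryptPayload('session-id=42', $appKey);
var_dump(decryptPayload($token, $appKey));          // string(13) "session-id=42"
var_dump(decryptPayload($token, random_bytes(32))); // NULL: rotating the key breaks decryption
```

Rotating the application key invalidates encrypted payloads but leaves every stored password hash verifiable, which is the behaviour the comments below observe.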

  • I don’t know if that’s it... There’s nothing in the code capturing information from app.key

  • 1

    @Wallacemaxters EncryptionServiceProvider, in register, defines the config key. Just look at the Encryption dependency.

  • I'll check there. I looked and there was only the new instance with nothing in it... Are you talking about what's in the app?

  • I understood what you said. But it seems that Laravel separated Encryption on one side and Hash on the other. As far as I know, Hash is used for the password, and encryption is used for you to send encrypted messages and such (Laravel has an example of this). I think it is not true that it is used in Salts (with password_hash), because I already changed the key and that didn't stop the passwords from working. Because logically, if you change the salt, you break previously saved passwords that used another salt.

  • So much so that you can observe that in the first example the Hash class does not use anything from key. And if you look at the source code, you will see that the ServiceProvider does not use the key. Only in the case of Encrypter, but in Hash, no...

  • +1 The answer is very good

  • @Wallacemaxters read the updated post.

