Password encryption in login

Asked

Viewed 1,168 times

0

I need to create a way to encrypt my password in my system login, because I haven’t implemented this security yet and I don’t have much idea how to do this.

So how could I create this encryption and compare it to login time and see if it’s right ? That is, create that hash to confuse the attacker (if I have a person using the While Shark to try to intercept my password) ?

What is the best form (base 64,MD5, RSA, among other forms) ?

Here is the code of mine controller what use to log in and compare login and password in the bank:

Autenticacaocontroller

 [HttpPost]
    public ActionResult Index(String Login, String Senha)
    {
        //verificando login pelo usuario do banco de dados ...
        Usuario login = db.Usuarios.Where(x => x.Login == Login && x.Senha == Senha).FirstOrDefault();
        if (login != null)
        {
            FormsAuthentication.SetAuthCookie(login.Nome.ToString(), false);
            Session.Add(".PermissionCookie", login.Perfil);
            Session.Add("UsuarioID", login.UsuarioID);
            return RedirectToAction("Index", "Home"); //pagina padrao para todos os usuarios...
        }
        return RedirectToAction("Index");
       
    }
asp.net-mvc-5 authentication cryptography

  • In that question You’ll find all the information you need. In short, do not use a reversible form (base 64 is a simple data encoding, nor is it encryption), nor a fast hash (type MD5). Never heard of HSA, what’s it about? By the way, the hash function is not to prevent someone from "intercepting" your password - so protect your communication (i.e. use SSL/TLS/HTTPS) - but to prevent someone who has already obtained a copy of the database (via another attack) from discovering all passwords and logging in.

  • @mgibsonbr RSA, pardon the mistake, I did the question quickly or I paid attention to it, but I will edit here to leave it straight! And thank you so much for the comment. I just want to prevent someone from using while Shark and being able to see the right password. I want to do exactly what you said.

  • Blz. RSA, being reversible encryption, also does not serve to protect the password (if the attacker has a copy of the BD, he also has the key copy, so he can decrypt the password). The hash, on the other hand, cannot "undo", even if you have access to everything - the only thing left is in the login to hash again and compare the results. Again, the linked question has more complete information.

  • But you understand C# so I can get an idea of how to implement this encryption ? I’ll read the question you linked as soon as I can. I took a quick look and saw that you have some information.

  • 1

    For PBKDF2 you can use Rfc2898DeriveBytes which is part of . Net itself (the example of use in the documentation is half bad, try this in the OWASP). For Bcrypt there is the Bcrypt.Net, and for scrypt have some suggestions that question in Soen.

1 answer

0


Each of these algorithms has a different purpose, so to protect the password it is interesting to use them at different times.

For example, to protect the password from a man-in-the-Middle attack, it is important to use SSL, which basically uses RSA.

Now to store the password in the Database, it is interesting to use AES or SHA.

If you choose to use AES, you have the combination of the Rijndael algorithm with 256-bit blocks and keys.

Another option is to use a Hash algorithm, in this case give preference to SHA-2, SHA-3 or BLAKE2, in this case I would advise the use of BLAKE2.

In both cases it is interesting to use a Salt, I would advise a Random and Single Guid for each password.

  • Thanks for the @Tobymosque reply. Would you have code examples or link examples so I can trace a north on how to do this ?

  • For BLAKE2 you can look at the following site https://blake2.net, here you will find the implementation and examples for various languages. As for the SHA-3 you just need to do a quick search on nugets. In the case of SHA2 and AES, they are already implemented within the Framework, you can examples on the following sites: http://adventuresindevelopment.com/2009/06/02/hash-passwords-in-c-andvisual-basic-using-sha-512/ and http://www.codeproject.com/Tips/704372/How-to-use-Rijndael-Managedencryption-with-Csharp. And as for Salt, it’s basically putting in additional bytes before encrypting.

  • Putz @Tobymosque was worth too much !

  • BLAKE2 was designed to be quick, but for a hash to be useful in password protection it must necessarily be slow. The SHA-3, as far as I know, offers this option of "programmable slowness", but all the others you mentioned did not. AES/Rijndael (are +/- the same thing) is also not used to store the password safely (where would you store the key? in a hardware module?), because if your server can decrypt the attacker can also... Finally, SSL can use RSA yes (this part of the answer is correct), but it can also use other algorithms such as Elliptic Curves.

  • P.S. In the very BLAKE2 FAQ it explicitly says: "You must not use *any* general-purpose hash function for user passwords, nor BLAKE2, nor MD5, SHA-1, SHA-256, or SHA-3. Instead you should use a password-based key derivation function such as PBKDF2 or scrypt with an appropriate number of iterations in order to slow the hashing process, thus mitigating the risk of brute force attacks."

  • 1

    @mgibsonbr, thanks for the comments, really "PBKDF2 + Hash" would be the best option.

Show 1 more comment

Browser other questions tagged asp.net-mvc-5 authentication cryptography

You are not signed in. Login or sign up in order to post.