#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    425
    Rep Power
    8

    Rsa


    what if you would make a RSA coding system and use it ? (if you are so good that there would be no gap in the code etc.)
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    @derplumo: What's an "RSA coding system"? Are you talking about public-key cryptography? What do you wanna do?
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    425
    Rep Power
    8
    well, RSA is for example used by credit cards, and yes, it uses a public key, and a secret key. but i think it is not easy yet not difficult to make... but there will always (in my case) be a fault in the code... i can try to make one if you want
  6. #4
  7. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,871
    Rep Power
    6351
    RSA (and other encryption schemes) are for encryption. Logins do not use encryption. All encryption can be reversed, that's what it's for. Password hashing should be impossible to reverse.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  8. #5
  9. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    The question is: What's your goal? What are you trying to achieve?

    The RSA algorithm is a tool. You use it to solve specific problems. So what is this problem you wanna solve?

    I mean, just because "RSA" sounds fancy and is "used by credit cards" won't make your system more secure.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  10. #6
  11. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,871
    Rep Power
    6351
    Thread split.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  12. #7
  13. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    RSA keys are commonly used for authentication, although RSA by itself is not an authentication algorithm.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  14. #8
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    425
    Rep Power
    8
    but hashing (previous threat) is used to "key" the password the user entered, but if you use RSA, you can use the public key to encrypt the password. maybe it could work, and you know https? it is also secured by this system... but i read that hashing the password and then sending it as the password doesn't work, but how do you use it then?
  16. #9
  17. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,871
    Rep Power
    6351
    Hashing isn't the key, hashing is one-way and prevents the database from being usable by an attacker even if your server is compromised.

    If you encrypt your data with RSA, and an attacker gets access to your system, he will have access to your data and your private key, making it easy to get your actual data (passwords, in this case).

    If your data is hashed, and an attacker gets access to your code and your database, all he'll know is that nobody can crack these passwords because they're hashed.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  18. #10
  19. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    425
    Rep Power
    8
    Originally Posted by ManiacDan
    Hashing isn't the key, hashing is one-way and prevents the database from being usable by an attacker even if your server is compromised.

    If you encrypt your data with RSA, and an attacker gets access to your system, he will have access to your data and your private key, making it easy to get your actual data (passwords, in this case).

    If your data is hashed, and an attacker gets access to your code and your database, all he'll know is that nobody can crack these passwords because they're hashed.
    ok thanks for the info
  20. #11
  21. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    I think there's a deeper misunderstanding:

    As I already tried to explain earlier, every algorithm and every security protocol is a tool made for a specific purpose. Just like literal tools: When you wanna drive a nail into the wall, you get a hammer. When you need to cut a tree, you get a saw. But a saw won't help you with your nails, even if you've seen your neighbours using it in their garden.

    This is obvious, but when it comes to security, many people don't understand this. Hashing, encryption, RSA or whatever are no magical protection. I mean, you see that in a lot of PHP scripts: Whenever somebody thinks they need security, they'll probably start adding a bit of MD5, a bit of SHA-256, and maybe a bit of encryption. No. That's not how it works. It's like trying to pound a nail with a saw, a screwdriver and pliers at the same time. This may look like you're doing a lot of work, but you won't actually achieve anything.

    You need to define your goal, and then you need to find the right tool for the job.

    OK, so you wanna store your passwords in a secure way, that is, you wanna be able to use them for authentication, but you don't want others to be able to retrieve them. Do you need to retrieve them yourself? No! Then encryption does not help you. You're still trying to hit the nail with your saw.

    RSA will help you even less, because it's asymmetric encryption designed for sending secret messages to another party without having to exchange a shared key first. You don't have that. Your public and private key would reside on the same server, which is just nonsense and does nothing but keep your CPU busy (asymmetric encryption is expensive).

    The solution to your problem is a hash algorithm with a random prefix for every input (called "salt") and a variable cost factor. A common algorithm is bcrypt. And -- hold your breath -- there's even a solid PHP implementation:

    https://github.com/ircmaxell/password_compat

    Note that MD5, SHA-256 etc. are no solution, because they still allow the password to be retrieved with brute force.

    See how that approach is different from "let's add some RSA"? I defined a goal, then I chose the appropriate tool, and then I chose an established library from somebody who knows what he's doing.

    When it comes to security, don't try to be innovative, don't try to outsmart everybody. If you come up with an idea and don't see it being used, that's not because you're the first to think about it. It's because it doesn't work -- for whatever reason.

    The highest password security you'll currently get is by using bcrypt (or maybe scrypt in the future). Anything else is not secure of even utter nonsense.

    To be exact: There is in fact an authentication scheme using public-key cryptography. But it's not feasible on a public website. And even if you did use it, you'd never write your own PHP implementation.
    The 6 worst sins of security ē How to (properly) access a MySQL database with PHP

    Why canít I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".

IMN logo majestic logo threadwatch logo seochat tools logo