Is it cryptographically secure?
I am making a chat program for fun and I decided to add encryption. However, I'm new to this, so I'm wondering if this is cryptographically secure and is this a good way to do something?
This is the login:
Start:
Client sends username
If the user exists, the server sends the stored salt for the user
The client then sends the SHA-2 hashed file (Salt + Plaintext password)
The server compares it to the saved hashed salt + password result and if its the same then the user has logged in successfully and from there the encryption is AES.
End
Any mistakes? I don't think there is, but Id hate to go ahead and make a program just to say that encryption doesn't work! Also, who has good links for further reading on cryptography?
source to share
This is unsafe to attack your database / servers and does not actually seem to fit the purpose of using salted hashes. If the client sends back a salted hash instead of their password, then this is essentially the same as their password.
If an attacker compromises your database, they don't need to force a password to login, they just use a salted hash and they can be whoever they want to be.
If you are using SSL, you can send the cleartext password over an encrypted wire and a hash on the server. The attacker would then have to drag and drop the hash or attack the SSL channel.
also use PBKDF2, bcrypt or scrypt as password hashing algorithm instead of SHA-2. You want something that resists brute force attacks.
source to share
The short answer is: "No, and why didn't it happen?" and the long answer is too long and involved. There are too many variables that we do not know to give a good answer: is there a connection between the client and the server? Are you verifying the identity of the server you are connecting to? Etc.
Generally speaking, you shouldn't reinvent the wheel and you should avoid crypto at home. For passwords, consider using scrypt and be happy.
If you want to validate the password the user enters, you can also consider implementing a response validation system, or at least implement some protection against replay attacks. Your current solution is completely insecure as it makes the salted hash itself a password. An attacker who grabs it can log into the account without even knowing the password.
Again, don't invent your own stuff. Use protocols that have been developed and validated by cryptographers and the community at large. Wikipedia is a good place to start your research. Bruce Schneier's Applied Cryptography book is a great resource and every software developer should have it in their library.
source to share
As long as this exchange is over SSL, it should be fine. Also, if you are determined to use a SHA-2 family member, use SHA-512. Today everything is unacceptable.
The protocol you describe is basically standard user / password login + salt swap.
Your best bet would be to do the salting and SHA hashing on the server. Let the user pass their password in plain text over SSL and never discover the salt.
JChatd is an example of peer-to-peer SSL chat.
source to share
I don't understand what you are describing
If the user exists, the server sends the stored salt for the user
What's going here? Password hash?
If so, then there is no security. The idea is that the user provides the password to the client and the client sends an encrypted hash to the server for comparison. If there is a match, the user has been authenticated
source to share