Secure way to store decrypted passwords in Ruby

I want to store some keys encrypted in a database securely. At the same time, I need to use the unencrypted (original) form of the keys somewhere in my code. I was planning on using PBKDF2 for hashing PBKDF2 passwords. Is it possible to decrypt the key stored in the database encrypted using PBKDF2? Or are there simple and safe procedures?

+3




3 answers


Passwords and secret keys are usually stored in hashed form. This means they are processed by a hash function before being stored in the database. A good hash function like bcrypt has the following properties:

  • it produces the same output for the same input
  • it produces very different outputs for different inputs
  • its output is no different from random
  • not reversible

The last property is very important for security: when someone gains access to the database, they cannot recover the original keys, because the hash function is not reversible, especially when the hash is salted so that attackers do not use rainbow tables.

This means that if you want to recover the keys later, you must save them in an encrypted (not hashed) form. The encryption function has properties similar to those of a hash function, with the key difference that it is actually reversible. For this step of decryption, you need a key that you need to store somewhere.



You can store the key in your application configuration, but this will mean that if someone gains access to your server, they can retrieve the encryption key and decrypt all stored keys.

I propose an alternative approach that will only allow users to retrieve their own stored keys. It is based on the idea that keys are encrypted using the user's password, which only the user knows. Whenever you need to perform an action that needs to save or retrieve keys, the user is prompted for a password. Thus, neither you nor an attacker can recover them, but your program can access them if the user allows it by entering their password.

  • Store the conditionally hashed password of the user in a database, for example using bcrypt
  • Allow users to store an additional password in the following procedure:
    • Prompt for user password and storage keys
    • Password hash and comparison with database for authentication
    • Generate salt for each key entered
    • Use user-entered password and salt to encrypt storage keys, e.g. with AES encryption
    • Store salt and encrypted keys in a database
  • To get the stored keys in an action that requires them in text form:
    • User password request
    • Password hash and comparison with database for authentication
    • Get encrypted keys and salt from database
    • Decrypt stored keys using user password and salt.

Be careful to remove user passwords from the application log ;-)

+6
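
The store-and-retrieve procedure from the answer above, as an added example that is not part of the original answer. It assumes PBKDF2 (the function the question mentions) to derive the AES key from the user's password and a per-record salt, and AES-256-GCM as the AES mode; the module name `UserKeyVault`, the iteration count and the record layout are hypothetical, and the bcrypt login check is left out.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helper; names and parameters are assumptions, not from the answer.
module UserKeyVault
  CIPHER     = "aes-256-gcm"
  ITERATIONS = 200_000 # PBKDF2 work factor (assumed value, tune for your hardware)

  # PBKDF2 is used here as a key-derivation function: it turns the password
  # and salt into a 32-byte AES key. Its output is never "decrypted".
  def self.derive_key(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256")
  end

  # Encrypts one secret. The returned fields are what goes into the database
  # row; the password and the derived key are not stored anywhere.
  def self.seal(password, secret)
    salt   = SecureRandom.random_bytes(16) # fresh salt for each stored key
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = derive_key(password, salt)
    iv         = cipher.random_iv          # fresh nonce for each encryption
    ciphertext = cipher.update(secret) + cipher.final
    { salt: salt, iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext }
  end

  # Returns the plaintext, or nil when the password is wrong or the stored
  # record was modified (the GCM tag check fails in both cases).
  def self.unseal(password, record)
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key      = derive_key(password, record[:salt])
    cipher.iv       = record[:iv]
    cipher.auth_tag = record[:tag]
    cipher.update(record[:ciphertext]) + cipher.final
  rescue OpenSSL::Cipher::CipherError
    nil
  end
end

if __FILE__ == $0
  # Constructed sample values, for illustration only.
  row = UserKeyVault.seal("user-password", "example-api-key")
  puts UserKeyVault.unseal("user-password", row).inspect  # plaintext
  puts UserKeyVault.unseal("wrong-password", row).inspect # nil
end
```

Because the key exists only while the user's password is in memory, changing the password means decrypting every stored record with the old password and sealing it again with the new one.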




Passwords are never stored in the database in any way that people can decrypt them later. There is no guarantee that someone will not break into your database tables and steal everything you have saved.

If you store an encrypted (hashed) password for each user, even if your database is compromised, it will take a long time for those who stole your decrypted passwords to find out the actual passwords. They can always use the same encryption and compare the resulting hash of common passwords. For example, they can encrypt "MyPassword123" and then compare this hashed password against every password in your database. Weak passwords can still be guessed using this pattern.



So even non-decrypted passwords have their drawbacks, but if you allow someone to decrypt what you store, then it is basically very easy for them to get each of your user passwords. Very bad practice. Some of the largest and most "secure" companies have their own saved hashed passwords, so you can't assume you won't be a victim.

+1




I ran into the same issue with bcrypt using Ruby, where it works to validate the user as it compares the difference between the clear text entered by the user and the hashed password, and the hashed password never decrypts to clear text. One of the gems I found that might solve your problem is a cipher that encrypts several different keys. Therefore, you can store your password in the database by storing the keys elsewhere (a file in the vault).

More information can be found on the rubygems page.

0

