Hash functions in web security

Hash functions in web security


Table of Contents

  • What the hash function is?
  • Http Cookies
  • password

1 What the hash function is?

A hash function is a one-directional one-to-one or multiply-to-one function, which can project data in one space to another, but not reverse. The key point here is one-directional projection, if you found a way to reverse this process, then this hash algorithm is corrupted, if the hash algorithm corrupted, the whole web security is down. You would not want that happen, right?

So, which hash functions are the popular ones? the popular hash function includes md5, sha256. In python standard distribution, it provided an hashlib module which provided the usual hash functions.
The following code snippet is an example to get digest from messages by python's hashlib module. The digest is the hash value of a message. 

digest = hash(message). 

import hashlib

hashlib.md5('hello world').hexdigest()
hashlib.sha256('hello world').hexdigest()
hashlib.sha512('hello world').hexdigest()

The Following two sections illustrate hash function in the web security.

2 Http Cookies

The hash function is used in HTTP cookies to prevent some cheating from the client. A hash function is usually considered a way to generate a digest of messages, we can compare the digests to judge whether they come from the same value. In this way, sometimes, we append digest to the message as a security way to prevent cheating. So, the following is what the cookie items looks like?
key=value,hash(value)
But if I guessed the hash function used to generate the digest, then I still can cheating server by attaching the digest generated by same hash function after the value in the same way. In this case, you need to attach the hash of value plus a secret phase, it is not easy to guess both hash function and secret phase together. We give this secret phase a name – salt.
key=value,hash(value+salt)
python provided a module named hmac to do this job. 

import hmac

salt = 'passwd'

hmac.new(salt, 'hello').hexdigest()

3 password

When you need to transmit the password across the internet to the server, you should not use the plain text password directly, instead, you need to transmit the hash value of your password all times, and the server has no right to store your plain text password.

Beside the password plus salt way to get the hash value, a better way is to use bcrypt which is a much safer way. 

import bcrypt

salt = bcrypt.gensalt()
hash = bcrypt.hashpw('passwd', salt)
# salt is attached in the head of generated hash
hash.find(salt)

#how to verify the passwd
#since salt is included in the hash, so same hashpw
#function generate the same result.
hash == bcrypt.hashpw('passwd', hash)

Comments

Post a Comment

Popular posts from this blog

Bluedroid stack in android

Image
Bluedroid stack in android Table of Contents Bluetooth stack in android Bluedroid .VS. Bluez Porting guide of Bluedroid stack 1 Bluetooth stack in android From Android 4.2, google use Bluedroid stack as its default Bluetooth host stack, before android 4.2, its default Bluetooth host stack was Bluez, which is also the Linux distribution's default stack. So why google changed its Bluetooth stack? The reason is maybe that Bluez stack was designed for the desktop environment, so in order to port Bluez into android, android must solve some dependency issues, like porting Dbus, Linux desktop's default IPC, into android. So there are at least five processes to power Bluetooth before android 4.2, they are systems, Bluetooth APP, Bluez, hciattach, and Dbus. The damn thing is that there are bugs between them, so Bluetooth stack is the weakest part in the android system before android 4.2, yeah, it is the usual reason that android system corrupted. So, what's t
Read more

How to setup a NAT server?

Image
How to setup an NAT server? Table of Contents What is NAT? How to setup NAT host? a shell script from vbird's book 1 What is NAT? NAT stands for Network Address Transition, which is the basic function of gateway host. I try to hack Bluetooth tethering module in android this week, it include the Bluetooth Pan profile and the NAT setup process, which means in order to implement the Bluetooth tethering, first, two devices must be connected by Bluetooth Pan profile, and then the server part device acted as gateway host to supply the network forward service. In other words, after Bluetooth Pan profile connected, the server must to setup its NAT rules to forward the IP packages. So how to setup NAT rules? 2 How to setup NAT host? My memory is still fresh that at the start of my Linux journey, I setup my Linux desktop as an NAT host to provide Internet services for my lab's classmates. During the days as a programmer, I once did a job to hacking android&
Read more

Network programming in elisp

  Network API in elisp Table of Contents 1 Introduction 2 A example 3 Http server implemented by elisp 1 Introduction Emacs is not just an editor, Yes, that's true. Emacs lisp can do network connection programming by its network API. But there is something difference with other kinds of programming language. First, elisp do not support multi-thread, pretty cool, huh!! Yeh, Multi-threads programming is a horrible venture for you, right! Second, There is no socket similarly conception in elisp, and elisp provide network programming ability as processes. Elisp can open a network connection by function – open-network-stream .  It can make network connection server listen a special port by function - make-network-process . Both of those function return a process object. Then you can communicate with the process by process's API. 2 A example I write a snippet code to figure out How to use it. ( require ' cl ) ( defvar my-network-client-b
Read more