Re: Storing encrypted strings in a password column

Well, for those security types I have one saying: any symmetric encryption
algorithm is as secure as the place where you store encryption keys.
You can use whatever symmetric algorithm, be it 3DES, IDEA, CAST, Blowfish
or AES (or any other) - if I can get the encryption key you used, I can decrypt
your data. For passwords, cryptographically strong hashes are probably the only
really secure choice. You can verify if passwords match using their hashes, but
you can't get the password in plain text from its hash, hence you can't easily
break into the system even if you collected hashes for all passwords. As for the hash
length and algorithm - it's actually equally hard to brute-force MD5-128 or
SHA-160 (are you certain you want those extra 8 bits?), but MD5-128 takes less
space to store, so I would go for it. But it's your choice of course - if those
security people feel more comfortable with SHA-160 - so be it. :)

--
Vladimir Zakharychev (bob@dpsp-yes.com) http://www.dpsp-yes.com
Dynamic PSP(tm) - the first true RAD toolkit for Oracle-based internet applications.
All opinions are mine and do not necessarily go in line with those of my employer.

Received on Wed Sep 18 2002 - 05:55:12 CDT

"Jurgen Lindt" <nospam_at_nospam.com> wrote in message news:tEQh9.20771$1C2.1431684_at_bgtnsc04-news.ops.worldnet.att.net...
> Vladimir,
>
> No, it's not imperative, you're right.
>
> Points taken and I understand what you say. It does make sense. The thing
> is, the security types where I am, are "hell bent" on Triple DES encryption.
> If we just store the hash of any passwords, at best, this will be 168-bit
> SHA. In other words, not using their prized and beloved "Triple DES".
>
> I think now you mention it, storing the hash of the passwords makes sense.
> We're using the Microsoft Cryptography API, which seems fairly robust. (did
> I say a Microsoft product was robust?)
>
> Many thanks.
>
> JL
>
>