Jump to content

MySQL Users and Encryption


vchris

Recommended Posts

I was talking with a friend and he says it would be safer to use a different user for reading from the db and writing to the db. I personally have always used 1 user for all. Is this something you guys do or would recommend doing? First time I hear about it.How secure is md5 encryption?

Link to comment
Share on other sites

I agree with that statement. Furthermore, if you can limit a user per DB access (i.e. allow a DB user to only read/write to a certain DB without granting read/write priviliges to other DBs) it would be even better.The reason is that even with best effors to prevent SQL injections and the such, your system can always be compromised. What if you've missed an escape for a value, and user gets to do a query? If you limit the user PHP uses to access the DB, the worst thing that can happen is the attacker reading/writing arbitary data from whatever PHP would have been able to do at that point. So, if you don't grant PHP the ability to delete a DB, an attacker won't be able to do so either.MD5 encryption is one way encryption. Once a value is traslated to an MD5 string, the MD5 string can't be translated back to the original string. It's a very good practice to encode sencetive data as MD5 or SHA1 strings as an extra protection layer. That is, if an attacker somehow happens to gain reading access of your DB, and users' sencetive data (like passwords), they'll only see their MD5/SHA1 signatures, not the passwords themselves. Of course, this would still mean they can compare a password against the signature indefinetly, but at least they won't have it "on the spot".

Link to comment
Share on other sites

While I understand the reasons behind having different user accounts for specific things, I haven't personally run into a problem where I would need to do that and I haven't heard of any problems happening (mine or otherwise) that could have been avoided by using multiple accounts like that. It makes sense in theory, but in reality it doesn't come into play much.

How secure is md5 encryption?
That's a relative question. It's more secure then a lot of things like ROT13, and less secure then a lot of things like SHA-1. For most uses it's plenty secure. If you need a particularly high degree of security then MD5 isn't exactly the cream of the crop. Moreover, unless you really, really need a 128 bit number and no more, it's always better to use SHA-1 then MD5. In fact I don't really understand why anyone uses MD5 when we have SHA-1. If you need more security then SHA-1, then something in the SHA-2 family, like SHA-256 or SHA-512, might work for you.
Link to comment
Share on other sites

Yeah, a lot of things do. MD5 is probably the single most insecure hash method that people still use. I honestly don't know why anyone still uses it. There have been many published MD5 attacks. MD5 was invented in 1991, by 1996 flaws were found in it. In 2004 serious flaws were discovered in it. The attack described in 2004 only took an hour on an IBM p690. By 2005 people had demonstrated how to make 2 files with the same MD5 hash. In 2006 someone published an algorithm that can find an MD5 collision within one minute on a single laptop computer.It's simply not that secure as a single hash. If you're using a single hash then use SHA-1. If you're using a combination it doesn't really matter what you use if it's sufficiently complex.

Link to comment
Share on other sites

I had no idea md5 was insecure. It's a 128 bit encryption right? So when encrypting I should stick with SHA1? Funny my friend was explaining me that MD5 was very very secure and almost unhackable since it uses special keys or something.

Link to comment
Share on other sites

MD5 is irreversible, like all hashes should be, but with current computers it is now possible to algorithmically create strings that have the same MD5 hash. For example, the hash of "The quick brown fox jumps over the lazy dog" is 9e107d9d372bb6826bd81d3542a419d6, and no-one will be able to see that and algorithmically reverse it back to "The quick brown fox jumps over the lazy dog", but now methods have been discovered whereby you can figure out another string that will produce the same MD5 hash as that.

Link to comment
Share on other sites

It's a 128 bit encryption right?
MD5 does not encrypt, it hashes. The result of the hash is a 128-bit number.
Funny my friend was explaining me that MD5 was very very secure and almost unhackable since it uses special keys or something.
Your friend should do a little research into how MD5 works and do a Google search for "MD5 attacks" before making such claims. Most hash algorithms use some sort of key system to do the initial hashing. Here are the keys for SHA-256, for example:
Initialize variables(first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19):h0 := 0x6a09e667h1 := 0xbb67ae85h2 := 0x3c6ef372h3 := 0xa54ff53ah4 := 0x510e527fh5 := 0x9b05688ch6 := 0x1f83d9abh7 := 0x5be0cd19Initialize table of round constants(first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311):k[0..63] :=   0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,   0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,   0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,   0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,   0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,   0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,   0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,   0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2

This is the initialization routine for MD5:

//r specifies the per-round shift amountsr[ 0..15] := {7, 12, 17, 22,  7, 12, 17, 22,  7, 12, 17, 22,  7, 12, 17, 22} r[16..31] := {5,  9, 14, 20,  5,  9, 14, 20,  5,  9, 14, 20,  5,  9, 14, 20}r[32..47] := {4, 11, 16, 23,  4, 11, 16, 23,  4, 11, 16, 23,  4, 11, 16, 23}r[48..63] := {6, 10, 15, 21,  6, 10, 15, 21,  6, 10, 15, 21,  6, 10, 15, 21}//Use binary integer part of the sines of integers (Radians) as constants:for i from 0 to 63	k[i] := floor(abs(sin(i + 1)) × (2 pow 32))//Initialize variables:var int h0 := 0x67452301var int h1 := 0xEFCDAB89var int h2 := 0x98BADCFEvar int h3 := 0x10325476

There aren't any "special" keys or anything like that. I don't even know what a "special key" is. Everything about these algorithms is public, there aren't any "hidden" parts or anything that make it difficult to find an MD5 collision.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...