I have a field (regular field, not a password) that is being stored in the database twice: as a hash (SHA512) and as an encrypted value. Changing this setup would require many changes which I don't want to get myself into. My question: in the case that the database is broken into, does the fact that the field is being stored twice as a hash and encrypted weakens its security? why?
Some people have said yes because now they have 2 ways to possibly crack it. Duh, I know that. What I'm asking about is whether one can be used to make cracking the other easier? Can the very fact that the field has 2 variations somehow make it easier for the attacker to use one to make cracking the other easier? Look at it this way: if the attacker is given only variant A, it would take them a day. If given only variant B, it would take them 3 days. If the attacker runs both cracks independently, they would crack variant A faster (it takes only a day). But if the attacker is given both, they can crack one in just 6 hours. This is what I'm asking.
Hashing vs Encryption – What Are the Difference? Hashing and Encryption have a bit of difference as hashing refers to permanent data conversion into message digest while encryption works in two ways, which can encode and decode the data.
Let’s cut through the confusion and discuss how encryption, hashing, and salting are different, and how they relate to each other. TL;DR: Encryption is a reversible process, whereas hashed data cannot be decrypted. Salting is a method to make hashing more secure. How does encryption work?
What is hashing? Hashing is similar to encryption in that it scrambles the input data into a randomized or near-randomized output data. Hashing differs significantly from encryption, however, in that it is a one-way process. There is no easy way to unscramble the data, interpret the output, or reverse-engineer the input.
In addition, hash functions can be used for encryption and decryption; for example, AES-256 uses a key derived from a password by means of PBKDF2, which is itself a cryptographic hash function. Finally, hashes are used to index data in hash tables or to detect duplicate files.
Assuming that the hash and encryption method are cryptographically strong, then the attack would be brute force. So the cost would be to run the weaker of the two: hash or encryption. If the hash is computed with a large number of iterations (e.g., with PBKDF2) and the encryption is a simple application of a password run through a single iteration of a hash function to get the key data, then the encrypted value would actually be the weak point in terms of CPU cost. In that situation, the answer would be that storing both does not really weaken it, but rather that the encrypted value weakens it.
Edit to specifically address the updated question. From a mathematical standpoint, I suspect it would be very difficult to prove that an attacker cannot somehow use both pieces of data to reduce the attack time. Some of the attacks that have been devised against hashing and encryption are extremely sophisticated, so it seems in the realm of the possibility that it could be done. And I do know for sure it is possible to reduce the attack time in some situations. A very specific example:
Suppose the attacker can somehow learn the length of the password from the encrypted version. That would vastly decrease the time of brute-forcing the hash version.
In theory it might be "easier" to get the data; in practice, the cost to attack either/both should still be much too great to be feasible. Most encryption algorithms have brute force crack times in the millions of years. The same is for good hashing algorithms. In fact you can often think of a hash as an encryption where you throw away the key. So, unless you have billions of different hashes/encrypted values hanging around you can't possible provide enough information to cut the brute force time down enough to matter.
[update]
Before anyone else comments on my answer (or votes it down) please read http://en.wikipedia.org/wiki/Cryptographic_hash_function. A hashed value and a encrypted value have the same relative strength, "strong." So unless you can relate the hash and the encryption algo, the hash doesn't provide any more info about the data then the encrypted version.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With