Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

is a GUID a good salt? is my register/login process got any flaw?

Tags:

guid

sql-server-2005

hash

salt

If my table inside the database look like:

 userid uniqueidentifier
 username varchar(20)
 password varbinary(max)

When the user submit(to register), I send the user/pass to a stored procedure.

The stored procedure create a new GUID(Using NEWID()) then I use the HashBytes(sha1) function of SQL Server to create the password based on the GUID+password provided then I insert the values into the table above.

When the user submit(to login), I send the user/pass to a stored procedure.

The stored procedure look for the username and grab the userid to compare the hashbyte(sha1) of guid+password with the password field.

do you see any flaw inside that logic?

like image 309
Fredou Avatar asked Jul 28 '09 14:07

Fredou

3 Answers

That's pretty standard - a guid would be fine for a salt. The point of a salt is to prevent Rainbow attacks, and pretty much any value that's random (or even if not random, then at the very least, different) for each user will do the trick.

like image 102
SqlRyan Avatar answered Nov 09 '22 11:11

SqlRyan

If security is the primary concern, I'd rather NOT use a GUID for the salt value.

GUID's come in different "types", with some being more "random" than others. However, even the best type of GUID (this would be V4-type GUID's from a "randomness" perspective) are not really suitable for cryptographic functions.

From the Wikipedia article on GUID's:

V4 GUIDs use the later algorithm, which is a pseudo-random number. These have a "4" in the same position, for example {38a52be4-9352-453e-af97-5c3b448652f0}. More specifically, the 'data3' bit pattern would be 0001xxxxxxxxxxxx in the first case, and 0100xxxxxxxxxxxx in the second. Cryptanalysis of the WinAPI GUID generator shows that, since the sequence of V4 GUIDs is pseudo-random, given the initial state one can predict up to next 250 000 GUIDs returned by the function UuidCreate. This is why GUIDs should not be used in cryptography, e. g., as random keys.

like image 36
CraigTP Avatar answered Nov 09 '22 10:11

CraigTP

As describe, it's not clear how the mechanism works - I assume the userid field contains the generated GUID (otherwise I don't see how you retrieve it for comparison).

There are different types of GUID, not all of them random. But then, randomness is not really required for password salting. All in all, your approach looks fine, though you might consider performing the hashing multiple times ("key strengthening") to improve security further.

like image 41
Michael Borgwardt Avatar answered Nov 09 '22 11:11

Michael Borgwardt
Sign in to Comment

Related questions

Deleting hierarchical data in SQL table
Multiple commands on one line in SQL Server 2005
Filter based on an aliased column name
How to connect to sql-server with windows authentication from windows-service?
SQL Sort Order with Null values last
Find what table a specific index belongs to
"select * into table" Will it work for inserting data into existing table
Make SQL Server faster at manipulating data - turn off transaction logging?
For autoincrement fields: MAX(ID) vs TOP 1 ID ORDER BY ID DESC
Move row from one table to another?
selecting individual xml node using SQL
pyodbc.connect timeout argument is ignored for calls to SQL Server
Selecting between two dates within a DateTime field - SQL Server
Why do SQL Server Scalar-valued functions get slower?
How do I identify a blank uniqueidentifier in SQL Server 2005?
Is it possible to use ROW_NUMBER() OVER/PARTITION BY only when another column is also the same?
What does ORDER BY 5 DESC mean?
SQL View - add default values if null?
Query cost relative to batch is 100%
How to enable Full-text Indexing in SQL Server 2005 Express?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!