views: 316
answers: 1

Hello guys,

I need to store sensitive data (usernames and passwords) and wanted to do things the right way (storing SHA-256 hashes of (password).(large random number) instead of cleartext passwords). This needs to be done using MySQL and, as far as I know, only MySQL 6 plans to incorporate SHA-2, hence I assume some kind of external application needs to be set up; I would like to make a stored procedure that would calculate the hash of the password (concatenated with the nonce) and store it.

In your opinion, what would be the best way to implement this? I've read a few posts here on Stack Overflow and I'm currently heading towards Perl.

Cheers, Hal

PS: OS -> Windows Server 2008

EDIT: damn editor, won't show the correct text. Fixed.

EDIT2: I am not trying to make my own version of SHA2, although it would certainly be fun; I need to use it in a stored procedure in order to hash the original password and I'm just not sure what external module/application/library I should use.

+2  A: 

Your language of choice more than likely provides an implementation of SHA-256. Do not write your own implementation. That is just asking for trouble.

If you posted what your programming language is, I'm sure people would be more than happy to post back with links to documentation for that language.

PS: If you don't have a language in mind already, here's a PHP script I wrote a while back:

Ok, so apparently I lost it. But here is a simpler version:

<?php echo hash("sha256", file_get_contents("php://input"))."\n" ?>

And then you can call it like:

php hash.php

Then type in your information and close input (ctrl-x? on Windows)

Matthew Scharley
Hmmm ok, I didn't make myself clear. I am not trying to make my own version of SHA2, although it would certainly be fun; I need to use it in a stored procedure though and I'm not sure what external module/application/library I should use.
Hal
MySQL does not support SHA-2 out of the box, hence the question
Hal
Interesting script; my only real doubt is whether I can call that script using MySQL stored procedures...
Hal
I'm curious, are you using MySQL's command line? And if so, what are you trying to achieve doing things manually? If you aren't doing it manually, what programming language are you using? That programming language will have a similar function that you can call to hash the password BEFORE you do anything on the database, hence bypassing the whole issue.
Matthew Scharley
Also, if you **are** doing it manually, why can't you run the script yourself and put in the hashed data manually?
Matthew Scharley
Can't do it that way due to limitations of the platform I'm working on (WSO2 WSAS). It actually has several fields where the user can paste the SQL script that the server would be using, so my idea was to invoke a stored procedure that would subsequently process the original password and store it in the database. That's why I'm so restricted for the time being, or else I'd have gone with PHP or C# from the start.
Hal
As such, it can't be done manually since it will be handling data for a large number of persons.
Hal
The original insertion in the database can (and most likely will) be done in another programming language, but when the users attempt to log in I'd need to hash the password and the nonce.
Hal
My first thought is: you need a better solution. MySQL is a database application. As far as I know, there's no way to call external programs from it.
Matthew Scharley
To be honest, there's nothing wrong with using SHA1 anyway, or even MD5 for that matter, with a salt, either is perfectly secure.
Matthew Scharley
Hmmm I see. Did not expect that; such a task is quite easy to do in SQL Server, for instance. I guess I'll just use SHA1 as you said. Thanks for the input Matthew, really appreciated.
Hal
I could be wrong, but I've never seen an SQL statement on any server that executes an external program, and a quick search on mysql.org would seem to support my hypothesis, but again, I could be wrong, and I've not really done much with stored procedures before beyond theory.
Matthew Scharley
SQL Server's way out: http://msdn.microsoft.com/en-us/library/aa260689%28SQL.80%29.aspx
Hal
Never pass sensitive data as command line arguments to external programs. On many systems (Linux included), the running processes and their command line arguments are visible to any non-privileged user. Bad! Using environment variables or reading from STDIN are secure if you *must* do it this way.
Mark Renouf
Did not know that, thanks for the input. I'll probably go along with SHA1 anyway.
Hal
This is true. I'll update the script to a still hackish, but far more secure approach.
Matthew Scharley
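As an added example (not from the thread or from either poster), here is what the stored-procedure approach Hal describes looks like when done inside MySQL itself, without any external program: the server computes SHA-256 over (password).(random salt) with the built-in SHA2() function and stores only the salt and the hash, and a second procedure recomputes the hash at login. It assumes MySQL 5.5.5 or later for SHA2() and 5.6.17 or later for RANDOM_BYTES(); the table and procedure names, column sizes and the sample user are my own choices.

```sql
-- Added example, not code from the thread. Salted SHA-256 done entirely in
-- MySQL stored procedures (assumes SHA2() and RANDOM_BYTES() are available).
CREATE TABLE users (
  username VARCHAR(64) NOT NULL PRIMARY KEY,
  salt     CHAR(32)    NOT NULL,   -- 16 random bytes, hex-encoded
  pw_hash  CHAR(64)    NOT NULL    -- SHA-256 of CONCAT(password, salt), hex-encoded
);

DELIMITER $$

-- Registration: generate a fresh salt per user and store only the hash.
CREATE PROCEDURE register_user(IN p_username VARCHAR(64), IN p_password VARCHAR(255))
BEGIN
  DECLARE v_salt CHAR(32);
  SET v_salt = HEX(RANDOM_BYTES(16));      -- CSPRNG-backed; do not use RAND() for this
  INSERT INTO users (username, salt, pw_hash)
  VALUES (p_username, v_salt, SHA2(CONCAT(p_password, v_salt), 256));
END$$

-- Login check: recompute the hash with the stored salt.
-- p_ok is 1 when the username exists and the hash matches, 0 otherwise.
CREATE PROCEDURE check_login(IN p_username VARCHAR(64), IN p_password VARCHAR(255),
                             OUT p_ok TINYINT)
BEGIN
  SELECT COUNT(*) INTO p_ok
  FROM users
  WHERE username = p_username
    AND pw_hash  = SHA2(CONCAT(p_password, salt), 256);
END$$

DELIMITER ;

-- Usage with constructed sample values:
CALL register_user('hal', 'correct horse battery staple');
CALL check_login('hal', 'correct horse battery staple', @ok);   -- sets @ok to 1
CALL check_login('hal', 'not the password', @ok);               -- sets @ok to 0
SELECT @ok;
```

Two caveats for anyone running this: the plaintext password travels to the server as an argument of the CALL statement, so it will appear in the general query log and, with statement-based replication, in the binary log, which is why Matthew's suggestion of hashing in the application before the password reaches the database keeps the secret out of more places. And a single SHA-256 round over password.salt is what the question asks for, but it is fast by design; where the application side can be changed, a purpose-built password hash (bcrypt, PBKDF2 or scrypt) with the same per-user salt is the stronger choice.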