tags:

views:

316

answers:

1
Q: 

MySQL on Windows: Using SHA-2

Hello guys,

I need to store sensitive data (usernames and passwords) and wanted to do things the right way (storing SHA-256 hashes of (password).(large random number) instead of cleartext passwords. This needs to be done using MySQL and, as far as i know, only MySQL 6 plans to incorporate SHA-2, hence i assume some kind of external application needs to be setup; I would like to make a stored procedure that would calculate the hash of the password (concatenated with the nonce) and store it.

In your opinion, what would be the best way to implement this? I've read a few post here on Stackoverflow and i'm currently heading towards Perl.

Cheers, Hal

PS: OS -> Windows Server 2008

EDIT: damn editor, won't show the correct text. Fixed.

EDIT2: I am not trying to make my own version of SHA2, although it would certainly be fun; i need to use it on a stored procedure in order to hash the original password and I'm just not sure what external module/application/library I should use.

+2  A: 

Your language of choice more than likely provides an implementation of SHA-256. Do not write your own implementation. That is just asking for trouble.

If you posted what your programming language is, I'm sure people would be more than happy to post back with links to documentation for that language.

PS: If you don't have a language in mind already, here's a PHP script I wrote a while back:

Ok, so apparently I lost it. But here is a simpler version:

<?php echo hash("sha256", file_get_contents("php://input"))."\n" ?>

And then you can call it like:

php hash.php

Then type in your information and close inpute (ctrl-x? on Windows)

Matthew Scharley  2009-09-26 10:27:03
Hmmm ok, I didn't make myself clear.I am not trying to make my own version of SHA2, although it would certainly be fun; i need to use it on a stored procedure though and I'm not sure what external module/application/library I should use.
Hal  2009-09-26 10:29:55
MySQL does not support SHA-2 out of the box, hence the question
Hal  2009-09-26 10:31:51
Interesting script; my only real doubt is whether i can call that script using mysql stored procedures...
Hal  2009-09-26 10:37:10
I'm curious, are you using mysql's command line? And if so, what are you trying to achieve doing things manually? If you aren't doing it manually, what programming language are you using? That programming language will have a similar funtion that you can call to hash the password BEFORE you do anything on the database, hence bypassing the whole issue.
Matthew Scharley  2009-09-26 10:39:19
Also, if you **are** doing it manually, why can't you run the script yourself and put in the hashed data manually?
Matthew Scharley  2009-09-26 10:40:02
Can't do it that way due to limitations of the platform i'm working on (WSO2 WSAS). It actually has several fields where the user can paste the SQL script that the server would be using, so my idea was to invoke a stored procedure that would subsequently process the original password and store it in the database. That's why i'm so restricted for the time being, or else i'd have gone with PHP or C# from the start.
Hal  2009-09-26 10:43:13
As such, it can't be done manually since it will be handling data for a large number of persons.
Hal  2009-09-26 10:44:12
The original insertion in the database can (and most likely will be done) in another programming language, but when the users will attempt to login I'd need to hash the password and the nonce
Hal  2009-09-26 10:45:49
My first thought is: you need a better solution. MySQL is a database application. As far as I know, there's no way to call external programs from it.
Matthew Scharley  2009-09-26 10:53:02
To be honest, there's nothing wrong with using SHA1 anyway, or even MD5 for that matter, with a salt, either is perfectly secure.
Matthew Scharley  2009-09-26 10:54:59
Hmmm i see. Did not expect that, should a task is quite easy to do in SQL Server for instance. I guess i'll just SHA1 as you said.Thanks for the input Matthew, really appreciated.Hal
Hal  2009-09-26 10:57:54
I could be wrong, but I've never seen an SQL statement on any server that executes an external program, and a quick search on mysql.org would seem to support my hypothesis, but again, I could be wrong, and I've not really done much with stored procedures before beyond theory.
Matthew Scharley  2009-09-26 11:01:57
SQL Server's way out: http://msdn.microsoft.com/en-us/library/aa260689%28SQL.80%29.aspx
Hal  2009-09-26 11:04:13
Never pass sensitive data as command line arguments to external programs. On may systems (Linux included), the running processes and command line arguments are visible to any non-priveleged user. Bad! Using environment variables or reading from STDIN are secure if you *must* do it this way.
Mark Renouf  2009-09-26 11:06:31
Did not know that, thanks for the input.I'll probably go along with SHA1 anyway
Hal  2009-09-26 11:07:56
This is true. I'll update the script to a still hackish, but far more secure approach.
Matthew Scharley  2009-09-26 11:51:32

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL