0

I'm in a situation where I need to calculate a hash of the result of the password in plain text plus some random chars representing a session. The gained hash will be compared to another hash that is received by the opponent. The problem is that I only get the full hash from the opponent, which can only be regenerated (or rebuilt) with the plain text password.

What is the best practice in this situation? I thought of an algorithm such as AES for saving passwords in persistent storage to decrypt them later, but since I'm operating with the plain text passwords, it might not be very secure, and another aspect would be the fact that I operate with sensitive information at this point. Salting also seems impossible.

0x8BADF00D
  • Don't keep them in plaintext. You may want to read this... http://security.stackexchange.com/questions/63392/what-is-a-good-analogy-to-explain-why-passwords-should-be-hashed-to-a-layman/63421#63421 – Paddy Jul 19 '14 at 07:09
  • @Paddy I wouldn't, but it seems you didn't get me right. I'd like to store them hashed, salted or whatever, but I need them in plain text for later usage. – 0x8BADF00D Jul 19 '14 at 12:45

2 Answers

2

Hashes are not meant to be reversed, and so there is no way you can use a hash algorithm to protect a password and see the plain text later.

What you can do is use a proper encryption algorithm or public and private keys to encrypt and decrypt the passwords, for example PGP.

Fennec
2

I would highly recommend you look at redesigning your solution to be able to use a hash, rather than working with anything other than a one-way hash.

If you absolutely need to work with the cleartext password, it should be encrypted using a high-level library like NaCl (http://nacl.cr.yp.to/). Symmetric vs. public-key encryption will be a function of your trust boundaries.

I want to emphasize that this is a very bad solution. It's very easy to screw up a cryptosystem, even with a high level library. Crypto is like WarGames: The only way to win is not to play.

Dan Landberg
  • No, I'm not able to use a hash. I used to store the passwords as SHA hashes before, but since my opponent is a network client which generates a hash based on the plain text password, it's just not possible to store them as hashes anymore. Thanks for your answer though, I already took a look into symmetric encryption and played a bit with AES, which is working great in my case. – 0x8BADF00D Jul 23 '14 at 05:48
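The setup discussed in this thread, as an added example that is not code from the question or either answer: the password is stored under authenticated encryption and decrypted only to recompute the client's session hash, which is then compared in constant time. It uses Go's standard-library AES-GCM rather than NaCl; the response format SHA-256(password || session) and the names `newAEAD`, `seal` and `verify` are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts a password for storage as nonce || ciphertext || tag.
func seal(aead cipher.AEAD, password []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, password, nil), nil
}

// verify decrypts the stored record and compares SHA-256(password || session),
// an assumed response format, with the client's hash in constant time.
func verify(aead cipher.AEAD, stored, session, response []byte) bool {
	n := aead.NonceSize()
	if len(stored) < n {
		return false
	}
	password, err := aead.Open(nil, stored[:n], stored[n:], nil)
	if err != nil {
		return false // wrong key or modified record
	}
	sum := sha256.Sum256(append(password, session...))
	return subtle.ConstantTimeCompare(sum[:], response) == 1
}

func main() {
	aead, _ := newAEAD(make([]byte, 32)) // constructed all-zero demo key, valid length
	stored, _ := seal(aead, []byte("constructed-password"))
	resp := sha256.Sum256([]byte("constructed-password" + "constructed-session"))
	fmt.Println(verify(aead, stored, []byte("constructed-session"), resp[:]))
}
```

The encryption key has to live somewhere other than the password store (a key management service or an OS-protected secret), otherwise the encryption adds little over plaintext storage.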