
I'm in a situation where I need to calculate a hash of the result of the passwo


Question

I'm in a situation where I need to calculate a hash of the result of the password in plain text plus some random chars representing a session. The gained hash will be compared to another hash that is received by the opponent. The problem is that I only get the full hash from the opponent, which can only be regenerated (or rebuilt) with the plain text password.

What is the best practice in this situation? I thought of an algorithm such as AES for saving passwords in a persistent storage to decrypt it later, but since I'm operating with the plain text passwords, it might not be very secure, and another aspect would be the fact that I operate with sensitive information at this point. Salting also seems impossible.

Explanation / Answer

I would highly recommend you look at redesigning your solution to be able to use a hash, rather than work with anything other than a one-way hash.

If you absolutely need to work with the cleartext password, it should be encrypted using a high-level library like NaCl. Symmetric vs. public-key encryption will be a function of your trust boundaries.

I want to emphasize that this is a very bad solution. It's very easy to screw up a cryptosystem, even with a high-level library. Crypto is like WarGames: The only way to win is not to play.
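One way the redesign recommended in the answer could look, as an added example that is not part of the original answer: it assumes both sides can change the protocol so that the response is an HMAC over the session challenge, keyed by a salted PBKDF2 output rather than a hash of the plaintext password. All function names, the iteration count and the sample password are hypothetical.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation. Only this output is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def enroll(password: str) -> dict:
    """Server side, once: keep salt + verifier, discard the plaintext."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": derive_verifier(password, salt)}


def new_challenge() -> bytes:
    """Server side, per session: the random session value from the question."""
    return secrets.token_bytes(32)


def client_response(password: str, salt: bytes, challenge: bytes) -> bytes:
    """Client side: re-derive the key from the typed password, MAC the challenge."""
    key = derive_verifier(password, salt)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def server_verify(record: dict, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored verifier, compare in constant time."""
    expected = hmac.new(record["verifier"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    record = enroll("correct horse battery staple")  # constructed sample password
    challenge = new_challenge()
    good = client_response("correct horse battery staple", record["salt"], challenge)
    bad = client_response("wrong guess", record["salt"], challenge)
    replay = server_verify(record, new_challenge(), good)  # old response, new session
    return (server_verify(record, challenge, good), server_verify(record, challenge, bad), replay)


if __name__ == "__main__":
    print(demo())
```

The stored verifier is still password-equivalent for this protocol, since anyone who steals it can answer challenges, so it needs the same protection at rest as any other key; what the redesign removes is the recoverable plaintext.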
