0

This seems somewhat trival but I have spent a bit of time googling with no results. Anyways I am developing a web app and I need to store 'sensitive' data in a mysql database and then access it to authenticate api calls from python. I am no security expert but I have a basic understanding of hashing and encrypting.

I know how to encrypt the data with aes_decrypt aes_encrypt and I also know how to hash the data using the password() function supplied by mysql.

My first question is should I be encrypting this data or hashing it? My second question is I do not know how to 'access' or 'use' the password information in python once I hash it using the password() function in mysql.

Any help is much appreciated.

lawless
  • 191
  • 1
  • 5
  • 15
  • Do you want to _store_ securely your data (that is encrypted at DB level) and/or protect your data while _in transit_ between your web server and your database server (that is using a secure communication channel)? – Sylvain Leroux Jun 23 '13 at 18:15
  • Since the web app is storing the data supplied by the user I would like protect it in transit from the web app to the db as well as hash it once it is in the db in case someone gains access to the server. – lawless Jun 23 '13 at 19:14
  • You cannot store/exchange _data_ as [hash](http://en.wikipedia.org/wiki/Hash_function) since "hashing" is a mapping from a variable length data to fixed length data -- introducing some kind of data loss. Said otherwise, "hashing" is (in the general case) not reversible. You cannot get the original data back from a hash. You are probably looking for [encryption](http://en.wikipedia.org/wiki/Encryption) here. – Sylvain Leroux Jun 23 '13 at 19:17
  • The data that would be entered would be fixed length but yes I would need to retrieve it and then do 'things' with it. So encryption seems to be the way to go. – lawless Jun 23 '13 at 20:29

1 Answers1

0

Firstly I am no python expert, my answer is only aimed for a general approach.

Passwords in web applications are usually stored as hashes, not encrypted, this basically makes it harder for someone to get them if your table is compromised. Hashes should be generated as solid as possible. Please do not just a MD5, better use something more secure (from todays perspective) and salt it properly to minimize the risk of rainbow attacks.

I wouldn't use the MySQL Password() function for this. The documentation says:

The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead.

This leaves SHA2(), if you want to hash with MySQL, though don't forget to salt the string before hashing. My way of doing it would be to hash the string with your application (see python hashlib for reference), salt it like this and then just store the hash in the database. This avoids security issues of your data between your application and the database server.

Community
  • 1
  • 1
Bjoern
  • 15,934
  • 4
  • 43
  • 48