Lol, you should have tested the script before you started to defend him.
generateRandomString is called to make blind ways for potential hackers.
Why do people bother securing data in this fashion? You obviously don't understand basic cryptography if you're using ECB to encrypt such a large amount of data.
First 2-3 variables (first & last name, DOB) are relatively easy to guess and might be stored elsewhere in the database. If you know them, you can decrypt the rest relatively easily.
You might think the whole randomization is clever obfuscation, but sophisticated string pattern analysis will break this in milliseconds. Essentially, anyone that's using code to encrypt user credit card numbers with methods not verified by a professional cryptographer AND network security analyst is only fooling themselves into believing their methods are any better than storing in plaintext against a decent attack.
Securing decryptable data is much more complex than storing hashes, but even experts can fail at securing hashes. One example is a hash authentication blunder shown here... Full Disclosure: MD5 hash extension attack breaks API authentication of Flickr and other online services.
But this is especially moot (no pun intended) when talking about pservers. Almost every pserver admin I've encountered will hand over root to any dev that seems to know what they're talking about. Why bother with such silly encryption when your server can be hacked much easier with extremely minimal social engineering?
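As an added illustration of the ECB point made in the post above (example code written for this thread, not the script being discussed): Go's standard library deliberately provides no ECB mode, so `ecbEncrypt` rebuilds it by hand to show what leaks, `gcmEncrypt` shows the sound alternative, and `repeatedBlocks` is the check a reviewer can run over stored ciphertext to spot ECB. The key, the record layout and the function names are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// ecbEncrypt runs the block cipher over each 16-byte block independently, i.e.
// ECB. Reproduced only to show the leak; input must be a whole number of blocks.
func ecbEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// gcmEncrypt is the sound alternative: AES-GCM with a fresh random nonce prepended.
// Equal records give unrelated ciphertexts, and any edit to the stored bytes fails Open().
func gcmEncrypt(block cipher.Block, plaintext []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// repeatedBlocks counts distinct 16-byte blocks occurring more than once in a
// ciphertext. A non-zero result is the fingerprint of ECB (or a reused IV).
func repeatedBlocks(ciphertext []byte) int {
	seen, dup := map[string]int{}, 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		k := string(ciphertext[i : i+aes.BlockSize])
		if seen[k]++; seen[k] == 2 {
			dup++
		}
	}
	return dup
}
```

Two records that share a field (the same card number, say) produce identical ECB blocks, which is exactly the pattern the post says is broken "in milliseconds"; the GCM output of the same records shares nothing.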
You'd think when it comes to what is effectively a glorified substitution cipher, the randomness of the ciphertext would be the least of people's worries. Is there a lot of entropy? Yes. Enough to make brute force cryptanalysis pointless? Yes, but that's a feature of every modern cryptographic cipher, which this one mostly inherits through the use of AES. Is it going to stump a hacker who's rooted your server? Not really, it's more like a Christmas present. This cipher is only slightly more secure than plain ol' ROT13.
This bolded remark is extremely important. When time permits, I often prefer coding my own application architecture from the ground up. I won't get into the benefits and detriments of this practice, but I must say that one thing I never do myself is anything regarding cryptography. It's a very complex field that has its own set of professionals.
When it comes to this level of security, don't take matters into your own hands unless you know exactly what you're doing. And chances are that you don't. Leave it to the experts in cryptography and security to handle this. There are already many released documents, code examples, and so on from heavily experienced groups and people that will secure whatever you need to secure much more effectively than anything you could come up with on your own. Don't code like you're an expert in cryptography unless you are. Don't take security into your own hands. Use proven methods.