Using an HMAC on an already hashed value, good or bad practice?
Hi all, I have a question on whether this is good practice or not. I am aware that simply double hashing a value can be bad for various reasons.
What I would like to do would be something like this, in PHP.
$val = hash_hmac('sha256', md5($password), $salt);
The reason for this is that we are authenticating with a trusted partner over a closed api. The passwords are stored as an MD5 hash in our DB. However, I don't want our partner to send this same value across the net.
This way I can compare the md5'd password inside our database to the unique hash that our partner has sent.
What say ye?
First of all, is this a user password (i.e., you are authenticating on behalf of a user), or a shared secret between your two servers?
If it's a user password, stop. You are saving passwords in plaintext (or as an unsalted md5). Either way is bad. Save passwords as a salted hash and use OAuth or something to authenticate instead.
If it's a shared secret between two servers (not representing a user), you can still use OAuth or something, but if you just want something simple, you should authenticate like this:
$val = hash_hmac('sha256', $nonce, $secret);
$nonce is a one-time value chosen by the server randomly to prevent replay attacks.
Keep in mind that if you don't have a nonce, then whatever value you send across is your shared secret. It doesn't matter if you derive it from an HMAC of an MD5 or whatever; if it ends up being the same each time, it is equivalent to a password sent across the communications channel. And remember to secure the communications channel from MITMs as well!
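The nonce-based exchange described in the answer above, written out as an added example that is not part of the original post. The function names, the in-memory nonce store and the sample secret are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample secret; both sides would load the real one from configuration.
const SHARED_SECRET = 'constructed-demo-secret-not-for-production';

// Server side: issue a fresh random nonce and remember it until it is used.
// $pending is a hypothetical in-memory store; a real service would keep
// outstanding nonces in a database or cache with an expiry time.
function issueNonce(array &$pending): string
{
    $nonce = bin2hex(random_bytes(16));
    $pending[$nonce] = true;
    return $nonce;
}

// Partner side: prove knowledge of the secret for this one nonce only.
function respond(string $nonce, string $secret): string
{
    return hash_hmac('sha256', $nonce, $secret);
}

// Server side: accept a response only for a nonce we issued, and only once.
function verify(array &$pending, string $nonce, string $response, string $secret): bool
{
    if (!isset($pending[$nonce])) {
        return false;            // unknown or already consumed nonce: treat as replay
    }
    unset($pending[$nonce]);     // consume the nonce before comparing
    $expected = hash_hmac('sha256', $nonce, $secret);
    return hash_equals($expected, $response); // constant-time comparison
}

$pending = [];

// Normal exchange, then the same captured response sent a second time.
$nonce = issueNonce($pending);
$response = respond($nonce, SHARED_SECRET);
var_dump(verify($pending, $nonce, $response, SHARED_SECRET));
var_dump(verify($pending, $nonce, $response, SHARED_SECRET));

// A partner that does not hold the secret answers a fresh nonce.
$nonce2 = issueNonce($pending);
var_dump(verify($pending, $nonce2, respond($nonce2, 'wrong-secret'), SHARED_SECRET));
```

Because the value on the wire changes with every nonce, a captured response is useless for a later login, unlike the fixed `hash_hmac('sha256', md5($password), $salt)` value from the question.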