logistics of hashing messages.

  • (2 Pages)
  • +
  • 1
  • 2

23 Replies - 1183 Views - Last Post: 29 January 2020 - 04:58 AM Rate Topic: -----

#1 Bobby_Bubbles   User is offline

  • D.I.C Regular

Reputation: 1
  • View blog
  • Posts: 339
  • Joined: 13-March 18

logistics of hashing messages.

Posted 09 January 2020 - 03:10 PM

Im working with

password_hash('pass',PASSWORD_DEFAULT)



to be used to hash the messages. but then i thought...how will i verify the hash so i can make it the messages readable?

Preserving privacy is critical. I dont want to go the encryption way because its a single point of failure.

What are some ways to handle the logistics of this?

the only way i thought of is store the hashes in 2 different fields but is the same message. both fields would be able to match a hash to either the sender or recipient.

Is this the ideal way?

This post has been edited by Bobby_Bubbles: 09 January 2020 - 03:15 PM


Is This A Good Question/Topic? 0
  • +

Replies To: logistics of hashing messages.

#2 modi123_1   User is online

  • Suitor #2
  • member icon



Reputation: 15496
  • View blog
  • Posts: 62,055
  • Joined: 12-June 08

Re: logistics of hashing messages.

Posted 09 January 2020 - 03:12 PM

Typically hashing is a one way function. Encryption is the two way function.

So I am not certain if you want to hash a message as no one would get the content if shown later.
Was This Post Helpful? 0
  • +
  • -

#3 Bobby_Bubbles   User is offline

  • D.I.C Regular

Reputation: 1
  • View blog
  • Posts: 339
  • Joined: 13-March 18

Re: logistics of hashing messages.

Posted 09 January 2020 - 03:16 PM

encryption puts the information at risk if security is breached as it has to check for the encryption key. Id rather leave out the server out completely and have it only store the hashed message. So in the event of a breach the messages still remain unreadable.

This post has been edited by Bobby_Bubbles: 09 January 2020 - 03:29 PM

Was This Post Helpful? 0
  • +
  • -

#4 astonecipher   User is offline

  • Senior Systems Engineer
  • member icon

Reputation: 3069
  • View blog
  • Posts: 11,770
  • Joined: 03-December 12

Re: logistics of hashing messages.

Posted 09 January 2020 - 03:26 PM

That isnít how it works, you are not pulling a hashed message out from the hash, that is what encryption is for.

That is what an SSL is for, private and public keys, the server doesnít need both keys.
Was This Post Helpful? 0
  • +
  • -

#5 Bobby_Bubbles   User is offline

  • D.I.C Regular

Reputation: 1
  • View blog
  • Posts: 339
  • Joined: 13-March 18

Re: logistics of hashing messages.

Posted 09 January 2020 - 03:37 PM

not sure if you seen the last message i edited it a few times.

I am trying to avoid encryption because the key has to be read from somewhere the server can reach. With that key it can decrypt information stored in the database.

I want to eliminate that completely and choose hash over encryption.

Hash is a one way which is what i want. With hash the server does not have to read it in order for the users to read it themselves.

SSL still can be bypassed. Look at some of the famous hacks leaked. The database/information was still leaks and im fairly certain that site had SSL. SSL is just a very good wall. But that5s just it. Its a wall. You can go around it. Im just trying to eliminate or mitigate damage should it ever happen.

For hashing i figure all you need is information from the 2 contacts. Maybe combine them together to form salt that could be the answer to another hash which unlocks the message...?

Apparently php salts has been depreciated???

This post has been edited by Bobby_Bubbles: 09 January 2020 - 03:38 PM

Was This Post Helpful? 0
  • +
  • -

#6 astonecipher   User is offline

  • Senior Systems Engineer
  • member icon

Reputation: 3069
  • View blog
  • Posts: 11,770
  • Joined: 03-December 12

Re: logistics of hashing messages.

Posted 09 January 2020 - 03:45 PM

You arenít understanding, hashing is one way. You arenít deciphering it later.

How you handle this for a very secure environment is keys with passphrases.
Was This Post Helpful? 2
  • +
  • -

#7 astonecipher   User is offline

  • Senior Systems Engineer
  • member icon

Reputation: 3069
  • View blog
  • Posts: 11,770
  • Joined: 03-December 12

Re: logistics of hashing messages.

Posted 10 January 2020 - 09:04 AM

This is an example of what I mean using python.


https://medium.com/@...hy-bd6df84d65bc
Was This Post Helpful? 0
  • +
  • -

#8 ArtificialSoldier   User is online

  • D.I.C Lover
  • member icon

Reputation: 2494
  • View blog
  • Posts: 7,551
  • Joined: 15-January 14

Re: logistics of hashing messages.

Posted 10 January 2020 - 12:06 PM

Great news: if you only store hashes, then in the event of any server breech, no one will be able to get the original text from the hashes back. Because it's not possible. Also, even if the server has not been breeched, and everything is working perfectly, you will still not be able to get the original text from the hashes back. Because it's not possible. Because that's not what hashes do. Hashes do not encrypt data into another format, a hash function maps any arbitrary piece of data to a small hash string.

Take SHA-1 as an example. The SHA-1 hash function produces a hash that is 160 bits, or 40 hex characters. Any text, or any data, that you run through SHA-1 will result in a hash value of 160 bits. This means that every one of the infinite possible data inputs will result to one of the 2^160 possible hash strings. So, obviously, since there are infinite inputs, but a finite number of outputs, that means that multiple inputs (actually, infinite inputs) will all map to the same output hash. So, given that output hash, how do you know which of the infinite possible inputs were used to produce the hash? You don't. It's not possible to get the original message back from a hash, because data is lost. You can run the entire text of War And Peace through SHA-1 and get 160 bits of data as output. Do you expect to re-create the entire text of War And Peace from only 160 bits of data?

If you want to retrieve the original message then you use encryption, not hashing. That's what encryption is for. Encryption and hashing are completely different things used for completely different purposes.
Was This Post Helpful? 1
  • +
  • -

#9 Bobby_Bubbles   User is offline

  • D.I.C Regular

Reputation: 1
  • View blog
  • Posts: 339
  • Joined: 13-March 18

Re: logistics of hashing messages.

Posted 15 January 2020 - 04:17 AM

So after a good night sleep i realized i errored badly. i was so fixed with figuring out how i could just hash this i completely ignored the obvious fact that its impossible.

While we are on this point. what are security measures i can take should my server be compromised should i take the encryption route?
Was This Post Helpful? 0
  • +
  • -

#10 Ornstein   User is offline

  • D.I.C Head

Reputation: 32
  • View blog
  • Posts: 64
  • Joined: 13-May 15

Re: logistics of hashing messages.

Posted 15 January 2020 - 05:38 AM

What exactly are you trying to achieve - and exactly how paranoid are you?

If you want a service that is completely server-proof (i.e. the server being compromised can't compromise the security of the data itself) then pretty much all of the burden needs to be placed on the client - with the server acting purely as data storage/retrieval - and the authenticity of the client tool/code/whatever needs to be ensured somehow. That last point depends on exactly how far you're willing to go. Even if the data stored is encrypted at any given time such that an attacker couldn't just "hack" the server and access sensitive information right away, if the server is in any way involved in the encryption/decryption process and/or an attacker has the means to compromise the client also, there's various ways a committed attacker could eventually gain access to plaintexts or keys or whatever else (e.g. code may be modified, logging/snooping tools may be installed, etc).

This post has been edited by Ornstein: 15 January 2020 - 05:40 AM

Was This Post Helpful? 0
  • +
  • -

#11 Bobby_Bubbles   User is offline

  • D.I.C Regular

Reputation: 1
  • View blog
  • Posts: 339
  • Joined: 13-March 18

Re: logistics of hashing messages.

Posted 15 January 2020 - 06:26 AM

this project is for just a small messaging script/chat kind of deal. a way for 2 accounts to talk to each other.

Im not super tight on security but i still like to take reasonable steps.

First off i dont trust the every day client to have the encryption so id rather have the server handle the encryption.

My thoughts were that i could chop up the encryption keys to pieces and scatter it across the servers that i have(i got 2 extra servers that isnt doing much.)

I am also hiding behind tls 2.0
Was This Post Helpful? 0
  • +
  • -

#12 ArtificialSoldier   User is online

  • D.I.C Lover
  • member icon

Reputation: 2494
  • View blog
  • Posts: 7,551
  • Joined: 15-January 14

Re: logistics of hashing messages.

Posted 15 January 2020 - 10:07 AM

If you're using public/private key pairs like with PGP, then the clients can encrypt their messages using the server's public key so that the messages they transmit are already encrypted, and only the server with the private key can decrypt them. In that case, each client would also have to generate its own key pair and so the server would encrypt the messages with the client's public key before sending the message to the client, and then the client would decrypt with its private key. So you would need to store the public key of each client on the server also, or have a way for the server to get the public key when communicating with the client.

As far as how to store the keys on the server, your main goal there is to not let the server get compromised in the first place instead of trying to mitigate damage if it does. Ultimately if an attacker gains control over your server they'll have the same access as you, so they'll be able to figure out how to decrypt whatever you have.
Was This Post Helpful? 0
  • +
  • -

#13 astonecipher   User is offline

  • Senior Systems Engineer
  • member icon

Reputation: 3069
  • View blog
  • Posts: 11,770
  • Joined: 03-December 12

Re: logistics of hashing messages.

Posted 15 January 2020 - 11:41 AM

@art, this is how we deal with encryption at the company and firm levels. Keys locations are stored in azure key vault. That way even if another client gets the data, they can't decrypt it.
Was This Post Helpful? 0
  • +
  • -

#14 CTphpnwb   User is offline

  • D.I.C Lover
  • member icon

Reputation: 3826
  • View blog
  • Posts: 13,946
  • Joined: 08-August 08

Re: logistics of hashing messages.

Posted 15 January 2020 - 07:21 PM

View PostBobby_Bubbles, on 15 January 2020 - 05:17 AM, said:

While we are on this point. what are security measures i can take should my server be compromised should i take the encryption route?

Post some code showing how you intend to access the database. You'll want to know if you're leaving yourself vulnerable. Does it have user supplied data directly in a query? Remember that even query builders can be improperly used, leaving your server open to SQL injection attacks.
Was This Post Helpful? 1
  • +
  • -

#15 Bobby_Bubbles   User is offline

  • D.I.C Regular

Reputation: 1
  • View blog
  • Posts: 339
  • Joined: 13-March 18

Re: logistics of hashing messages.

Posted 28 January 2020 - 10:51 AM

@astonecipher can you provide more information regarding this? i think this may very well be the solution i was looking for.

this is my code, obviously its preapred statements.


if($gchat = mysqli_prepare($conn,"SELECT * FROM messages WHERE sid=? OR rid=? AND type='Store' ORDER BY id DESC LIMIT 5")){
						mysqli_stmt_bind_param($gchat,"ii",$account['id'],$account['id']);
						if(mysqli_stmt_execute($gchat)){
							echo '<div class="grid2">';
							$result = mysqli_stmt_get_result($gchat);
							while($chat = mysqli_fetch_array($result, MYSQLI_ASSOC)){
								if($account['id'] == $chat['sid']){
									echo '<div class="chatmsg2"><div class="speech right">'.$chat['message'].'</div></div><div class="avatar2"><img class="img" src="images/default.png" width="50" height="50"/></div>';
								}else{
									echo '<div class="avatar"><img class="img" src="images/default.png" width="50" height="50"/></div><div class="chatmsg"><div class="speech left">'.$chat['message'].'</div></div>';
								}
							}
							echo '</div><form action="?store='.$storeid.'&tab=message&act=send" method="POST"><input type=text name=message /><input type=submit value="Send"/></form>';
						}else{
							echo 'cannot be executed';
						}
					}else{
						echo 'cannot be queried';
					}



let me know.
Was This Post Helpful? 0
  • +
  • -

  • (2 Pages)
  • +
  • 1
  • 2