Is the block header in stratum protocol double hashed?

I’m trying to understand how the block header is done when mining in a stratum pool. Should the block header be hashed once or double hashed ?

the block header consists of the version, previous hash, merkle root, ntime, nbit, and nonce. right?

web application – https security – should password be hashed server-side or client-side?

Hashing on the client makes sense only if you do not trust the server in some way, and do not want to show it the “actual” password (the one which the human user remembers). Why would you not want to show the password to the very site on which the said password has any use ? Because you have reused the password elsewhere ! Now that’s usually bad, but there is a relatively safe version which is incarnated in myriads of browser extensions or bookmarklets such as this one or that one (I don’t vouch for their quality). These are tools where the human user remembers a “master password”, from which a site-specific password is generated, using the site domain name as a kind of salt, so that two distinct sites get distinct passwords.

While this scenario makes sense, doing it with Javascript sent by the server itself does not. Indeed, the point of hashing the password client side is that the server is potentially hostile (e.g. subverted by an attacker), and thus Javascript code sent by that server is, at the very least, suspect. You do not want to enter your precious password in some hostile Javascript…


Another case for client-side hashing is about slow hashing. Since passwords are, by definition, weak, you want to thwart dictionary attacks. You assume that the bad guy got a copy of the server database, and will “try passwords” on his own machines (see this blog post for some discussion on this). To slow down the adversary, you employ an inherently slow hashing process (such as bcrypt), but this will make the processing slow for everybody, including the server. To help the server, you might want to offload some of the work on the client, hence do at least part of it in some Javascript code running in the client browser…

Unfortunately, Javascript is awfully slow at this kind of job (typically 20 to 100 times slower than decent C code), and the client system will not be able to contribute a substantial part to the hashing effort. The idea is sound but will have to wait for better technology (it would have worked with a Java client, though: with a decent JVM, optimized Java code is about 2 to 4 times slower than optimized C code, for a hashing job).


To sum up, there is no really good case for doing client-side password hashing, from Javascript code sent by the server itself. Just send the password “as is” to the server through an HTTPS tunnel (the login page, the form destination URL, and whatever page are protected by the password, shall all be served over SSL, otherwise you have more pressing security issues than the use of passwords).

magento2 – M2 Import customers with API with hashed passwords?

I can import customers with the API using /rest/all/V1/customers endpoint. I can also supply a password.

But is it possible to import a customer with a hashed password? If possible, how would I do that? To be clear, I just want to supply a hashed password in the request. It’s coming from Magento 1 and is MD5 hashed (which M2 supports).

I tried password_hash (named like the field in the table) instead, but that doesn’t work. The field stays NULL.

TL:DR

How can I import customers with hashed passwords with the API?

Why do we need hashed page tables for Paging in Operating Systems?

I understand that we might need hierarchical paging to handle page tables with sizes greater than the size of one frame, but what is the use of Hashed Page tables then? I would understand if we were storing page-numbers and mapped frame numbers as $key-value$ pairs, because then hashing would make the process of accessing a particular $key-value$ pair much faster but can’t we just store the base of the page table and add the virtual page number, go to that index of Page Table, and get the frame number anyway?

encryption – How to identify this hashed text and if it encrypted using a key?

For the second one, I think you mean 152 characters, not 152 bytes. The character set looks like base64, and the equals symbols at the end are another tell-tale sign that this is probably base64, as equals symbols are often used for padding in base64.

In base64, each set of 4 characters represents 3 bytes. You have 150 characters of actual information (again, the last two equals symbols are padding). This equates to 112.5 bytes of data ( (150/4) * 3). That equates to 900 bits of data (8*112.5).

That’s most likely not a hash, as no standard hashing algorithm produces a 900-bit result. It’s most likely not the result of AES encryption either, as AES produces blocks of 128 bits, and 900 is not a multiple of 128.

How to store Hashed Password to the Database using Laravel 5.8

I need to store Password as hashed to the database, I was able to has the password but when I submit my form the password stores as un-hashed,

Here’s my controller Store Function

 public function store(Request $request)
{

    $hash = ('password' => Hash::make($request));

    //dd($hash);
    // HASHED PASSWORD WAS DISPLAYED HERE 


    $user = User::create($this->validateRequest());

    dd('User Created');
}

Here’s my Validate Function

private function validateRequest()
{

    return request()->validate((
        'name' => ('required', 'string', 'max:255'),
        'email' => ('required', 'string', 'email', 'max:255', 'unique:users'),
        'password' => ('required', 'string', 'min:8', 'confirmed'),
        'phone' => 'required',
    ));
}

I tried to do this in my Store Function (But it didn’t work !!)

public function store(Request $request)
    {

        $hash = ('password' => Hash::make($request));

        $user = User::create($this->validateRequest($hash));
        dd('User Created');
   }

Is there a way where I can store the hashed password to the DB by this way ?

Or else do I need to stick to this way ;( ?

$user = User::create((
            'name' => $request('name'),
            'phone' => $request('phone'),
            'email' => $request('email'),
            'password' => Hash::make($request('password')),
        ));

I just wanted my controllers to be clean with few lines of code.

Can someone please help me out.

Thanks

hash – Encrypting hashed password/salt with RSA before storing in the database

As you mentioned in a previous question, the goal of encrypting a hashed password is to add pepper to it, to make it harder (even impossible when a good pepper is used) to brute-force passwords, in the event that the database is breached.

Adding a pepper in a password-hashing function and symmetrically encrypting the hash are functionally equivalent. To obtain the recommended level of cryptographic security, the pepper or the key should be at least 128 bit long and chosen from a cryptographic strong uniformly random source.

Adding the random key as a pepper in the hashing function provides benefits over using the symmetric encryption of the hash:

  • The key does not need to be derived to ensure it conforms to its requirements by the encryption algorithm. The hashing function will take care of that.
  • It is less computationally expensive, while providing exactly the same amount of security. Moreover, most encryption libraries are made to encrypt messages of varying length, while using the fixed length of the hash equal to the block size of the encryption algorithm could allow optimizations (no padding for example). So, using a encryption library could introduce an useless overhead, even though it’s better to use a library rather than rolling your own cryptography.
  • It avoids to make mistakes in the use of encryption: no padding and no random nonce to handle. No weak choice of encryption algorithm possible.
  • It reduces the surface of attack and the maintenance cost: by not using yet another library, one avoids the potential bugs in it and the cost to keep it up-to-date.

Using asymmetric encryption, such as RSA, adds the following drawbacks over just hashing with a pepper:

  • It still needs a symmetric cipher, so all the previous points about symmetric encryption applies here.
  • The recipient and sender are the same: it’s the server. Both the public and private keys are in the same hands. Asymmetric encryption is a functionally useless layer over symmetric encryption here. See nobody’s answer for more details on this point.
  • It adds yet another algorithm, one that is far more error prone than symmetric encryption, as history has proven. Even cryptographers often make mistakes when using asymmetric encryption.
  • Asymmetric encryption if rather inefficient (read “slow”). Especially RSA, which is very slow and needs a very long key.
  • No optimization possible: the use of random nonce and correct padding handling is unavoidable. This is hard and a lot of cryptographic library fail here. Do not assume your code is safe even when correctly using a library: the library must be reviewed by a cryptographer (I write this from experience in my work, I cannot provide citations or examples for it, for confidentiality reasons).

On the other hand, in my knowledge, encrypting hashed passwords offers no real benefit over adding pepper; assuming the pepper is handled as a symmetric cryptographic key.

Claimed benefits cited by the OP in his other question are:

  • From stackoverflow and from security.SE: One can rotate the encryption keys. However, once the database is breached, that is useless: either the encryption is good, and changing the passwords or rotating the key is useless; or the encryption is weak and the passwords need to be changed.
  • From stackoverflow: Encryption is more secure than hashing. That’s wrong.
  • From stackoverflow “since he knows the salt and the output, he can brute force the pepper” The same applies with encryption. This is not an issue with a pepper handled as a key.

encryption – How to find the hashed password contained in an encrypted file?

I have an encrypted “*.pbl” file (100kb) that contain my forgotten password. My password is very easy: number+lower case letters with length=6. Once I find the Hashed password I’ll quickly recover my password.

Of course the hash of a file can be found but it is still not the hash of a password. How do I find the hashed password?

One thing I could possibly do is to create another account with another password; this way I can generate a new encrypted file with the exactly same format and I might be able to find the position of my passwords.


PS: I did check related post but obviously I don’t need to do things like SQL injection because the file has always been on my local machine.

Unable to connect to a chopped database / squilte database because there are no connection details for that, what do you mean by that? hashed data? [closed]

The application detects DB files from where I don't know?

encryption – Can the name and date of birth be hashed in one way or another to generate a secure ID?

I am working on a project that we intend to launch for developing countries and, therefore, we wish to limit the amount of information necessary for connection and identification, while preserving the privacy and individual security.

Speaking to the team, it became clear that passwords are prohibited, as users can end up accessing the service only when they have a third party offering the ability to access Internet (even once or twice a year). Remembering passwords, using email, or anything like that would not work in this scenario.

The bottom line is that I have to store data about each user, and I don't want to have a clue who it is. This is not particularly sensitive data, but I am trying to create something that preserves confidentiality as much as possible.

So I wonder how to identify users with information they know and don't need to put any extra effort in memory.

Consequently, we have limited the usable information to: Full name and date of birth (even DoB may be a problem for some). Intuitively, it doesn't seem like you can build something very secure with this data. A key flaw with the name and DoB is that one can easily browse all combinations of "John Smith" with all possible birth dates and find a matching hash.

Therefore, a rough solution we are thinking of is hashing the name and DoB and using it as "username" (everything happens in the background of course). Some additional steps would include scrambling the date of birth and adding salt to the hash.

Authentication would then be done via facial recognition. The idea is to encrypt a user image with a combination of name and DoB, so at least it is not as easily accessible to the database administrator.

A user would only log in with their name, DoB and image, in a system that would first search in hashes until they find a match, then decrypt the corresponding image and compare the two images to authorize or not the connection.

In summary, the user credentials would be something like:

SHA256(NAME + SCRAMBLED_DOB + SALT) => AES(PICTURE_DATA, (NAME+SCRAMBLED_DOB))

Salt could also be added to the image encryption, so that when connecting:

  1. All potential versions of SCRAMBLED_DOB are tested with multiple salts until a hash contained in the database is found
  2. This hash and this sequence of specific DoB digits found in step 1 are used to decrypt the image.
  3. The image is compared to the image submitted upon connection, which is then deleted

This process could be long, but depending How long, it may be acceptable in the name of confidentiality.

So basically what I'm wondering is:

  1. Would like SHA256(NAME + SCRAMBLED_DOB + SALT) be sufficiently secure, given the requirements of the project?
  2. Any suggestions for a better way to encrypt the image?
  3. Do you have any suggestions for this system as a whole?

Thanks in advance!