All of the hashes and encryption methods are found in Witango by using the
built-in Meta Tag @CIPHER.

<@CIPHER ACTION=action TYPE=type STR=string [KEY=key] [KEYTYPE] [ENCODING=
encoding]>

Hashes are perfect for a password; you don't need to store the password
itself, just the hash of the password. For additional security you would
append and/or prepend a
"salt" <http://en.wikipedia.org/wiki/Salt_(cryptography)>
or a "nonce" <http://en.wikipedia.org/wiki/Cryptographic_nonce> to the
password before hashing. When comparing, you'd need to be able to find the
salt and/or nonce again before hashing the raw password provided; then
compare the two hashes.

Or, as a shortcut, you can remember that "salt" makes hash taste better. ;-)


SHA256 and SHA512 are the current standard, and would be best if you need
very high security. However, for most of our password applications, SHA (aka
SHA-1), or even MD5, is likely to be good enough for the level of security
our applications require. However, the larger/longer the hash, the more
computations required. And, because of the size/length of numbers used for
SHA224 and SHA512, the calculations are mostly done by software libraries;
these are not offloaded to the FPU, which means it takes much longer to
calculate.

There are also JavaScript implementations available for _all_ of these hash
algorithms in case you wish to move some of the processing client-side, or
else (perhaps in the future) port this to ASP, etc. It's also useful to have
these in JS because, at least on Windows, Witango uses the underlying OS to
help perform these calculations; however, the OS may not implement them all
(i.e., SHA512 isn't available on Windows Server 2000), so having an
implementation of these in JS provides a way for you to still be able to use
them within Witango.

When you are wanting to save Credit Card numbers, you will certainly want a
reversible encryption mechanism, and something which is reasonably strong.
Witango has four reasonable encryption methods to do this built-in:
TripleDES, Rijndael, Blowfish, MARS. The trick here is in how you
create/store the key. Never store the key with the CC#. And be mindful of the
key lengths.

Others already mentioned that you'll want to play around with these before
you use them, and I am going to reiterate that. Do a bit of reading, and
spend at least a day or two trying out the encrypting/decrypting and hashing
features before you decide which will best suit your needs. As you play, you
start to see for yourself the tradeoffs in speed vs. security, which can help
you make your decision.

Anthony -



On 11/24/09, Roland Dumas <radu...@mac.com> wrote:
>
> thank you. I'm ignorant about these things and need more explicit steps:
>
> how does one "hash" a string? There's no <@hash> tag in witango
>
> What if you really want the unhashed string back out? Say, a credit card
> number?
>
>
>
>
> On Nov 24, 2009, at 8:17 AM, Beverly Voth wrote:
>
> > On 11/24/09 11:08 AM, "Roland Dumas" <radu...@mac.com> wrote in whole or in part:
> >
> >>
> >> How does one insert a field into a database - mysql - so that it ends up
> >> encrypted?
> >> Needless to say, the field must be unencryptable in order to compare it to
> >> submissions, as in a password, or unencryptable for export, as in a cc number.
> >>
> >> How does this work?
> >
> > Typically, the data is hashed before INSERT. Then the data to "compare" is
> > also hashed and the two are compared. You don't need to "un-hash" the stored
> > information before comparison.
> >
> > <http://en.wikipedia.org/wiki/Cryptographic_hash_function>
> >
> > Beverly Voth
> >
> > ________________________________________________________________________
> > TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf
> >
>
>
