Question about MD5 !

Mad_T

I'm looking to store some client data in an MySQL DB but secure it as MD5 hash's.

I've looked around and can find examples of writing this to the DB as MD5 so I'm Ok with that.

One of my scripts will use the stored clients ip addess, username and password from my MySQL DB and then use that to login to a remote ldap server.(different server to the one the data is stored in) This works fine..

BUT if I use MD5 hashing will I still be able to resolve the IP Address ?
Will I be able to use the hashed username and password to log into the remote ldap server ?

Thanks

laserlight

No, you should use an encryption algorithm instead of a cryptographic hash algorithm. However, the problem is that the secret key would be stored on the server. If your database server can be compromised together with the web server then this encryption would be pointless.

Mad_T

Thanks

If the details are encrypted in the DB, will they still be usable ?

IE: encrypted URL will still resolve ? encrypted username & password, will still work when connecting the the remote database ?

any suggestion on the encryption etc ?

Thanks 🙂

dagon

If an attacker can obtain the db, then they will probably be able to get the key you use to encrypt the fields, so its of little value. Hashing the passwords makes sense but encrypting the db fields is overkill

laserlight

Mad_T wrote:
If the details are encrypted in the DB, will they still be usable ?

IE: encrypted URL will still resolve ? encrypted username & password, will still work when connecting the the remote database ?

No, you would need to decrypt them first. This is why I stated that you should use an encryption algorithm instead of a cryptographic hash algorithm for this. The problem is key management: you could store the key in a file outside your document root, but if an attacker gets access to both that file and the database, and knows the encryption algorithm (which is likely if he/she got access to that file), then he/she can also decrypt the details.

Mad_T wrote:
any suggestion on the encryption etc ?

There is [man]mcrypt[/man], and you probably would want to use something recognised like AES, but don't jump into this. Cryptography is not a quick fix.