What is the KEY used in the frameworks?

-1

Generally, when I see systems that have been built without frameworks, there is no use of keys.

However, all the frameworks I have used to date require you to set a key for your application to work.

An example of this is Laravel, where you have a configuration like this:

    /*
    |--------------------------------------------------------------------------
    | Encryption Key
    |--------------------------------------------------------------------------
    |
    | This key is used by the Illuminate encrypter service and should be set
    | to a random, 32 character string, otherwise these encrypted strings
    | will not be safe. Please do this before deploying an application!
    |
    */

    'key' => 'A5CNJaYsFnpC9jpkbAk1nOI1ETUBsJOP',

What is the key used in frameworks?

Is this related to some security scheme?

    
asked by anonymous 15.04.2016 / 19:55

1 answer

2

It is used as the SALT for hashing in PHP.

Laravel works on the password_hash library to generate password-protected keys.

Check out:

Illuminate\Hashing\BcryptHasher line 30

    public function make($value, array $options = [])
    {
        $cost = isset($options['rounds']) ? $options['rounds'] : $this->rounds;

        $hash = password_hash($value, PASSWORD_BCRYPT, ['cost' => $cost]);

        if ($hash === false) {
            throw new RuntimeException('Bcrypt hashing not supported.');
        }

        return $hash;
    }

This random combination will be the salt for hashing. Each KEY will always generate a different hash. This prevents someone who breaks into your database from discovering your customers' passwords, since in this example they will only have access to the password hash, which is a one-way hash.

Never let this key be accessed, because it is linked directly to the hashing of your passwords.

But what does that mean? Hashing? Salt? Cost?

Well, I'm not an expert in this area, but I'll try to help you.

Hashing

Hashing is a method of "hiding" the password or some other text from "intruders". Let's take an example:

See this string:

$2y$10$ZxqbuwvAYAGvhQgl0C9Kh.q.UWCdL1eQg4SMqbrfbvnjX4rOl2AcW

Can you tell what its real value is?

This string is a hash of a password, which in this case is: 102030

My application, with a single SALT, generated this string from 102030.

Is the hash of the password 102030 in my application equal to yours? No, never, because the KEYS (SALT) are unique.

Salt

  

salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated.

Salt is a combination of characters that will be used as a "key" for the hash of your strings.

Cost

  

cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page.

Cost is what the word already says: cost. How much will this hashing cost the processor to compute? Remember: the higher the cost, the less chance someone will brute-force your application, BECAUSE your processor will have more work to do every time someone enters a password.

Okay, but how does an application know that the user entered the correct password while it is "encrypted"?

By the comparison method, young one.

Let's start from the example where a password is generated with KEY x and COST 10.

If the user types the password 102030, equal strings will ALWAYS be generated, since neither the key nor the cost changed.

So take care of the KEY of your application; it is important for this security factor. If someone finds it out, they will be closer to discovering the passwords in your database, and if you change it, all the passwords in your database will become invalid.

Correction

Laravel does not use a SALT to generate the passwords, but uses the KEY for its Encryption library, which is the key set in the configuration. Apart from that, it is the same ideology.

    
15.04.2016 / 20:04
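To make the distinction in the answer's correction concrete, here is an added example in plain PHP (not code from the question, the answer or Laravel itself): bcrypt via password_hash, where the salt is drawn per call and the cost is the work factor, next to a symmetric encryption step, which is the only part that depends on the 32-byte application key. It assumes PHP 7.1 or later with the OpenSSL extension; the key, password and payload values are constructed for the demonstration.

```php
<?php
// Added example, not from the question, the answer or Laravel's own source:
// bcrypt hashing (salt drawn per call, cost as work factor, no app key
// involved) next to symmetric encryption, which is what the 32-byte key is for.

function hashPassword(string $password, int $cost = 10): string
{
    // password_hash() draws a fresh random salt and embeds it, with the
    // cost, in the returned string ($2y$10$<22-char salt><31-char hash>).
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if ($hash === false) {
        throw new RuntimeException('Bcrypt hashing not supported.');
    }
    return $hash;
}

function checkPassword(string $password, string $storedHash): bool
{
    // Salt and cost are read back out of $storedHash; nothing else is needed
    // and the comparison is constant-time.
    return password_verify($password, $storedHash);
}

function encryptValue(string $plaintext, string $key): string
{
    // Encrypt-then-MAC with a random IV; the same 32-byte key drives both.
    $iv = random_bytes(16);
    $cipher = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $cipher, $key, true);
    return base64_encode($iv . $mac . $cipher);
}

function decryptValue(string $payload, string $key): ?string
{
    // null for a malformed, tampered or foreign-key payload: the MAC check fails first.
    $raw = base64_decode($payload, true);
    if ($raw === false || strlen($raw) < 48) return null;
    [$iv, $mac, $cipher] = [substr($raw, 0, 16), substr($raw, 16, 32), substr($raw, 48)];
    if (!hash_equals(hash_hmac('sha256', $iv . $cipher, $key, true), $mac)) return null;
    $plain = openssl_decrypt($cipher, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// Constructed key and password; in Laravel the key is the 'key' config entry.
$key = random_bytes(32);
[$h1, $h2] = [hashPassword('102030'), hashPassword('102030')];
var_dump($h1 !== $h2, checkPassword('102030', $h1));  // two hashes of one password, then verify one
$token = encryptValue('session-data', $key);
var_dump(decryptValue($token, $key), decryptValue($token, random_bytes(32)));  // same key vs. rotated key
```

Rotating the application key leaves every stored password hash verifiable, while anything encrypted under the old key stops decrypting, which is the practical consequence of the answer's correction.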