
Let's say you have two user defined strings, X, Y and you want to hash them into the hash Z. That is what most websites would do, X is the user's password and Y is the salt. It takes a lot of time to turn Z back to X + Y.

What I am looking for, is this plus having the ability to get back X if given Y , Z. So if F was a function where F(X , Y) = Z (acting like SHA1, SHA2, etc), I want a function F' where F'(Z , Y) = X. Is there any kind of hashing algorithm that resembles this?

It looks like public-private key encryption where Y is your public key and X is your message, producing Z, then using a alternate Y private key you can combine it with the Z to recover your message X, but what I want is the ability for X, Y to be arbitrarily user defined. Is this theoretically possible? If so does there exist this kind of "Triangular" encryption algorithm?

I read about https://mysocialcloud.com/ today which is a service that holds ALL your internet passwords in one account. I am almost certain they are storing the passwords in plain text, or even if they encrypted, their server has both the key and the encrypted data, and if it is accessed by an attacker, they would be able to recover all of the users' passwords.

Then I thought about the kind of hashing I mentioned above, how it would work is:

A user sets a "security token", like a password, that is different from their account password. When the user enters their passwords on the service's form, the password is hashed client side using the function F(X, Y) = Z, where Y is their security token and Z is the "hash". Only the "hash" gets stored at the server. When the user wants to recover all of their stored passwords, the server sends the client the "hashes", which can be decoded in the client itself using the user's security token.

With this method the service won't be storing any password data in plain text.

Eric
    The moment you make it reversible, it is no longer hashing but encryption. And yes, if they are storing passwords to be used later they need to be able to decrypt them again; there is nothing inherently wrong with encrypted password databases if one can audit the code, all keys should be kept client side away from server administrators... – ewanm89 Jul 15 '12 at 10:17
  • Oh, and if password is the key, one needs a pretty good key derivation function PBKDF2/bcrypt/scrypt... – ewanm89 Jul 15 '12 at 10:19
  • "We are very secure and make sure to cover many angles to insure your data can never be compromised. Many often ask what exactly we do to make the data so secure. Unfortunately, one of the things that makes the site so secure is that we do not disclose the exact encryption practices." Sounds very competent to me... – CodesInChaos Jul 15 '12 at 22:11
  • @CodeInChaos That's why I use keepass2 and not some random unknown website. – ewanm89 Jul 16 '12 at 09:47

3 Answers


Yes, this is the same as Private Key Cryptography

Symmetric-key algorithms are a class of algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext.

Z=F(X,Y) is the same as C=F(P,K) where C=Ciphertext, F=symmetric algorithm used, P=plain text, and K=user defined key.

AES and Blowfish are two commonly used algorithms.

Nemo

If it's reversible, it's encryption, not a hash.

A well-known method for chaining block ciphers (i.e. AES, Blowfish, 3DES, etc.) is called Output Feedback (OFB). Essentially, instead of encrypting the plaintext, for each block you encrypt the previous block's output. This produces a steady stream of cryptographically-sound pseudo-random bits that you then XOR with your plaintext (à la RC4) to produce the crypto output.

With XOR transformations, if you XOR the output with either of the inputs, you get the other input, which sounds like it fits your scheme.

tylerl

Yes. Use a symmetric-key encryption algorithm to encrypt the data.

In more detail, treat X as the plaintext and Y as the key. Then Z can be obtained by encrypting X under key Y: Z = Encrypt(Y,X). If you have Y and Z, you can recover X by decrypting: treat Y as the key and Z as the ciphertext, and decrypt, i.e., X = Decrypt(Y,Z).

The security of this is only as good as the amount of entropy in Y. You need Y to be unguessable (e.g., have at least 80 bits of true entropy) for this to be secure. If Y is a password, this probably won't be highly secure, as most users choose low-entropy passwords.

But really, the question you are asking is about how to store passwords securely, in a way that the password can be recovered. The answer is to use reversible encryption, but to realize that now the handling of the decryption key is crucial: anyone who gets their hands on the decryption key can decrypt all of the passwords. So it is important to understand that this approach is not creating security out of thin air; it is shuffling around what you have to trust. You still have to keep that key very secure, and the $64,000 question is how to keep that key secure. The standard answer involves things like HSM (hardware security modules) or carefully-secured servers. This is guru-level stuff that you should not be attempting unless you are already experienced at computer security.

See also How should passwords be stored if they must be recoverable?, How to encrypt a password stored in a database (need to decrypt later), Could mint.com be more secure, and if so, how?.

D.W.
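The scheme the three answers converge on, written out as an added example (not code from the question or any answer): the security token Y is stretched with PBKDF2 as the comments suggest, X is XORed with a keystream (HMAC-SHA256 in counter mode stands in for the AES-OFB keystream tylerl describes, since the standard library has no AES), and a MAC makes a wrong token fail loudly instead of returning garbage. The salt, nonce and iteration count are constructed values chosen for this example.

```python
import hashlib
import hmac
import os
import struct

# Added example. Z = encrypt(Y, X) and X = decrypt(Y, Z), as in D.W.'s answer.
# Security is bounded by the entropy of the token Y; PBKDF2 only slows guessing.

def derive_keys(token: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the security token Y into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 200_000, 64)
    return km[:32], km[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC(key, nonce || i), like an OFB/CTR keystream."""
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
    return out[:length]

def encrypt(token: str, password: str) -> bytes:
    """F(X, Y) = Z. Returns salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(token, salt)
    x = password.encode()
    ct = bytes(a ^ b for a, b in zip(x, keystream(enc_key, nonce, len(x))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt(token: str, blob: bytes) -> str:
    """F'(Z, Y) = X. Raises ValueError if Y is wrong or Z was tampered with."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(token, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong security token or corrupted record")
    # XOR with the same keystream recovers X (the XOR property from tylerl's answer).
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct)))).decode()

if __name__ == "__main__":
    z = encrypt("my-security-token", "correct horse battery staple")
    print(len(z), "bytes stored server-side; plaintext recoverable client-side:")
    print(decrypt("my-security-token", z))
```

The server only ever sees the blob; whoever holds the token Y can recover X, which is exactly the trust D.W.'s answer says gets shuffled rather than removed.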