I posted a question here...

Protecting Password Hashes with Store Procedures?

...where I asked about denying a website's database user CRUD access to the tables that store password hashes except through stored procedures which only check equality, and don't return the hashes. This would seem to make it impossible to dump the hashes via SQL injection.

The user who posted the answer I accepted, though, mentioned a "dedicated password verification server." I tried to find more information about this but I couldn't...

What are some dedicated password verification server solutions for ASP.NET and what companies use them? Can anyone point me to some information about how they work?

John

1 Answer

He's probably referencing a Hardware Security Module (HSM), which is a single-purpose dedicated hardware device designed to store secrets in a way that protects data even if an attacker has unrestricted physical access to the device.

The idea of these devices is that you pass it data, it encrypts or hashes it, then stores it in a secure storage device. When you want to verify a value, you pass the data to it and it performs the checks for you. That way it doesn't reveal the data at all - it just checks the password for you.

Polynomial
  • Ok, is there anything similar to this that's software-based? – John May 15 '13 at 15:25
  • 1
    @John Not really. The whole benefit of an HSM is that it isn't a general-purpose computing device, so it's much more difficult to attack in traditional ways. – Polynomial May 15 '13 at 15:27
  • @John ultimately it **is** software based. But the software is burned into a device that doesn't expose any access interface other than what is required. Often such devices also have tamper-resistant hardware features as well. You COULD implement this same sort of feature and interface on a general-purpose computer, but that would arguably defeat the purpose. – tylerl May 16 '13 at 05:22
  • @tylerl Do companies ever implement a separate password validation server on a general purpose computer? I'm curious if this approach is used at all since it does seem to add a nice layer of protection. – John May 17 '13 at 16:53
  • @John Typically companies store authentication hashes in the user table. While authentication devices may be better, in practice it's seldom (if ever) actually used. – tylerl May 17 '13 at 17:42
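The following is an added example (not code from the question, the answer, or any commenter) of the software-only variant discussed in both the question and the comment thread: a password-verification service that owns the salted hashes and exposes a single wire entry point answering only "yes" or "no", so the web application, and therefore any SQL injection against the application's own database, never has a path to the stored digests. All names (`VerificationService`, `handle`, the JSON `op` field) and the PBKDF2 work factor are assumptions made for this illustration; in a real deployment the class would run in its own process or host behind a restricted channel, which is the part that actually separates it from the application's database credentials.

```python
"""Minimal password-verification service (added example, not from the page).

Design points it demonstrates:
  * the hash store is private to this process; no operation returns a digest
  * the only network-facing surface is handle(), which accepts a closed set of ops
  * comparison is constant-time and an unknown user costs as much as a wrong password
"""
import hashlib
import hmac
import json
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumption for this example; tune to your hardware.
DEFAULT_ITERATIONS = 600_000

# The complete set of requests the service will answer. There is deliberately
# no "get_hash", "list_users" or "export" op, so the application cannot ask for one.
ALLOWED_OPS = frozenset({"enroll", "verify"})


class VerificationService:
    def __init__(self, iterations=DEFAULT_ITERATIONS):
        self._iterations = iterations
        self._records = {}  # username -> (salt, digest); never leaves this object

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def enroll(self, username, password):
        """Store a fresh salted hash. Returns nothing about the hash itself."""
        salt = os.urandom(16)
        self._records[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        """Return True only if password matches the stored hash for username."""
        record = self._records.get(username)
        if record is None:
            # Burn the same work as a real check so timing does not reveal
            # whether the username exists (constructed dummy salt).
            self._derive(password, b"\x00" * 16)
            return False
        salt, stored = record
        return hmac.compare_digest(self._derive(password, salt), stored)

    def handle(self, request_json):
        """The only entry point reachable from the application side.

        Takes a JSON string like {"op": "verify", "user": "...", "password": "..."}
        and returns a JSON string containing a boolean result and nothing else.
        """
        try:
            req = json.loads(request_json)
            op = req.get("op")
            if op not in ALLOWED_OPS:
                return json.dumps({"ok": False, "error": "unsupported op"})
            user, password = req["user"], req["password"]
            if not isinstance(user, str) or not isinstance(password, str):
                raise TypeError("user and password must be strings")
            if op == "enroll":
                self.enroll(user, password)
                return json.dumps({"ok": True})
            return json.dumps({"ok": self.verify(user, password)})
        except (KeyError, TypeError, ValueError):
            return json.dumps({"ok": False, "error": "malformed request"})


if __name__ == "__main__":
    svc = VerificationService()
    # Constructed sample traffic from the application side.
    print(svc.handle('{"op": "enroll", "user": "alice", "password": "correct horse"}'))
    print(svc.handle('{"op": "verify", "user": "alice", "password": "correct horse"}'))
    print(svc.handle('{"op": "verify", "user": "alice", "password": "wrong"}'))
    print(svc.handle('{"op": "dump_hashes"}'))
```

The application server talks to `handle()` and nothing else, so the worst an injected query against the application's database can reach is the application's own tables; the digests live in a different trust boundary. The dummy derivation on the unknown-user path and `hmac.compare_digest` keep the service from leaking user existence or digest prefixes through timing, which is the kind of detail a stored-procedure-only approach in the same database would still have to get right on its own.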