如何安全有效地将SSN存储在数据库中? [英] How to securely and efficiently store SSN in a database?
问题描述
我的主要问题是,我想检查一个具有相同SSN的人是否与我们有多个帐户。目前所有的个人识别信息都是经过加密的,而且解密花费的时间并不是很多。
我最初的想法是在数据库的用户列中添加一个ssn列。然后,我可以简单地做一个查询,让所有用户使用ssn或用户A.
我不想在数据库中以明文存储ssn。我想只是腌制和散列它。
我的主要问题是,这是安全的(或它有多安全)?有什么简单的方法来使用python进行加密和散列或加密和ssn?
编辑:不需要显示SSN。
这是使用MySQL数据库。
不要加密SSN,攻击者获取DB,他也会得到加密密钥。
仅使用哈希函数是不够的,仅仅添加盐对提高安全性没有多大作用。
$ b
基本上以与密码相同的方式处理SSN。
取而代之的是用随机盐对HMAC进行大约100毫秒的持续时间并保存与散列的盐。使用诸如 PBKDF2 (aka Rfc2898DeriveBytes ), password_hash / password_verify , Bcrypt 以及类似的函数。关键是要让攻击者花费大量时间通过强力查找密码。保护您的用户非常重要,请使用安全的密码方法。
My main problem is that I would like to check if someone with the same SSN has multiple accounts with us. Currently all personally identifiable info is encrypted and decryption takes a non-trivial amount of time.
My initial idea was to add a ssn column to the user column in the database. Then I could simply do a query where I get all users with the ssn or user A.
I don't want to store the ssn in plaintext in the database. I was thinking of just salting and hashing it somehow.
My main question is, is this secure (or how secure is it)? What is there a simple way to salt and hash or encrypt and ssn using python?
Edit: The SSN's do not need to be displayed.
This is using a MySQL database.
Do not encrypt SSNs, when the attacker gets the DB he will also get the encryption key.
Just using a hash function is not sufficient and just adding a salt does little to improve the security.
Basically handle the SSNs inthe same mannor as passwords.
Instead iIterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2 (aka Rfc2898DeriveBytes), password_hash/password_verify, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Protecting your users is important, please use secure password methods.
这篇关于如何安全有效地将SSN存储在数据库中?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
