Allow a Webapp to send emails to the subscribed users... Addresses in plain text?
News category: IT Security News
Source: reddit.com
For example: "someone tried to log into your account" or "click this link to confirm your identity" or to an administrator "this user asked for more privileges"...
I can't think of many solutions:
- Email address in plain text into the database, a little bit scary.
- Email encrypted with symmetric or asymmetric keys is pointless, it simply slows down an attacker.
- Email hashed, instead of the username, the emails stored in a db table: when a user logs in giving the email as part of his authentication the server can retrieve the emails for that user from the db and forward them to him.
The last one is by far the most secure solution I can think of, but it reduces the availability a lot! In most scenarios the hashed email is ok: for violation attacks to a given username or for confirmation emails the server for example. In other situations it slows down the system, for example if a user wants more privileges urgently...
Another problem arises: a username can have great entropy, an email address is usually far easier to remember, the whole point of an email address is to be easy to remember. Since I can't salt the username/email-address, a dictionary or rainbow table attack on the email would be effective...
- h[username] and h[password,salt] k_u[email-address] with k_u = h[username,salt2] and salt2 stored in plain_text in the DB...
This increases the secrecy of the email-address, the table by 2 more columns, what about the security of the whole system?
    // With a hashed address the server can easily read the email at login and send messages over:
    select * from login where addr = h[address]
    select * from emails where emails.user_id = login.user_id
    if the selection returned something
        send emails to "address" and delete the messages from the db
    check password, roles, etc...

    // With a login table like <user_id, h[user] as user, h[pass,salt], k[address], salt2>
    select * from login where user = h[user]
    select * from emails where emails.user_id = login.user_id
    if there are new emails for the user
        k = h[user,salt2]
        address = k[k[address]]
        send emails to address
        delete the emails from the table
    check password, roles, etc...

Is the cost of the two lines needed to decrypt the email-address worth the increased security?
EDIT: anyway both the solutions I can think of to keep the address secret decrease the availability of the functionality I want to add... Is there another solution to keep the email secure? (The main focus here are confidentiality and integrity over availability, still certain emails are urgent enough to reduce the security of the system if I can't promptly send them over)
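The second login-table layout from the post, written out as a runnable sketch; this is an added example, not part of the original post. It assumes PBKDF2-HMAC-SHA256 for `h`, uses a KDF-derived XOR keystream plus an HMAC tag as a standard-library stand-in for a real authenticated cipher such as AES-GCM, and all function names and the dict-based `db` are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this sketch

def user_hash(username):
    # h[username]: unsalted so it can serve as the lookup column
    return hashlib.sha256(username.encode()).hexdigest()

def kdf(secret, salt, length=32):
    # h[x, salt]: PBKDF2 is this example's choice, the post only says "h"
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=length)

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def register(db, username, password, email):
    salt, salt2, data = os.urandom(16), os.urandom(16), email.encode()
    k_u = kdf(username, salt2, 32 + len(data))  # k_u = h[username, salt2]
    addr = xor(data, k_u[32:])                  # k_u[email-address]
    db[user_hash(username)] = {
        "pass": kdf(password, salt), "salt": salt, "salt2": salt2,
        "addr": addr, "tag": hmac.new(k_u[:32], addr, "sha256").digest(),
        "pending": [],
    }

def queue_mail(db, uhash, message):
    # The server cannot read the address here, so the message waits for a login.
    db[uhash]["pending"].append(message)

def login(db, username, password):
    row = db.get(user_hash(username))
    # This sketch checks the password before touching the address.
    if row is None or not hmac.compare_digest(kdf(password, row["salt"]), row["pass"]):
        return None
    k_u = kdf(username, row["salt2"], 32 + len(row["addr"]))
    tag = hmac.new(k_u[:32], row["addr"], "sha256").digest()
    if not hmac.compare_digest(tag, row["tag"]):
        raise ValueError("stored address was modified")
    address = xor(row["addr"], k_u[32:]).decode()
    outbox = [(address, m) for m in row["pending"]]  # hand these to the mailer
    row["pending"].clear()
    return outbox
```

Because `salt2` sits next to the ciphertext, the address is only as secret as the username is hard to guess, with the KDF cost as the per-guess price.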