Hash algorithms Vs bcrypt and which is better?


First of all, I want to make clear that bcrypt is not a hash algorithm. They're 2 different things, designed to be used for different tasks. There is no 'correct' answer to "is bcrypt encryption better than hash algorithms?" You might as well ask "are apples better than kangaroos?". Since bcrypt can be used in place of a hash algorithm to protect passwords, bcrypt is confusingly referred to as a "hash" algorithm itself. bcrypt is an algorithm that uses Blowfish internally. It is not an encryption algorithm itself. It is used to irreversibly obscure passwords, just as hash functions are used to do a "one-way hash".


Yes, cryptographic hash algorithms (MD5, SHA1, SHA256, SHA512, SHA-3, etc.) are a one-way encryption technique, so they are impossible to reverse. When a user provides a password to log in, the algorithm encrypts it and compares the result with the password stored in the database. If both encrypted hashes match, the user is authenticated; otherwise not. In particular, because of the irreversibility of the hash function, it's assumed that the user isn't an attacker that got hold of the hash and reversed it to find a working password.


On the other hand, bcrypt uses Blowfish for encryption, using a key 'derived' from the password. It only stores ciphertext in the database and never stores the salt in the database. Later, when the user provides a password, the key is derived again and compared with the stored ciphertext; if they match, the user is authenticated. So, just like hash algorithms, bcrypt produces an irreversible output from a password, a salt and stretching. To break this cryptography, an attacker would have to find the key from the ciphertext. This attack is known as 'known-plaintext', since the attacker knows the string that has been encrypted, but not the key used for it. Blowfish has been studied extensively, and no attacks are yet known that would allow an attacker to find the key with a single known plaintext.
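
The login check described above, as an added example that is not part of the original post: an unsalted SHA-256 digest next to a salted, stretched derivation. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt's stretching, and the function names, record layout and iteration count are assumptions of the example.

```python
# Added example: PBKDF2-HMAC-SHA256 (standard library) stands in for bcrypt's
# salt-and-stretch step; record layout and iteration count are assumptions.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; tune to the hardware in use


def fast_hash(password: str) -> str:
    """Single unsalted SHA-256 pass: cheap to compute, identical for equal inputs."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a stretched value from the password and a fresh random salt."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # The parameters travel with the derived value so login can repeat the derivation.
    return f"{iterations}${salt.hex()}${derived.hex()}"


def verify(password: str, record: str) -> bool:
    """Repeat the derivation with the record's parameters and compare the results."""
    try:
        iterations_s, salt_hex, derived_hex = record.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(derived_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if iterations < 1:
        return False  # a record without any stretching is rejected
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    a, b = make_record(pw), make_record(pw)
    print("fast hash repeats:", fast_hash(pw) == fast_hash(pw))
    print("stretched records differ:", a != b)
    print("login ok:", verify(pw, a), "| wrong password:", verify("guess", a))
```

Two users with the same password get the same `fast_hash` digest but different stretched records, and each guess against a stretched record costs the full iteration count.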

So, my recommendation of bcrypt stems from the assumptions

  1. that Blowfish has had a similar level of scrutiny as the SHA-2 family of hash functions, and
  2. that cryptanalytic methods for ciphers are better developed than those for hash functions.

Let me know if you have some other or similar views.


Thanks to Erickson
