Detect duplicates without exposing underlying dataPassword Hashing: add salt + pepper or is salt enough?User authentication + database encryption with same passwordAPI message verification without storing private key?HMACs that have the same key and messageWhat's the recommended way to store at-rest, symmetrically encrypted customer data?How to store secret key used for hashing?Encrypt User specific Information without a password
Late 1970's and 6502 chip facilities for operating systems
What is the size of a set of sets of the empty set , , ?
My Project Manager does not accept carry-over in Scrum, Is that normal?
If an object moving in a circle experiences centripetal force, then doesn't it also experience centrifugal force, because of Newton's third law?
On the meaning of 'anyways' in "What Exactly Is a Quartz Crystal, Anyways?"
Why are there two fundamental laws of logic?
Is there any iPhone SE out there with 3D Touch?
Safe to use 220V electric clothes dryer when building has been bridged down to 110V?
Which place in our solar system is the most fit for terraforming?
Does Sitecore have support for Sitecore products in containers?
Organisational search option
Co-Supervisor comes to office to help her students which distracts me
Is there a way to hide HTML source code yet keeping it effective?
A simple game that keeps track of the number of questions asked
Is it a good idea to leave minor world details to the reader's imagination?
Why does this image of Jupiter look so strange?
Can I take NEW (still in their boxes) PC PARTS in my checked in luggage?
A food item only made possible by time-freezing storage?
Can Northern Ireland's border issue be solved by repartition?
Is it true that, "just ten trading days represent 63 per cent of the returns of the past 50 years"?
How do I set a custom order for folders on Windows 7 and 10?
extracting sublists
To what extent is it worthwhile to report check fraud / refund scams?
What Secular Civic Space Would Pioneers Build For Small Frontier Towns?
Detect duplicates without exposing underlying data
Password Hashing: add salt + pepper or is salt enough?User authentication + database encryption with same passwordAPI message verification without storing private key?HMACs that have the same key and messageWhat's the recommended way to store at-rest, symmetrically encrypted customer data?How to store secret key used for hashing?Encrypt User specific Information without a password
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
We have a scenario where we need to prevent two users from using the same identifier. The identifier is sensitive (e.g. a social security number), so we do not want to store it in our DB. We just want to store some sort of hash that allows us to prevent subsequent users from using it again. And we want to do it securely, so that in the event that the database ever leaked, an attacker could not figure out the original values.
Is it possible to do securely? What is the recommended way?
Based on some research, it seems like a HMAC might work. If that's the case, what's the recommended algorithm? Should it be something slow (like scrypt with a fixed key salt), so that if the key is ever exposed, it's still difficult to uncover the values? Or is there no protection against that?
encryption hash sha hmac scrypt
asked 11 hours ago
Peter WattsPeter Watts
211 bronze badge
New contributor
Peter Watts is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
|
show 6 more comments
We have a scenario where we need to prevent two users from using the same identifier. The identifier is sensitive (e.g. a social security number), so we do not want to store it in our DB. We just want to store some sort of hash that allows us to prevent subsequent users from using it again. And we want to do it securely, so that in the event that the database ever leaked, an attacker could not figure out the original values.
Is it possible to do securely? What is the recommended way?
Based on some research, it seems like a HMAC might work. If that's the case, what's the recommended algorithm? Should it be something slow (like scrypt with a fixed key salt), so that if the key is ever exposed, it's still difficult to uncover the values? Or is there no protection against that?
encryption hash sha hmac scrypt
asked 11 hours ago
Peter WattsPeter Watts
211 bronze badge
New contributor
Peter Watts is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
scrypt is not a HMAC, scrypt is a Key-Derivation Function. A KDF is just fine for these purposes. I recommend Argon2id.
– MechMK1
11 hours ago
2
How much "entropy" does your identifier have? For instance, if it is a social security number, then even a naive calculation suggests the total amount of entropy is low (9 digits = 1 billion possibilities), although actually entropy is much less than that even. As a result, hashing can be very ineffective, because brute-forcing is relatively easy, and extra care is needed. Is it actually a SSN, or is that just an example you picked?
– Conor Mancone
11 hours ago
@MechMK1 so you would use Argon2id with a fixed salt?
– Peter Watts
11 hours ago
1
@PeterWatts Why a fixed salt? That would make things worse. Argon2id has the ability to use a key, just like a HMAC would. Use a unique and sufficiently random salt, in combination with a long, sufficiently random key.
– MechMK1
11 hours ago
1
@MechMK1, I assume it's because the use case requires comparing equality.
– timuzhti
11 hours ago
|
show 6 more comments
We have a scenario where we need to prevent two users from using the same identifier. The identifier is sensitive (e.g. a social security number), so we do not want to store it in our DB. We just want to store some sort of hash that allows us to prevent subsequent users from using it again. And we want to do it securely, so that in the event that the database ever leaked, an attacker could not figure out the original values.
Is it possible to do securely? What is the recommended way?
Based on some research, it seems like a HMAC might work. If that's the case, what's the recommended algorithm? Should it be something slow (like scrypt with a fixed key salt), so that if the key is ever exposed, it's still difficult to uncover the values? Or is there no protection against that?
encryption hash sha hmac scrypt
asked 11 hours ago
Peter WattsPeter Watts
211 bronze badge
New contributor
Peter Watts is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
We have a scenario where we need to prevent two users from using the same identifier. The identifier is sensitive (e.g. a social security number), so we do not want to store it in our DB. We just want to store some sort of hash that allows us to prevent subsequent users from using it again. And we want to do it securely, so that in the event that the database ever leaked, an attacker could not figure out the original values.
Is it possible to do securely? What is the recommended way?
Based on some research, it seems like a HMAC might work. If that's the case, what's the recommended algorithm? Should it be something slow (like scrypt with a fixed key salt), so that if the key is ever exposed, it's still difficult to uncover the values? Or is there no protection against that?
encryption hash sha hmac scrypt
encryption hash sha hmac scrypt
asked 11 hours ago
Peter WattsPeter Watts
211 bronze badge
New contributor
Peter Watts is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 11 hours ago
Peter WattsPeter Watts
211 bronze badge
New contributor
Peter Watts is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 11 hours ago
Peter WattsPeter Watts
211 bronze badge
New contributor
Peter Watts is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 11 hours ago
Peter WattsPeter Watts
211 bronze badge
asked 11 hours ago
Peter WattsPeter Watts
211 bronze badge
211 bronze badge
New contributor
Peter Watts is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Peter Watts is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
2
scrypt is not a HMAC, scrypt is a Key-Derivation Function. A KDF is just fine for these purposes. I recommend Argon2id.
– MechMK1
11 hours ago
2
How much "entropy" does your identifier have? For instance, if it is a social security number, then even a naive calculation suggests the total amount of entropy is low (9 digits = 1 billion possibilities), although actually entropy is much less than that even. As a result, hashing can be very ineffective, because brute-forcing is relatively easy, and extra care is needed. Is it actually a SSN, or is that just an example you picked?
– Conor Mancone
11 hours ago
@MechMK1 so you would use Argon2id with a fixed salt?
– Peter Watts
11 hours ago
1
@PeterWatts Why a fixed salt? That would make things worse. Argon2id has the ability to use a key, just like a HMAC would. Use a unique and sufficiently random salt, in combination with a long, sufficiently random key.
– MechMK1
11 hours ago
1
@MechMK1, I assume it's because the use case requires comparing equality.
– timuzhti
11 hours ago
|
show 6 more comments
2
scrypt is not a HMAC, scrypt is a Key-Derivation Function. A KDF is just fine for these purposes. I recommend Argon2id.
– MechMK1
11 hours ago
2
How much "entropy" does your identifier have? For instance, if it is a social security number, then even a naive calculation suggests the total amount of entropy is low (9 digits = 1 billion possibilities), although actually entropy is much less than that even. As a result, hashing can be very ineffective, because brute-forcing is relatively easy, and extra care is needed. Is it actually a SSN, or is that just an example you picked?
– Conor Mancone
11 hours ago
@MechMK1 so you would use Argon2id with a fixed salt?
– Peter Watts
11 hours ago
1
@PeterWatts Why a fixed salt? That would make things worse. Argon2id has the ability to use a key, just like a HMAC would. Use a unique and sufficiently random salt, in combination with a long, sufficiently random key.
– MechMK1
11 hours ago
1
@MechMK1, I assume it's because the use case requires comparing equality.
– timuzhti
11 hours ago
2
2
scrypt is not a HMAC, scrypt is a Key-Derivation Function. A KDF is just fine for these purposes. I recommend Argon2id.
– MechMK1
11 hours ago
scrypt is not a HMAC, scrypt is a Key-Derivation Function. A KDF is just fine for these purposes. I recommend Argon2id.
– MechMK1
11 hours ago
2
2
How much "entropy" does your identifier have? For instance, if it is a social security number, then even a naive calculation suggests the total amount of entropy is low (9 digits = 1 billion possibilities), although actually entropy is much less than that even. As a result, hashing can be very ineffective, because brute-forcing is relatively easy, and extra care is needed. Is it actually a SSN, or is that just an example you picked?
– Conor Mancone
11 hours ago
How much "entropy" does your identifier have? For instance, if it is a social security number, then even a naive calculation suggests the total amount of entropy is low (9 digits = 1 billion possibilities), although actually entropy is much less than that even. As a result, hashing can be very ineffective, because brute-forcing is relatively easy, and extra care is needed. Is it actually a SSN, or is that just an example you picked?
– Conor Mancone
11 hours ago
@MechMK1 so you would use Argon2id with a fixed salt?
– Peter Watts
11 hours ago
@MechMK1 so you would use Argon2id with a fixed salt?
– Peter Watts
11 hours ago
1
1
@PeterWatts Why a fixed salt? That would make things worse. Argon2id has the ability to use a key, just like a HMAC would. Use a unique and sufficiently random salt, in combination with a long, sufficiently random key.
– MechMK1
11 hours ago
@PeterWatts Why a fixed salt? That would make things worse. Argon2id has the ability to use a key, just like a HMAC would. Use a unique and sufficiently random salt, in combination with a long, sufficiently random key.
– MechMK1
11 hours ago
1
1
@MechMK1, I assume it's because the use case requires comparing equality.
– timuzhti
11 hours ago
@MechMK1, I assume it's because the use case requires comparing equality.
– timuzhti
11 hours ago
|
show 6 more comments
1 Answer
1
active
oldest
votes
I think you're not too far from a possible solution (aka using a modern KDF and effectively treating this like a password). However, there are some more considerations (which were already mentioned in comments):
- SSNs have very low entropy, which means that brute-force is an especially easy attack
- Since you need to find if the SSN has been used anywhere, you basically have to operate without a salt, which also makes brute-forcing substantially easier.
The combination of 1 & 2 would make a KDF a bad idea, even though it is your only option. As a result, finding a different business solution may be in order. However, I think there are a few steps you can take to mitigate the risk if SSN matching is an absolute requirement:
- Make sure and use a large "pepper". Peppers are less commonly used with passwords, so in case you aren't familiar: using a pepper basically means adding a large, constant, random string to the SSN before hashing which is not stored in the database. In this case I would use an especially long pepper. So in practice, this means that you create a 256 bit key that is not stored in the database or codebase but which is added to the SSN before hashing it. You would store it in an environment variable in your production server, or in your CD pipeline, so it is not readily accessible to developers (since they are sometimes the attacker, unfortunately). The reason for this is that if your database leaks but the attacker doesn't have the pepper, then they cannot bruteforce the SSNs (because bruteforcing the SSN would basically require first bruteforcing your 256 bit key, which is impossible).
- Use a very large cost function. All modern KDFs have a configurable cost function, that increases the time it takes to buid the hash (therefore making brute force harder). For something like this I'd set an even-higher-than-usual cost function. I'd probably tune it so that your systems take 1-2 seconds to hash the SSN+pepper. Go even higher if your users can tolerate the wait! This won't fix your bruteforce issue, but it will help.
- Anonymize these hashed SSNs! Basically, store them in a table by themselves with no way to associate them with any other data in the system (i.e. don't assign an autoincrementing id to this table or an entry time, since those might correlate with other tables). Have one table with just one column that is for this purpose and this purpose only. While the SSN alone is still personal information, it is much less dangerous to your users if it is leaked by itself without any further information. Having a table with just the hashed SSNs will still allow you to verify if an SSN has been entered before, so your overall goal can still be accomplished.
So again, your best bet might simply be to find a completely different way to do this without using SSNs. However, if this is an absolute business requirement, then the above steps can go a long way to securing your customer's personal data. Still, I would also check with regulatory requirements for your industry to make sure that you abide by all applicable rules.
answered 9 hours ago
Conor ManconeConor Mancone
15.6k7 gold badges47 silver badges64 bronze badges
Ah! I had not considered that 3rd step. While it would be nice to know which user was associated with the re-used identifier, it's not critical, and seems like a reasonable tradeoff.
– Peter Watts
5 hours ago
1
The problem with storing the SSN with no identifying information is that it provides no recourse in the case of a collision. A hacker could (for example) enroll thousands of random SSNs in an application DoS attack, denying legitimate users the ability to use their own SSN if they are unfortunate enough to collide.
– John Wu
2 hours ago
1
Maybe a hardware security module can be used to store the pepper, if a suitable one can be found, to make it even harder to steal.
– timuzhti
1 hour ago
add a comment
|
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Peter Watts is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218360%2fdetect-duplicates-without-exposing-underlying-data%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I think you're not too far from a possible solution (aka using a modern KDF and effectively treating this like a password). However, there are some more considerations (which were already mentioned in comments):
- SSNs have very low entropy, which means that brute-force is an especially easy attack
- Since you need to find if the SSN has been used anywhere, you basically have to operate without a salt, which also makes brute-forcing substantially easier.
The combination of 1 & 2 would make a KDF a bad idea, even though it is your only option. As a result, finding a different business solution may be in order. However, I think there are a few steps you can take to mitigate the risk if SSN matching is an absolute requirement:
- Make sure and use a large "pepper". Peppers are less commonly used with passwords, so in case you aren't familiar: using a pepper basically means adding a large, constant, random string to the SSN before hashing which is not stored in the database. In this case I would use an especially long pepper. So in practice, this means that you create a 256 bit key that is not stored in the database or codebase but which is added to the SSN before hashing it. You would store it in an environment variable in your production server, or in your CD pipeline, so it is not readily accessible to developers (since they are sometimes the attacker, unfortunately). The reason for this is that if your database leaks but the attacker doesn't have the pepper, then they cannot bruteforce the SSNs (because bruteforcing the SSN would basically require first bruteforcing your 256 bit key, which is impossible).
- Use a very large cost function. All modern KDFs have a configurable cost function, that increases the time it takes to buid the hash (therefore making brute force harder). For something like this I'd set an even-higher-than-usual cost function. I'd probably tune it so that your systems take 1-2 seconds to hash the SSN+pepper. Go even higher if your users can tolerate the wait! This won't fix your bruteforce issue, but it will help.
- Anonymize these hashed SSNs! Basically, store them in a table by themselves with no way to associate them with any other data in the system (i.e. don't assign an autoincrementing id to this table or an entry time, since those might correlate with other tables). Have one table with just one column that is for this purpose and this purpose only. While the SSN alone is still personal information, it is much less dangerous to your users if it is leaked by itself without any further information. Having a table with just the hashed SSNs will still allow you to verify if an SSN has been entered before, so your overall goal can still be accomplished.
So again, your best bet might simply be to find a completely different way to do this without using SSNs. However, if this is an absolute business requirement, then the above steps can go a long way to securing your customer's personal data. Still, I would also check with regulatory requirements for your industry to make sure that you abide by all applicable rules.
answered 9 hours ago
Conor ManconeConor Mancone
15.6k7 gold badges47 silver badges64 bronze badges
Ah! I had not considered that 3rd step. While it would be nice to know which user was associated with the re-used identifier, it's not critical, and seems like a reasonable tradeoff.
– Peter Watts
5 hours ago
1
The problem with storing the SSN with no identifying information is that it provides no recourse in the case of a collision. A hacker could (for example) enroll thousands of random SSNs in an application DoS attack, denying legitimate users the ability to use their own SSN if they are unfortunate enough to collide.
– John Wu
2 hours ago
1
Maybe a hardware security module can be used to store the pepper, if a suitable one can be found, to make it even harder to steal.
– timuzhti
1 hour ago
add a comment
|
I think you're not too far from a possible solution (aka using a modern KDF and effectively treating this like a password). However, there are some more considerations (which were already mentioned in comments):
- SSNs have very low entropy, which means that brute-force is an especially easy attack
- Since you need to find if the SSN has been used anywhere, you basically have to operate without a salt, which also makes brute-forcing substantially easier.
The combination of 1 & 2 would make a KDF a bad idea, even though it is your only option. As a result, finding a different business solution may be in order. However, I think there are a few steps you can take to mitigate the risk if SSN matching is an absolute requirement:
- Make sure and use a large "pepper". Peppers are less commonly used with passwords, so in case you aren't familiar: using a pepper basically means adding a large, constant, random string to the SSN before hashing which is not stored in the database. In this case I would use an especially long pepper. So in practice, this means that you create a 256 bit key that is not stored in the database or codebase but which is added to the SSN before hashing it. You would store it in an environment variable in your production server, or in your CD pipeline, so it is not readily accessible to developers (since they are sometimes the attacker, unfortunately). The reason for this is that if your database leaks but the attacker doesn't have the pepper, then they cannot bruteforce the SSNs (because bruteforcing the SSN would basically require first bruteforcing your 256 bit key, which is impossible).
- Use a very large cost function. All modern KDFs have a configurable cost function, that increases the time it takes to buid the hash (therefore making brute force harder). For something like this I'd set an even-higher-than-usual cost function. I'd probably tune it so that your systems take 1-2 seconds to hash the SSN+pepper. Go even higher if your users can tolerate the wait! This won't fix your bruteforce issue, but it will help.
- Anonymize these hashed SSNs! Basically, store them in a table by themselves with no way to associate them with any other data in the system (i.e. don't assign an autoincrementing id to this table or an entry time, since those might correlate with other tables). Have one table with just one column that is for this purpose and this purpose only. While the SSN alone is still personal information, it is much less dangerous to your users if it is leaked by itself without any further information. Having a table with just the hashed SSNs will still allow you to verify if an SSN has been entered before, so your overall goal can still be accomplished.
So again, your best bet might simply be to find a completely different way to do this without using SSNs. However, if this is an absolute business requirement, then the above steps can go a long way to securing your customer's personal data. Still, I would also check with regulatory requirements for your industry to make sure that you abide by all applicable rules.
answered 9 hours ago
Conor ManconeConor Mancone
15.6k7 gold badges47 silver badges64 bronze badges
Ah! I had not considered that 3rd step. While it would be nice to know which user was associated with the re-used identifier, it's not critical, and seems like a reasonable tradeoff.
– Peter Watts
5 hours ago
1
The problem with storing the SSN with no identifying information is that it provides no recourse in the case of a collision. A hacker could (for example) enroll thousands of random SSNs in an application DoS attack, denying legitimate users the ability to use their own SSN if they are unfortunate enough to collide.
– John Wu
2 hours ago
1
Maybe a hardware security module can be used to store the pepper, if a suitable one can be found, to make it even harder to steal.
– timuzhti
1 hour ago
add a comment
|
I think you're not too far from a possible solution (aka using a modern KDF and effectively treating this like a password). However, there are some more considerations (which were already mentioned in comments):
- SSNs have very low entropy, which means that brute-force is an especially easy attack
- Since you need to find if the SSN has been used anywhere, you basically have to operate without a salt, which also makes brute-forcing substantially easier.
The combination of 1 & 2 would make a KDF a bad idea, even though it is your only option. As a result, finding a different business solution may be in order. However, I think there are a few steps you can take to mitigate the risk if SSN matching is an absolute requirement:
- Make sure and use a large "pepper". Peppers are less commonly used with passwords, so in case you aren't familiar: using a pepper basically means adding a large, constant, random string to the SSN before hashing which is not stored in the database. In this case I would use an especially long pepper. So in practice, this means that you create a 256 bit key that is not stored in the database or codebase but which is added to the SSN before hashing it. You would store it in an environment variable in your production server, or in your CD pipeline, so it is not readily accessible to developers (since they are sometimes the attacker, unfortunately). The reason for this is that if your database leaks but the attacker doesn't have the pepper, then they cannot bruteforce the SSNs (because bruteforcing the SSN would basically require first bruteforcing your 256 bit key, which is impossible).
- Use a very large cost function. All modern KDFs have a configurable cost function, that increases the time it takes to buid the hash (therefore making brute force harder). For something like this I'd set an even-higher-than-usual cost function. I'd probably tune it so that your systems take 1-2 seconds to hash the SSN+pepper. Go even higher if your users can tolerate the wait! This won't fix your bruteforce issue, but it will help.
- Anonymize these hashed SSNs! Basically, store them in a table by themselves with no way to associate them with any other data in the system (i.e. don't assign an autoincrementing id to this table or an entry time, since those might correlate with other tables). Have one table with just one column that is for this purpose and this purpose only. While the SSN alone is still personal information, it is much less dangerous to your users if it is leaked by itself without any further information. Having a table with just the hashed SSNs will still allow you to verify if an SSN has been entered before, so your overall goal can still be accomplished.
So again, your best bet might simply be to find a completely different way to do this without using SSNs. However, if this is an absolute business requirement, then the above steps can go a long way to securing your customer's personal data. Still, I would also check with regulatory requirements for your industry to make sure that you abide by all applicable rules.
answered 9 hours ago
Conor ManconeConor Mancone
15.6k7 gold badges47 silver badges64 bronze badges
I think you're not too far from a possible solution (aka using a modern KDF and effectively treating this like a password). However, there are some more considerations (which were already mentioned in comments):
- SSNs have very low entropy, which means that brute-force is an especially easy attack
- Since you need to find if the SSN has been used anywhere, you basically have to operate without a salt, which also makes brute-forcing substantially easier.
The combination of 1 & 2 would make a KDF a bad idea, even though it is your only option. As a result, finding a different business solution may be in order. However, I think there are a few steps you can take to mitigate the risk if SSN matching is an absolute requirement:
- Make sure and use a large "pepper". Peppers are less commonly used with passwords, so in case you aren't familiar: using a pepper basically means adding a large, constant, random string to the SSN before hashing which is not stored in the database. In this case I would use an especially long pepper. So in practice, this means that you create a 256 bit key that is not stored in the database or codebase but which is added to the SSN before hashing it. You would store it in an environment variable in your production server, or in your CD pipeline, so it is not readily accessible to developers (since they are sometimes the attacker, unfortunately). The reason for this is that if your database leaks but the attacker doesn't have the pepper, then they cannot bruteforce the SSNs (because bruteforcing the SSN would basically require first bruteforcing your 256 bit key, which is impossible).
- Use a very large cost function. All modern KDFs have a configurable cost function, that increases the time it takes to buid the hash (therefore making brute force harder). For something like this I'd set an even-higher-than-usual cost function. I'd probably tune it so that your systems take 1-2 seconds to hash the SSN+pepper. Go even higher if your users can tolerate the wait! This won't fix your bruteforce issue, but it will help.
- Anonymize these hashed SSNs! Basically, store them in a table by themselves with no way to associate them with any other data in the system (i.e. don't assign an autoincrementing id to this table or an entry time, since those might correlate with other tables). Have one table with just one column that is for this purpose and this purpose only. While the SSN alone is still personal information, it is much less dangerous to your users if it is leaked by itself without any further information. Having a table with just the hashed SSNs will still allow you to verify if an SSN has been entered before, so your overall goal can still be accomplished.
So again, your best bet might simply be to find a completely different way to do this without using SSNs. However, if this is an absolute business requirement, then the above steps can go a long way to securing your customer's personal data. Still, I would also check with regulatory requirements for your industry to make sure that you abide by all applicable rules.
answered 9 hours ago
Conor ManconeConor Mancone
15.6k7 gold badges47 silver badges64 bronze badges
answered 9 hours ago
Conor ManconeConor Mancone
15.6k7 gold badges47 silver badges64 bronze badges
answered 9 hours ago
Conor ManconeConor Mancone
15.6k7 gold badges47 silver badges64 bronze badges
answered 9 hours ago
Conor ManconeConor Mancone
15.6k7 gold badges47 silver badges64 bronze badges
15.6k7 gold badges47 silver badges64 bronze badges
Ah! I had not considered that 3rd step. While it would be nice to know which user was associated with the re-used identifier, it's not critical, and seems like a reasonable tradeoff.
– Peter Watts
5 hours ago
1
The problem with storing the SSN with no identifying information is that it provides no recourse in the case of a collision. A hacker could (for example) enroll thousands of random SSNs in an application DoS attack, denying legitimate users the ability to use their own SSN if they are unfortunate enough to collide.
– John Wu
2 hours ago
1
Maybe a hardware security module can be used to store the pepper, if a suitable one can be found, to make it even harder to steal.
– timuzhti
1 hour ago
add a comment
|
Ah! I had not considered that 3rd step. While it would be nice to know which user was associated with the re-used identifier, it's not critical, and seems like a reasonable tradeoff.
– Peter Watts
5 hours ago
1
The problem with storing the SSN with no identifying information is that it provides no recourse in the case of a collision. A hacker could (for example) enroll thousands of random SSNs in an application DoS attack, denying legitimate users the ability to use their own SSN if they are unfortunate enough to collide.
– John Wu
2 hours ago
1
Maybe a hardware security module can be used to store the pepper, if a suitable one can be found, to make it even harder to steal.
– timuzhti
1 hour ago
Ah! I had not considered that 3rd step. While it would be nice to know which user was associated with the re-used identifier, it's not critical, and seems like a reasonable tradeoff.
– Peter Watts
5 hours ago
Ah! I had not considered that 3rd step. While it would be nice to know which user was associated with the re-used identifier, it's not critical, and seems like a reasonable tradeoff.
– Peter Watts
5 hours ago
1
1
The problem with storing the SSN with no identifying information is that it provides no recourse in the case of a collision. A hacker could (for example) enroll thousands of random SSNs in an application DoS attack, denying legitimate users the ability to use their own SSN if they are unfortunate enough to collide.
– John Wu
2 hours ago
The problem with storing the SSN with no identifying information is that it provides no recourse in the case of a collision. A hacker could (for example) enroll thousands of random SSNs in an application DoS attack, denying legitimate users the ability to use their own SSN if they are unfortunate enough to collide.
– John Wu
2 hours ago
1
1
Maybe a hardware security module can be used to store the pepper, if a suitable one can be found, to make it even harder to steal.
– timuzhti
1 hour ago
Maybe a hardware security module can be used to store the pepper, if a suitable one can be found, to make it even harder to steal.
– timuzhti
1 hour ago
add a comment
|
Peter Watts is a new contributor. Be nice, and check out our Code of Conduct.
Peter Watts is a new contributor. Be nice, and check out our Code of Conduct.
Peter Watts is a new contributor. Be nice, and check out our Code of Conduct.
Peter Watts is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f218360%2fdetect-duplicates-without-exposing-underlying-data%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
scrypt is not a HMAC, scrypt is a Key-Derivation Function. A KDF is just fine for these purposes. I recommend Argon2id.
– MechMK1
11 hours ago
2
How much "entropy" does your identifier have? For instance, if it is a social security number, then even a naive calculation suggests the total amount of entropy is low (9 digits = 1 billion possibilities), although actually entropy is much less than that even. As a result, hashing can be very ineffective, because brute-forcing is relatively easy, and extra care is needed. Is it actually a SSN, or is that just an example you picked?
– Conor Mancone
11 hours ago
@MechMK1 so you would use Argon2id with a fixed salt?
– Peter Watts
11 hours ago
1
@PeterWatts Why a fixed salt? That would make things worse. Argon2id has the ability to use a key, just like a HMAC would. Use a unique and sufficiently random salt, in combination with a long, sufficiently random key.
– MechMK1
11 hours ago
1
@MechMK1, I assume it's because the use case requires comparing equality.
– timuzhti
11 hours ago