My main problem is that I would like to check if someone with the same SSN has multiple accounts with us. Currently all personally identifiable info is encrypted and decryption takes a non-trivial amount of time.
My initial idea was to add an SSN column to the user table in the database. Then I could simply do a query where I get all users with the SSN of user A.
I don't want to store the SSN in plaintext in the database. I was thinking of just salting and hashing it somehow.
My main question is, is this secure (or how secure is it)? Is there a simple way to salt and hash or encrypt an SSN using Python?
Edit: The SSN's do not need to be displayed.
This is using a MySQL database.
Do not encrypt SSNs, when the attacker gets the DB he will also get the encryption key.
Just using a hash function is not sufficient and just adding a salt does little to improve the security.
Basically handle the SSNs in the same manner as passwords.
Instead, iterate over an HMAC with a random salt for about a 100 ms duration and save the salt with the hash. Use functions such as PBKDF2 (aka Rfc2898DeriveBytes), password_hash / password_verify, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Protecting your users is important, please use secure password methods.
As per @zaph's advice, I decided to use PBKDF2. I can then create a BIT column and index that.
My simple hashing looks like
import os
import hashlib

def hash_function(input_str):
    """Run pbkdf2_hmac with a 20-byte salt and 120,000 rounds on the input.

    Returns (salt, hash): the salt has to be stored with the hash, otherwise
    the value can never be verified again."""
    salt = os.urandom(20)
    # pbkdf2_hmac works on bytes, so a str input must be encoded first
    digest = hashlib.pbkdf2_hmac('sha256', input_str.encode('utf-8'), salt, 120000)
    return salt, digest
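A complete version of this approach, written as an added example for this thread (it is not zaph's or the asker's code): PBKDF2-HMAC-SHA256 with a per-record salt and iteration count stored alongside the hash, as zaph's answer suggests, a constant-time verify, and the duplicate-account check the question asks for. The storage layout (one fixed-width BINARY(56) value), the helper names and the sample SSNs are assumptions. Note the consequence of a random per-record salt: the duplicate check has to re-derive the hash for every row, so an index on the hash column cannot answer that query and the cost grows with the size of the table.

```python
import os
import hmac
import hashlib

# Constructed example parameters; tune ITERATIONS so that one derivation
# costs roughly 100 ms on the machine that will run it.
ITERATIONS = 120_000
SALT_BYTES = 20
HASH_BYTES = 32          # SHA-256 output length


def normalise_ssn(ssn):
    """Keep digits only so '123-45-6789' and '123456789' hash identically."""
    return "".join(ch for ch in ssn if ch.isdigit())


def hash_ssn(ssn, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 over the SSN with a random per-record salt.

    Returns salt, iteration count and derived key together; all three must
    be stored, or the value can never be verified again. pbkdf2_hmac works
    on bytes, so the normalised string is UTF-8 encoded.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", normalise_ssn(ssn).encode("utf-8"),
                              salt, iterations, dklen=HASH_BYTES)
    return {"salt": salt, "iterations": iterations, "hash": key}


def verify_ssn(ssn, record):
    """Re-derive with the stored salt and iterations; constant-time compare."""
    candidate = hash_ssn(ssn, record["salt"], record["iterations"])["hash"]
    return hmac.compare_digest(candidate, record["hash"])


def pack_record(record):
    """Serialise to one fixed-width value (4-byte iteration count, salt, hash),
    56 bytes in total; a BINARY(56) column is an assumed column choice."""
    return (record["iterations"].to_bytes(4, "big")
            + record["salt"] + record["hash"])


def unpack_record(blob):
    """Inverse of pack_record."""
    iterations = int.from_bytes(blob[:4], "big")
    salt = blob[4:4 + SALT_BYTES]
    key = blob[4 + SALT_BYTES:]
    return {"salt": salt, "iterations": iterations, "hash": key}


def find_duplicate_accounts(ssn, rows):
    """rows: iterable of (user_id, packed_blob) pairs.

    Every row carries its own salt, so the hash is re-derived per row; an
    index on the hash column cannot answer this query.
    """
    return [user_id for user_id, blob in rows
            if verify_ssn(ssn, unpack_record(blob))]


if __name__ == "__main__":
    # constructed sample table: three users, two of them sharing one SSN
    table = [(1, pack_record(hash_ssn("123-45-6789"))),
             (2, pack_record(hash_ssn("987-65-4321"))),
             (3, pack_record(hash_ssn("123456789")))]
    print(find_duplicate_accounts("123-45-6789", table))  # [1, 3]
```

If the duplicate check must stay an indexed equality lookup, the per-row derivation above is the price of the random salt; a lower iteration count only shifts the balance between lookup cost and brute-force cost, it does not remove the trade-off.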
Your question doesn't make it clear if you need to display those SSNs. I'm going to assume you do not. Store the SSN in a SHA2 hash. You can then do a SQL query to search against those hashed values. Store only the last 4 digits encrypted for display.