How to securely and efficiently store SSN in a database?

Question

My main problem is that I would like to check if someone with the same SSN has multiple accounts with us. Currently all personally identifiable info is encrypted and decryption takes a non-trivial amount of time.

My initial idea was to add a ssn column to the user column in the database. Then I could simply do a query where I get all users with the ssn or user A.

I don't want to store the ssn in plaintext in the database. I was thinking of just salting and hashing it somehow.

My main question is, is this secure (or how secure is it)? What is there a simple way to salt and hash or encrypt and ssn using python?

Edit: The SSN's do not need to be displayed.

This is using a MySQL database.

Answer 1

Do not encrypt SSNs, when the attacker gets the DB he will also get the encryption key.

Just using a hash function is not sufficient and just adding a salt does little to improve the security.

Basically handle the SSNs inthe same mannor as passwords.

Instead iIterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2 (aka Rfc2898DeriveBytes ), password_hash / password_verify , Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force. Protecting your users is important, please use secure password methods.

Answer 2

As per @zaph 's advice. I decided to use PBKDF2. I can then create a BIT column and index that.

My simple hashing looks like

import os
import hashlib


def hash_function(input_str):
    """Run pbkdf2_hmac with a 20byte salt, and 120,000 round on the input."""
    salt = os.urandom(20)
    return hashlib.pbkdf2_hmac('sha256', input_str, salt, 120000)

Answer 3

Your question doesn't make it clear if you need to display those SSNs. I'm going to assume you do not. Store the SSN in a SHA2 hash. You can then do a SQL query to search against those hashed values. Store only the last 4 digits encrypted for display.