Inserting encrypted password using RSACryptoServiceProvider class into DB?

Question

I have WCF service that being used by clients, and the following is my current implementation for user authentication, I want a recommendation to enhance it or better mechanism.

• I am using RSACryptoServiceProvider class (RSA implementation) to save encrypted user passwords into database

• The client should encrypt password every log-in using public key (stored in file) and send it to logging method with user name

• On the server side the log-in method select the encrypted password for the supplied user name and compare decrypted passwords (sent by user and db one) using private key

  Note: every time you encrypt the string using RSA with the same public key a new encrypted bytes generated, so I can not compare encrypted passwords and I have to decrypt them to compare

PS The answers say "For authentication purposes you should avoid storing the passwords using reversible encryption"

I am asking if no one can decrypt the password except if he has the private key, so what is the problem, even the hashing is not reversible but it is broken!!

Answer 1

It's not common practice to store passwords encrypted instead of hashed. Do you have any particular reason to do so?

If no, I would suggest to store the passwords hashed (SHA-2 or something like that) with a salt.

Answer 2

I think there are two issues that need attention:

• How are the passwords transmitted securely?
• How should the passwords be stored securely?

Existing password based key agreements such as SRP address both problems.

Your solution to encrypt passwords with RSA is not bad idea but is a partial solution only: Since RSA randomizes the encryption, it prevents offline dictionary attacks. From your description it is unclear if your proposal prevents replay attacks. Can an attacker login by sending a previously intercepted encrypted password or do you have a countermeasure such as time-stamps?