473,722 Members | 2,287 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Securing hashing algorithm

Hello all!

We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice that made sense. One comment I've seen
alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine? Do I use code
access security, role based security, ACLs, etc or combination? And if
combination what combination is the best? The routines will be used by two
"applicatio ns." A ASP.NET and a Windows application. It already has a
strong name and is installed in the GAC. How do I prevent it from being run
by any code besides our two applications? Should it be installed in the
GAC? And if not, how to I guarantee the two applications are using the same
version?

Thanks for your help,
Scott
Nov 16 '05 #1
11 3432

"Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov> wrote in
message news:OP******** ******@TK2MSFTN GP10.phx.gbl...
Hello all!

We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice that made sense. One comment I've seen alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine?

Scott

Disregard that piece of advice "securing the hashing routine" - publish your
hashing routine for all to see, and then and only then can you be sure that
it is a *good* algorithm.

regards
roy
Nov 16 '05 #2
If you use microsoft's hashing algorithms, you dont have to worry about that.
It comes with the SDK.

"Wm. Scott Miller" wrote:
Hello all!

We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice that made sense. One comment I've seen
alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine? Do I use code
access security, role based security, ACLs, etc or combination? And if
combination what combination is the best? The routines will be used by two
"applicatio ns." A ASP.NET and a Windows application. It already has a
strong name and is installed in the GAC. How do I prevent it from being run
by any code besides our two applications? Should it be installed in the
GAC? And if not, how to I guarantee the two applications are using the same
version?

Thanks for your help,
Scott

Nov 16 '05 #3
When using one way hashing like this, you always have one issue - securing
the password/key passed to the keyed hash. I assume your using a "keyed"
hash like HMACSHA1 or a keyed MD5 to hash your secret. Some options are:
1) string encrypted in your program using obfuscator (better then nothing,
but probably not great.)
2) Protected via ACLs in registry, file or smartcard (or others).
3) Use DPAPI to set and get your password in the OS. See
http://msdn.microsoft.com/library/de...l/secmod21.asp

Of the three, DPAPI is probably the best. It is still not perfect as a user
logged in using same user account as app used can decrypt the data. If you
use the machine store, any user could decrypt the data unless you use
additional entropy. So possible a slightly better approach may be to use
machine store so any user on local machine could use your program and keep
your "entropy" encrypted in your program (via obfuscator encryption.) So
not a hacker needs to hack your assembly to figure out general idea of what
your doing, somehow decrypt your entropy (i.e. second pw) and then figure
out how to get data from DPAPI and what store your used, etc. As you can
see, you could keep jumping through hoops hiding data until your blue and
still not get 100% protection.
Possibly a better approach is to use RSA private/public key and client only
knows public key. That way, you have nothing you need to hide. You still
need to protect your client apps public key so it can't be replaced by a
hackers public key, etc.

Naturally, none of this matters if your code is plain .net as hacker can use
ildasm and ilasm to round trip your code and do remove your protections and
public key removing the strong name checking at assembly load time. Only
thing that helps this is obfuscating using a good one (I use and like
XenoCode which also prevents ildasm on your assemblies). Getting to a point
where the only option for the hacker is to hack your code is probably the
best effort and should be the goal I would think.

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov> wrote in
message news:OP******** ******@TK2MSFTN GP10.phx.gbl...
Hello all!

We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice that made sense. One comment I've seen alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine? Do I use code
access security, role based security, ACLs, etc or combination? And if
combination what combination is the best? The routines will be used by two "applicatio ns." A ASP.NET and a Windows application. It already has a
strong name and is installed in the GAC. How do I prevent it from being run by any code besides our two applications? Should it be installed in the
GAC? And if not, how to I guarantee the two applications are using the same version?

Thanks for your help,
Scott


Nov 16 '05 #4
Roy:

We are using an already verified *good* algorithm but have added "spice and
salt" to the routine. This was done to make the routine "slow" enough to
make dictionary attacks a lengthy process.

Scott

"Roy Fine" <rl****@twt.obf uscate.net> wrote in message
news:Oh******** ******@TK2MSFTN GP15.phx.gbl...

"Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov> wrote in
message news:OP******** ******@TK2MSFTN GP10.phx.gbl...
Hello all!

We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot and I've followed most of the advice that made sense. One comment I've seen
alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine?

Scott

Disregard that piece of advice "securing the hashing routine" - publish

your hashing routine for all to see, and then and only then can you be sure that it is a *good* algorithm.

regards
roy

Nov 16 '05 #5
I've noticed by searching the groups that you are a strong supporter of the
"keyed" approach. So, what are the advantages and disadvantages of using
keyed vs non-keyed hashes?

Thanks,
Scott

"William Stacey [MVP]" <st***********@ mvps.org> wrote in message
news:%2******** ********@TK2MSF TNGP14.phx.gbl. ..
When using one way hashing like this, you always have one issue - securing
the password/key passed to the keyed hash. I assume your using a "keyed"
hash like HMACSHA1 or a keyed MD5 to hash your secret. Some options are:
1) string encrypted in your program using obfuscator (better then nothing,
but probably not great.)
2) Protected via ACLs in registry, file or smartcard (or others).
3) Use DPAPI to set and get your password in the OS. See
http://msdn.microsoft.com/library/de...l/secmod21.asp
Of the three, DPAPI is probably the best. It is still not perfect as a user logged in using same user account as app used can decrypt the data. If you use the machine store, any user could decrypt the data unless you use
additional entropy. So possible a slightly better approach may be to use
machine store so any user on local machine could use your program and keep
your "entropy" encrypted in your program (via obfuscator encryption.) So
not a hacker needs to hack your assembly to figure out general idea of what your doing, somehow decrypt your entropy (i.e. second pw) and then figure
out how to get data from DPAPI and what store your used, etc. As you can
see, you could keep jumping through hoops hiding data until your blue and
still not get 100% protection.
Possibly a better approach is to use RSA private/public key and client only knows public key. That way, you have nothing you need to hide. You still
need to protect your client apps public key so it can't be replaced by a
hackers public key, etc.

Naturally, none of this matters if your code is plain .net as hacker can use ildasm and ilasm to round trip your code and do remove your protections and public key removing the strong name checking at assembly load time. Only
thing that helps this is obfuscating using a good one (I use and like
XenoCode which also prevents ildasm on your assemblies). Getting to a point where the only option for the hacker is to hack your code is probably the
best effort and should be the goal I would think.

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov> wrote in
message news:OP******** ******@TK2MSFTN GP10.phx.gbl...
Hello all!

We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot and I've followed most of the advice that made sense. One comment I've

seen
alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine? Do I use code
access security, role based security, ACLs, etc or combination? And if
combination what combination is the best? The routines will be used by

two
"applicatio ns." A ASP.NET and a Windows application. It already has a
strong name and is installed in the GAC. How do I prevent it from being

run
by any code besides our two applications? Should it be installed in the
GAC? And if not, how to I guarantee the two applications are using the

same
version?

Thanks for your help,
Scott

Nov 16 '05 #6
Well in my mind, when using non-keyed hash, you don't need a password to
create the same the hash using the same data. So anyone can look at your
code and figure out you are just using sha (for example) to create your hash
and do the same. Keyed hash gives you a level of security as you need to
know the "key" to gen the same hash. Its like needing to know the password.
Now you need to secure the "shared" password as both sides need to use the
same one. Unfortunately, this means you need to embed it in your code or in
a resource. So you could "hide" it in multple parts of your app and/or use
obfuscator crypto on the string or strings you will combine to create your
clear password. You could then use something like a combination of DPAPI
and the ISO store to store the encrypted key. So you need to be the user
who stored the key and the assembly (I think using ISO) to retreive the key.
The issue is still the first part - where to store the password so I can get
it, encrypt it, and store it? I keep coming back to string crypto using
obfuscator, but maybe there is a better way? Naturally, you may be able to
avoid the above by using PKI public key method. It would depend on what
your doing I guess. Anyway, hth.

From MS HMACSHA1 docs:
"...A keyed hash algorithm is a key-dependent, one-way hash function used as
a message authentication code. Only someone who knows the key can verify the
hash. Keyed hash algorithms provide authenticity without secrecy.

Hash functions are commonly used with digital signatures and for data
integrity. HMACSHA1 is an example of a keyed hash algorithm."
--
William Stacey, MVP
http://mvp.support.microsoft.com

"Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov> wrote in
message news:Om******** ******@TK2MSFTN GP11.phx.gbl...
I've noticed by searching the groups that you are a strong supporter of the "keyed" approach. So, what are the advantages and disadvantages of using
keyed vs non-keyed hashes?

Thanks,
Scott

"William Stacey [MVP]" <st***********@ mvps.org> wrote in message
news:%2******** ********@TK2MSF TNGP14.phx.gbl. ..
When using one way hashing like this, you always have one issue - securing
the password/key passed to the keyed hash. I assume your using a "keyed" hash like HMACSHA1 or a keyed MD5 to hash your secret. Some options are: 1) string encrypted in your program using obfuscator (better then nothing, but probably not great.)
2) Protected via ACLs in registry, file or smartcard (or others).
3) Use DPAPI to set and get your password in the OS. See

http://msdn.microsoft.com/library/de...l/secmod21.asp

Of the three, DPAPI is probably the best. It is still not perfect as a

user
logged in using same user account as app used can decrypt the data. If

you
use the machine store, any user could decrypt the data unless you use
additional entropy. So possible a slightly better approach may be to use machine store so any user on local machine could use your program and keep your "entropy" encrypted in your program (via obfuscator encryption.) So not a hacker needs to hack your assembly to figure out general idea of

what
your doing, somehow decrypt your entropy (i.e. second pw) and then figure out how to get data from DPAPI and what store your used, etc. As you can see, you could keep jumping through hoops hiding data until your blue and still not get 100% protection.
Possibly a better approach is to use RSA private/public key and client

only
knows public key. That way, you have nothing you need to hide. You still need to protect your client apps public key so it can't be replaced by a
hackers public key, etc.

Naturally, none of this matters if your code is plain .net as hacker can

use
ildasm and ilasm to round trip your code and do remove your protections

and
public key removing the strong name checking at assembly load time. Only thing that helps this is obfuscating using a good one (I use and like
XenoCode which also prevents ildasm on your assemblies). Getting to a

point
where the only option for the hacker is to hack your code is probably the best effort and should be the goal I would think.

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov> wrote in
message news:OP******** ******@TK2MSFTN GP10.phx.gbl...
Hello all!

We are building applications here and have hashing algorithms to secure secrets (e.g passwords) by producing one way hashes. Now, I've read alot and I've followed most of the advice that made sense. One comment I've seen
alot about is "securing the hashing routine" but no-one explains how
to accomplish this. So how do I secure my hashing routine? Do I use code access security, role based security, ACLs, etc or combination? And if combination what combination is the best? The routines will be used by two
"applicatio ns." A ASP.NET and a Windows application. It already has
a strong name and is installed in the GAC. How do I prevent it from being run
by any code besides our two applications? Should it be installed in
the GAC? And if not, how to I guarantee the two applications are using

the same
version?

Thanks for your help,
Scott



Nov 16 '05 #7
Correct me if I'm wrong, but storing the password using DPAPI is a good idea
in theory and does make for an extra step for the hacker, but encypting
anything using DPAPI is meaningless in the case of a web server being
compromised on port 80 because the hacker will be running under the context
of the user account that the web server is running which has access to any
DPAPI encrypted values. Additionally, any hacker with their salt (sorry, no
pun intended), will know the DPAPI approach due to is popularity.

The DPAPI option only assists in the case where the server can be
compromised from another server/computer/service. This is where, when using
DPAPI with a user account, the "key" will be protected. If these are not
concerns because of other counter measures taken, then DPAPI is a waste of
time to implement, except for the "defense in depth" argument.

So ***if*** port 80 is the only attack vector, DPAPI provides very limited
additional protection because key or non-keyed routines are equally
compromised with a hacker really wanting to get in.

Is this right or am I missing something?

Scott

"William Stacey [MVP]" <st***********@ mvps.org> wrote in message
news:eZ******** ******@TK2MSFTN GP12.phx.gbl...
Well in my mind, when using non-keyed hash, you don't need a password to
create the same the hash using the same data. So anyone can look at your
code and figure out you are just using sha (for example) to create your hash and do the same. Keyed hash gives you a level of security as you need to
know the "key" to gen the same hash. Its like needing to know the password. Now you need to secure the "shared" password as both sides need to use the
same one. Unfortunately, this means you need to embed it in your code or in a resource. So you could "hide" it in multple parts of your app and/or use obfuscator crypto on the string or strings you will combine to create your
clear password. You could then use something like a combination of DPAPI
and the ISO store to store the encrypted key. So you need to be the user
who stored the key and the assembly (I think using ISO) to retreive the key. The issue is still the first part - where to store the password so I can get it, encrypt it, and store it? I keep coming back to string crypto using
obfuscator, but maybe there is a better way? Naturally, you may be able to avoid the above by using PKI public key method. It would depend on what
your doing I guess. Anyway, hth.

From MS HMACSHA1 docs:
"...A keyed hash algorithm is a key-dependent, one-way hash function used as a message authentication code. Only someone who knows the key can verify the hash. Keyed hash algorithms provide authenticity without secrecy.

Hash functions are commonly used with digital signatures and for data
integrity. HMACSHA1 is an example of a keyed hash algorithm."
--
William Stacey, MVP
http://mvp.support.microsoft.com

"Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov> wrote in
message news:Om******** ******@TK2MSFTN GP11.phx.gbl...
I've noticed by searching the groups that you are a strong supporter of the
"keyed" approach. So, what are the advantages and disadvantages of using
keyed vs non-keyed hashes?

Thanks,
Scott

"William Stacey [MVP]" <st***********@ mvps.org> wrote in message
news:%2******** ********@TK2MSF TNGP14.phx.gbl. ..
When using one way hashing like this, you always have one issue - securing the password/key passed to the keyed hash. I assume your using a "keyed" hash like HMACSHA1 or a keyed MD5 to hash your secret. Some options are: 1) string encrypted in your program using obfuscator (better then nothing, but probably not great.)
2) Protected via ACLs in registry, file or smartcard (or others).
3) Use DPAPI to set and get your password in the OS. See

http://msdn.microsoft.com/library/de...l/secmod21.asp

Of the three, DPAPI is probably the best. It is still not perfect as a user
logged in using same user account as app used can decrypt the data.
If
you
use the machine store, any user could decrypt the data unless you use
additional entropy. So possible a slightly better approach may be to use machine store so any user on local machine could use your program and keep your "entropy" encrypted in your program (via obfuscator encryption.) So not a hacker needs to hack your assembly to figure out general idea of

what
your doing, somehow decrypt your entropy (i.e. second pw) and then figure out how to get data from DPAPI and what store your used, etc. As you can see, you could keep jumping through hoops hiding data until your blue and still not get 100% protection.
Possibly a better approach is to use RSA private/public key and client

only
knows public key. That way, you have nothing you need to hide. You still need to protect your client apps public key so it can't be replaced by
a hackers public key, etc.

Naturally, none of this matters if your code is plain .net as hacker

can use
ildasm and ilasm to round trip your code and do remove your
protections and
public key removing the strong name checking at assembly load time.

Only thing that helps this is obfuscating using a good one (I use and like
XenoCode which also prevents ildasm on your assemblies). Getting to a

point
where the only option for the hacker is to hack your code is probably the best effort and should be the goal I would think.

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Wm. Scott Miller" <Sc**********@s pam.killer.wvin surance.gov> wrote in
message news:OP******** ******@TK2MSFTN GP10.phx.gbl...
> Hello all!
>
> We are building applications here and have hashing algorithms to secure > secrets (e.g passwords) by producing one way hashes. Now, I've read

alot
> and I've followed most of the advice that made sense. One comment I've seen
> alot about is "securing the hashing routine" but no-one explains how to > accomplish this. So how do I secure my hashing routine? Do I use code > access security, role based security, ACLs, etc or combination? And if > combination what combination is the best? The routines will be used by two
> "applicatio ns." A ASP.NET and a Windows application. It already
has a > strong name and is installed in the GAC. How do I prevent it from being run
> by any code besides our two applications? Should it be installed in the > GAC? And if not, how to I guarantee the two applications are using the same
> version?
>
> Thanks for your help,
> Scott
>
>


Nov 16 '05 #8
> Correct me if I'm wrong, but storing the password using DPAPI is a good
idea
in theory and does make for an extra step for the hacker, but encypting
anything using DPAPI is meaningless in the case of a web server being
compromised on port 80 because the hacker will be running under the context of the user account that the web server is running which has access to any
DPAPI encrypted values. Additionally, any hacker with their salt (sorry, no pun intended), will know the DPAPI approach due to is popularity.


(Thinking out load. Please correct if wrong.) If that is the concern then
nothing you do would help. A hacker would need to somehow gain command
level access to your machine via port 80 to be able to exec os commands,
call APIs, etc - no? Is there such an existing attack in IIS/web services?
If there is, millions have bigger issues for a start. So for rest of talk,
lets assume that is not possble (as if it were, we would just unplug our
boxes and wait for a fix or take our chances.) Not sure if it matters if
dpapi is popular or not. It was introduced in NT 4.0 I think but did not
work in somel cases from what I read. W2K and latter was when people really
started using it so not sure it is that popular yet. However it still needs
to standup to popular use, else it is not worth anything as you say.

I could keep spinning here, but still not exactly what your trying to do.
Could you outline (from client to server and back) what your trying to do
exactly and what techs you want to use? Example:
1) Windows client gets password and hashes via xyz using shared secret, etc.
2) Client calls IIS web service for xyz.
3) Web server does xyz and returns xyz to client.
4) ...
Using only IIS web services at server? What about WSE and security? What
about SecureXML? Using web services at Windows client? Some more detail
would help drive further talk. Thanks for interesting discussion.

--
William Stacey, MVP
http://mvp.support.microsoft.com
Nov 16 '05 #9
As for the existance of such a vunerability, I would have to say yes
considering that most of the security sites I read say stuff like "complete
compromise of the server" next to IIS. That to me sounds like being able to
get access to os commands. That is of course for a vunerability that has a
patch, but as we have seen in the past several months/years more and more
vunerabilities are being discovered in almost all software on production
systems worldwide. (Most companies are starting to think of
security....Mic rosoft being the biggest company to finally jump on board)
With that in mind, there is the **possibility** that such a vunerability
still exists and has not been discovered/patched yet. As long as we patch
our systems and keep them up-to-date, the probability of such an attack
becomes more remote, but not altogether impossible.

The original question, was on the line of the "prudent man rule" and was a
query about securing the actual DLL that contains the code of the routine.
On those lines, is that something I should worry about? And, if so, what
should I look into, research, do to accomplish the most secure environment
in the least amount of time. In my reaserch into web site security, they
say that the more elements that are available to the cracker, the more
likely they are to be able to obtain the information you are securing. So,
I'd like to make it as hard as possible to obtain:

1. Actual hashes stored in my system
2. Algorithm I use to generate hashes
3. Their own hashes for dictionary attacks

Number 2 was the issue of the original question as I have a pretty good (I
think) plan for #1 and #3 because of my research. Your point on using a
"keyed hash" interested me because it holds the possibility of increasing
the security of the hashes, which is why I wanted to know more. But all new
things have to be held up against the questions "What does this buy me?" and
"Is it worth the time and money to implement?" That is maybe why I came
across a so dead set against "keyed hashes" but I was just looking into the
first question. I'm still interested in the keyed approach, I'm not sure if
it buys me any more security, though, because in all my research, you are
the first place I've heard to use them (which doesn't mean much as I haven't
real every security article on the web).

So maybe we can approach it this way:

What will keyed hashes buy me in terms of security?

AND

How long will it take to implement and is it worth that much time and money
based on the answer to question #1?

Scott

"William Stacey [MVP]" <st***********@ mvps.org> wrote in message
news:uh******** ******@TK2MSFTN GP10.phx.gbl...
Correct me if I'm wrong, but storing the password using DPAPI is a good idea
in theory and does make for an extra step for the hacker, but encypting
anything using DPAPI is meaningless in the case of a web server being
compromised on port 80 because the hacker will be running under the

context
of the user account that the web server is running which has access to any DPAPI encrypted values. Additionally, any hacker with their salt

(sorry, no
pun intended), will know the DPAPI approach due to is popularity.
(Thinking out load. Please correct if wrong.) If that is the concern

then nothing you do would help. A hacker would need to somehow gain command
level access to your machine via port 80 to be able to exec os commands,
call APIs, etc - no? Is there such an existing attack in IIS/web services? If there is, millions have bigger issues for a start. So for rest of talk, lets assume that is not possble (as if it were, we would just unplug our
boxes and wait for a fix or take our chances.) Not sure if it matters if
dpapi is popular or not. It was introduced in NT 4.0 I think but did not
work in somel cases from what I read. W2K and latter was when people really started using it so not sure it is that popular yet. However it still needs to standup to popular use, else it is not worth anything as you say.

I could keep spinning here, but still not exactly what your trying to do.
Could you outline (from client to server and back) what your trying to do
exactly and what techs you want to use? Example:
1) Windows client gets password and hashes via xyz using shared secret, etc. 2) Client calls IIS web service for xyz.
3) Web server does xyz and returns xyz to client.
4) ...
Using only IIS web services at server? What about WSE and security? What
about SecureXML? Using web services at Windows client? Some more detail
would help drive further talk. Thanks for interesting discussion.

--
William Stacey, MVP
http://mvp.support.microsoft.com

Nov 16 '05 #10

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
1613
by: Michael Pernkopf | last post by:
Hy NG, i´m looking for an object-oriented method (or programmed example) for an algorithm to treat an extendible hashing table. Does anyone know a ressource, where i can find information about implementing such an algorithm, or maybe a finished example? greetings, Michael
3
6500
by: MuZZy | last post by:
Hi, Is there any guarantee that MD5 hashing algorithm implementation will not change in the next .NET version unlike what's happened to String.GetHashcode? Thank you, MuZZy
9
2113
by: Harold Crump | last post by:
Greetings, I have a fairly vanilla PHP web application that stores and retrieves data in a MySQL database. Users will be adding a lot of special characters such as single and double quotes, accented French characters, etc. I want to eliminate any potential for XSS or SQL injection attacks. My question - is it enough to pass all user input through the
8
4574
by: Maya | last post by:
Hello all, I'm using MD5 hashing in my application to give unique values to huge list of items my application receives, originally every item's name was difficult to use as an id for this item although its unique but because it had certain characters and variable lengths I ended up using MD5 hashing of the name.
4
3400
by: wkatz | last post by:
Hi, Gurus. What hashing algorithm outputs hash value as numbers only? For example, if you pass a “John Q. Public” it will output 23324. If there is no such hashing, how hard is it to hire somebody to write a fairly quick one? It could be some fast hashing and then another function that creates numbers. Much obliged. wkatz.
5
2150
by: Andrew Robinson | last post by:
I am working on a pretty simple e-commerce web site that will sell our company gift cards online. Our company and merchant policy prohibits us from storing credit card numbers in any way once we clear the transaction using Pay Flow. To help protect against fraud, I would like to know when the same card number is used to make more than one purchase in a given period of time. Would hashing card numbers and then storing and comparing hashes...
1
1690
by: zoro | last post by:
separate chaining and linear probing are two implementation in hashing that we use to reduce collisions. i know that linear probing is the fastest in general than other implemenataions. but what i'm confused a bout is when the collisions are frequent,which of these implementations will allow fastest searches?
11
2154
by: January Weiner | last post by:
Hello, I need to use a hashing function for relatively short strings (roughly 16 characters or less). The data that needs to be accessed via hash is just a simple int. I just need to look up values in two dimensional matrices each time that I encounter a pair of these strings. I would like to keep the code as simple and standard as possible, but at the same time to have a reasonable performance.
10
409
by: Les Desser | last post by:
In article <fcebdacd-2bd8-4d07-93a8-8b69d3452f3e@s50g2000hsb.googlegroups.com>, The Frog <Mr.Frog.to.you@googlemail.comMon, 14 Apr 2008 00:45:10 writes Thank you for that. It was very clear and I actually understand it!
0
8739
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9382
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
9236
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
9087
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
8043
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
6681
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5995
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
4762
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
2
2601
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.