Encrypt data in Firebase Cloud Functions

sadman rizwan

May 12, 2018, 12:39:29 AM
to Firebase Google Group

I am developing a web app using Firebase, in which teachers can create an assignment and students can submit files in that assignment. I want to implement a password feature where the teacher will be able to set a password while creating the assignment, and only students who know the password will be able to submit.


I have thought of implementing this feature in the following way:


When the teacher sets the password, I will send the password to a Firebase cloud function which will encrypt the password and store it in the Firebase real-time database using the Firebase Admin SDK. When students submit the password, the password will be sent to a cloud function which will decrypt the actual encrypted password (which is stored in the real-time database), match it with the password sent from the client and send a response to the client containing a message which will tell the user whether the password matched or not.

I have four questions.

  1. Will this way (described above) be secure enough?
  2. If this way is secure, then how should I encrypt the password? Is there any library function to encrypt data in Firebase cloud functions? Or should I use my own encryption algorithm?
  3. Is storing the encrypted password in the Firebase real-time database secure? If not, then where should I store it?
  4. If this way is not secure, then how can I implement the feature described above?

Daniel Matějka

May 18, 2018, 3:07:41 PM
to Firebase Google Group
Hi there,

I suggest using password hashing (SHA512 or any similar algorithm will do) instead of encrypting/decrypting, as in case of some kind of attack it will be much harder to break. Also deny all access in the realtime rules (or only to the section containing passwords). Otherwise it looks fine to me.

sadman rizwan

May 19, 2018, 10:20:45 AM
to fireba...@googlegroups.com
Is there any built-in way for password hashing in cloud functions? Or do I have to do it manually?

Daniel Matějka

May 19, 2018, 12:32:17 PM
to Firebase Google Group
Take a look at the NodeJS documentation, specifically the Crypto section (https://nodejs.org/api/crypto.html). At first look it should be easily doable with something like this:
const crypto = require("crypto");
const hash = crypto.createHash("sha512").update("password1234" + "_SALT").digest("hex");
Didn't test it, so tinker with the code. The random string "_SALT" part is not required; it's another security measure "just in case" to randomize the hash more. If you decide to use some salt, don't change it, or otherwise the hash won't be the same!

And save the hash to the database. Next time you generate the hash same way and compare it to saved password.

PS: You should prefer to use some reliable external libraries for algorithms that are not implemented in Node JS as writing your own (ex. hashing) algorithm can be time consuming and you can possibly introduce security issues.
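
An added example, not code from this thread: the store-a-hash-then-compare flow discussed above, using only Node's built-in crypto module, with scrypt and a random per-assignment salt swapped in for the single SHA-512 call and fixed salt string. The function names and the stored record shape are assumptions, and the Cloud Function and database wiring is left out.

```javascript
// Added example, not code from this thread. Uses only Node's built-in crypto.
const crypto = require('crypto');

const SALT_BYTES = 16; // random salt generated per assignment
const KEY_BYTES = 64;  // length of the derived hash that gets stored

// Called when the teacher sets the password. Returns the record to store
// (hypothetical shape) at a database path that rules close to all clients.
function hashAssignmentPassword(password) {
  const salt = crypto.randomBytes(SALT_BYTES);
  const hash = crypto.scryptSync(password, salt, KEY_BYTES);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Called when a student submits a password. Re-derives the hash with the
// stored salt and compares in constant time; malformed input is a mismatch.
function verifyAssignmentPassword(submitted, record) {
  if (typeof submitted !== 'string' || !record) return false;
  if (typeof record.salt !== 'string' || typeof record.hash !== 'string') return false;
  const expected = Buffer.from(record.hash, 'hex');
  if (expected.length !== KEY_BYTES) return false;
  const salt = Buffer.from(record.salt, 'hex');
  const actual = crypto.scryptSync(submitted, salt, KEY_BYTES);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample run: two assignments that share the same password.
function demo() {
  const a = hashAssignmentPassword('password1234');
  const b = hashAssignmentPassword('password1234');
  return {
    correctAccepted: verifyAssignmentPassword('password1234', a),
    wrongRejected: !verifyAssignmentPassword('password12345', a),
    hashesDiffer: a.hash !== b.hash, // per-record salt hides password reuse
  };
}

console.log(demo());
```

Because the salt is stored next to the hash, it never has to stay constant across assignments; only the record for a given assignment must be kept unchanged.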

Joe White

May 19, 2018, 1:35:51 PM
to Firebase Google Group
Why not use Firebase Authentication for the students ... the teacher can use database rules to determine who can access the database.

sadman rizwan

May 19, 2018, 3:51:19 PM
to fireba...@googlegroups.com
I want to implement three types of privacy: Friends, Public and Password protected.
First and second one can be done using database rules. But the third one needs a password authentication system.
The problem is Firebase authentication can be used only for signing in users, not for other tasks.

Kato Richardson

May 21, 2018, 1:29:22 PM
to Firebase Google Group
I'm not really sure what you mean by password protected, but fairly sure that security rules + auth can make that work as well.

☼, Kato

Kato Richardson | Developer Programs Eng | kato...@google.com | 775-235-8398

Joe White

May 21, 2018, 2:44:10 PM
to Firebase Google Group
The password authentication system means you can see if the user is signed in (and who that user is) .. so you can use that for access


Kato Richardson

Jun 2, 2018, 1:27:10 PM
to Firebase Google Group
Should be able to use presence management to determine if user is signed in. Should take into consideration expiration of credentials, which you'd have to manually handle here I think.



