My site is not in production yet and I wanted some advice on password hashing before I go live and it's hard to change things. In general my site is hosted on EC2 and will use Amazon RDS. I'll have security set up so the only way to access the database is if you're connected to the EC2 machine. My site is not going to store any really sensitive financial data but it will certainly store email address and password and there is a high likelihood I will allow PayPal transactions so the user's email address will often also happen to be a PayPal address.
Part of the reason I used the hashing algorithm I did was because I am building an app using Corona SDK. I was planning to use similar hashing functions on the client and server. E.g., I could hash the password on the client and then send the hashed password over SSL to the server. As a side note, I will never store the user's password (hashed or not) on the client.
General questions
So the general idea is that when a user registers, I create a unique userkey for each user. This key is stored in the db. The email address is encrypted using this key and the password is hashed using the same key.
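
    // 16 random bytes from /dev/urandom, stored per user as the "userkey"
    $key = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);

The password hash is created using the following function:

    function hash_string($data, $key) {
        // Initial HMAC-MD5 of the password, keyed with the per-user key
        $hash = hash_hmac('md5', $data, $key);
        // 100 further rounds, each mixing in the previous hash and the key
        for ($i = 1; $i <= 100; $i++) {
            $data = $hash . $data . $key;
            $hash = hash_hmac('md5', $data, $key);
        }
        // hash_hmac() returns a hex string; that string is base64-encoded
        $hash = base64_encode($hash);
        return $hash;
    }

The email address is encrypted using the following function:

    function encrypt_text($key, $string)
    {
        // Rijndael with a 256-bit block size, in ECB mode
        $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
        // An IV is generated here, although ECB mode does not use one
        $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
        $encrypttext = base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $string, MCRYPT_MODE_ECB, $iv));
        return $encrypttext;
    }
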
I found these functions in various places and I don't know much about security so just wanted some feedback.
You store the key you used for the encryption in the same database as the encrypted information? Then it makes no sense, because once someone has access to your database they have the information as well as the key (hence the encryption itself is useless). Spare yourself the trouble.
For the password hashing, there are lots of discussions about this out there, and also good answers on SO; you should probably move away from MD5 and use a better salt.
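
As an added example (not code from the question or the answer), this is one way to act on the advice above in PHP 7.1 or later: the built-in `password_hash()` API replaces the HMAC-MD5 loop with bcrypt and generates a random salt for every password. The function names `make_password_hash` and `check_password`, the cost value and the sample passwords are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example: function names, cost value and sample data are assumptions.
const BCRYPT_OPTIONS = ['cost' => 12];

// Hash a password for storage. password_hash() draws a fresh random salt
// on every call and embeds salt, algorithm and cost in the returned string,
// so no separate per-user key column is needed for the password.
// Note: bcrypt only uses the first 72 bytes of the input.
function make_password_hash(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
}

// Check a login attempt against the stored hash.
// Returns [ok, newHash]; newHash is non-null when the stored hash was made
// with weaker settings and should be replaced in the database.
function check_password(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)
        ? make_password_hash($password)
        : null;
    return [true, $newHash];
}

// Constructed sample data.
$a = make_password_hash('correct horse battery staple');
$b = make_password_hash('correct horse battery staple');

// Same password hashed twice: compare the two stored strings.
var_dump($a !== $b);
var_dump(check_password('correct horse battery staple', $a)[0]);
var_dump(check_password('wrong guess', $a)[0]);

// A hash stored at a lower cost is checked and tested for an upgrade.
$old = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
[$ok, $upgraded] = check_password('correct horse battery staple', $old);
var_dump($ok, $upgraded !== null);
```

The stored string is self-describing, so the cost can be raised later and existing users are upgraded the next time they log in.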