
Author Topic: smf, password, java, special signs  (Read 6012 times)

Offline Bacsu

  • Newbie
  • *
  • Posts: 6
smf, password, java, special signs
« on: July 16, 2009, 07:07:02 AM »
Hello there,

I have another question about the encrypted passwords in the DB. I'm trying to let a Java browser game use the forum DB. This works fine as long as the user has no special signs like " !|" in his username or pw. The SHA-1 hash generated by SMF is completely different from the one generated by Java or by a manual insert with phpMyAdmin in the DB. What is SMF doing with special signs when a hash is generated? Is there any way to fix it in Java?

Offline N3RVE

  • SMF Friend
  • SMF Hero
  • *
  • Posts: 8,906
  • Gender: Male
    • N3RVE.COM
Re: smf, password, java, special signs
« Reply #1 on: July 16, 2009, 08:22:29 AM »
Moving this to a more appropriate section.

-[n3rve]
Ralph "[n3rve]" Otowo
Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org                       
Quote
“Somewhere, something incredible is waiting to be known.” - Carl Sagan

Offline Bacsu

  • Newbie
  • *
  • Posts: 6
Re: smf, password, java, special signs
« Reply #2 on: July 16, 2009, 09:46:52 AM »
Thanks a lot.

Offline H

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 21,656
  • Gender: Male
Re: smf, password, java, special signs
« Reply #3 on: July 18, 2009, 06:23:24 PM »
Have you looked at the PHP code SMF uses for the password?

sha1(strtolower($username) . $password)

As you can see, I don't think anything special is done there unless the core PHP functions themselves are doing something. People have asked about Java here before, so a search may bring up a working Java 'hash checker'.
-H
Former Support Team Lead
                              I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)
                             

Offline Bacsu

  • Newbie
  • *
  • Posts: 6
Re: smf, password, java, special signs
« Reply #4 on: July 21, 2009, 05:04:17 AM »
Yep. I made strtolower id+password. Users who have no numbers or special signs can log in. Users with special signs can't log in.

Offline H

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 21,656
  • Gender: Male
Re: smf, password, java, special signs
« Reply #5 on: July 23, 2009, 03:39:52 PM »
Did you have a look at just generating hashes in PHP (without SMF) and the function above? That should show you if it is something PHP is doing or if SMF is doing something with the password somewhere.
-H
                             

Offline Bacsu

  • Newbie
  • *
  • Posts: 6
Re: smf, password, java, special signs
« Reply #6 on: July 24, 2009, 02:08:06 PM »
Yep. Did it. It's the same hash. Finally I found where SMF checks the password, and I didn't know it checks in this many ways. SMF isn't only checking for pure SHA-1 or salted SHA-1. It's also checking for md5, the crypt function, md5(md5) and so on. It could get interesting to integrate this into Java.

Offline H

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 21,656
  • Gender: Male
Re: smf, password, java, special signs
« Reply #7 on: July 24, 2009, 03:33:44 PM »
SMF doesn't use md5/md5 salt/pure sha1/crypt. These are just intended to support people who have converted to SMF from another forum software. Anyone using these old hash methods will be prompted to update their password after they log in for the first time.
-H
                             

Offline Bacsu

  • Newbie
  • *
  • Posts: 6
Re: smf, password, java, special signs
« Reply #8 on: July 25, 2009, 04:42:48 AM »
This is kinda strange then.

Offline H

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 21,656
  • Gender: Male
Re: smf, password, java, special signs
« Reply #9 on: July 25, 2009, 09:15:07 AM »
So if the sha1 hash with username & password in 'pure PHP' is generating the same hash as SMF, that must mean something is different in Java. I did a search for sha1 php java and some topics did appear on differences between the two.
-H
                             

Offline Bacsu

  • Newbie
  • *
  • Posts: 6
Re: smf, password, java, special signs
« Reply #10 on: July 25, 2009, 09:38:21 AM »
Eh, my bad. SHA-1 in Java, pure PHP (without SMF) and coded by the SQL database is the same. Only the hash of SMF is different.

Offline H

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 21,656
  • Gender: Male
Re: smf, password, java, special signs
« Reply #11 on: July 25, 2009, 09:54:43 AM »
Are you definitely putting the username into lowercase in the same way as SMF?
Have you checked the values of username and password that SMF has before hashing them? Perhaps something in the password is being escaped, resulting in a different hash.
-H
                             

Offline 青山 素子

  • Server Team
  • SMF Super Hero
  • *
  • Posts: 16,538
  • 戦場ヶ原、蕩れ!
    • motokochan on GitHub
    • @motokochan on Twitter
    • Animeneko Network
Re: smf, password, java, special signs
« Reply #12 on: July 27, 2009, 01:36:49 AM »
Is this a 64-bit environment?
Motoko-chan
Director, Simple Machines

Just like... making of enemies / 負ける気しない やめるきない / You are cool but fool - Charisma.com 『HATE』

Note: I am not a member of the Simple Machines Forum project.


Offline wora_hr

  • Newbie
  • *
  • Posts: 2
Re: smf, password, java, special signs
« Reply #13 on: February 19, 2012, 08:36:44 AM »
This might be a somewhat old post, but I had the same problems with hash differences between Java and PHP some time ago. Here is the solution and explanation.

The thing is, for example, to use the same algorithm:

@PHP
hash_hmac('sha256', utf8_encode("somesecret"), utf8_encode( trim($another)),false);
... not so important, but it gets the point across: HMAC and SHA-256

And then in Java, note:

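import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Wrapper class and method added so the snippet compiles on its own
public class HmacCheck {
    static boolean matches(String confirmationKeyFromPHP) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        String key = "someKeyToEncode";
        String phrase = "secretPhraseSalt";
        // Encode as UTF-8 explicitly; getBytes() alone uses the platform default charset
        SecretKeySpec secret = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8),
                "HmacSHA256");
        mac.init(secret);
        byte[] shaDigest = mac.doFinal(phrase.getBytes(StandardCharsets.UTF_8));
        // Hex-encode the MAC in lowercase, the format PHP's hash_hmac() returns
        StringBuilder hash = new StringBuilder();
        for (byte b : shaDigest) {
            hash.append(String.format("%02x", b));
        }
        // you can compare that now.. as something like...
        if (hash.toString().equalsIgnoreCase(confirmationKeyFromPHP)) { return true; }
        return false;
    }
}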

And here is your hash, ready to compare. The logic is from one of my auth checks, since I communicate some approval by sending hashes from PHP to Java, and back. But to be able to compare these hashes generated in Java or PHP, they must use the same SHA alg. HMACSHA_xxx

I do not know too much about PHP, but I researched the difference in the default SHA alg. used. ;)

By the way: this verification thing is annoying. I already logged in.. Should I prove that I am a human on every post change??? Sorry, but this is not good UE.
« Last Edit: February 19, 2012, 08:39:56 AM by wora_hr »
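
For the question this thread started with, an added example (not code from SMF or from any poster): a Java diagnostic that recomputes sha1(strtolower($username) . $password) under the hypotheses raised in Reply #11 (lowercasing, escaping) plus the byte encoding, so the variant matching the stored hash can be identified. The class name, the htmlEscape helper and the test account are assumptions made for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

// Hypothetical diagnostic class; not SMF code.
public class SmfHashDiagnose {
    // SHA-1 over exactly these bytes, as lowercase hex (the format PHP's sha1() returns).
    static String sha1Hex(byte[] data) throws NoSuchAlgorithmException {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(data)) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Assumption: a minimal HTML-entity escape, modelling "something in the
    // password is being escaped" before hashing. Not taken from SMF's source.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;")
                .replace("<", "&lt;").replace(">", "&gt;");
    }

    // One candidate hash per hypothesis: charset (UTF-8 vs ISO-8859-1) x escaping.
    static Map<String, String> candidates(String user, String pw)
            throws NoSuchAlgorithmException {
        Map<String, String> out = new LinkedHashMap<>();
        // Locale.ROOT keeps lowercasing independent of the JVM's default locale.
        String lower = user.toLowerCase(Locale.ROOT);
        for (Charset cs : new Charset[] {StandardCharsets.UTF_8, StandardCharsets.ISO_8859_1}) {
            out.put(cs.name() + " raw", sha1Hex((lower + pw).getBytes(cs)));
            out.put(cs.name() + " escaped", sha1Hex((lower + htmlEscape(pw)).getBytes(cs)));
        }
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Pass the stored hash from the forum DB as the first argument.
        String stored = args.length > 0 ? args[0] : "";
        // Constructed test account; the Unicode escape (o-umlaut) avoids source-encoding issues.
        Map<String, String> c = candidates("TestUser", "p\"ss!|w\u00f6rd");
        c.forEach((label, hash) -> System.out.println(
                (hash.equalsIgnoreCase(stored) ? "MATCH " : "      ") + label + "  " + hash));
    }
}
```

For a password made only of ASCII characters, the UTF-8 and ISO-8859-1 candidates are identical, so a mismatch in that case points at escaping or lowercasing rather than the charset.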

Offline Aleksi "Lex" Kilpinen

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 15,430
  • Gender: Male
  • The Artist Formerly Known as LexArma
Re: smf, password, java, special signs
« Reply #14 on: March 06, 2012, 06:09:41 AM »
Marking this topic solved, as it is years old and the original discussion has died.
Finnish Support Local Moderator & Support Specialist
My Mods: Facebook and Twitter Sharer