How password is encrypted?

Started by thewiper, January 05, 2005, 02:50:58 PM


thewiper

Hello to everyone!

I'm upgrading my personal web site, written in ASP, with an easy registration module, and I would like to automatically register users in SMF when users get registered in my portal.

Observing the MySQL structures of SMF, I've found the table prefix_members where the username and password are located. How can I encode the password from the plain version (example: 'dog') to the encrypted version?

Thanks...

PS: I'm not using a common CMS or similar, so I have to ask you directly!  ;D
The link to my portal is this: http://www.thewiper.com/cellula

Thantos

Download http://www.simplemachines.org/download.php/smf_api.php and include it in your php file.  Then call smf_md5_hmac with the first parameter being the password and the second parameter being the username.

thewiper

Thanks Mike. I've already seen the PHP API. The problem is that I'm developing my own CMS written in ASP, so PHP, for me, is useless... I'm trying to get the procedure to compute the MD5 signature, but each script I try returns different values...

Bye ;D

edit:
For example, the word 'dog' comes out coded as:

smf
e3132146aa50c136c2dd1ff1bbb949fa

Other script's example: http://www.cs.eku.edu/faculty/styer/460/Encrypt/JS-MD5.html
06d80eb0c50b49a509b49f2424e8c805

[Unknown]


thewiper

Last thing (thanks for your help!)

Is the PHP MD5 hashing "standard"? There's no problem getting a script that computes the signature of a word in ASP (I've already found something!), but it seems that the signatures are far different! Look at the example of dog in my previous post...

Edit:
Quote:
$md5_passwrd = md5_hmac($_REQUEST['passwrd'], strtolower($user_settings['memberName']));

Quote:
function md5_hmac($data, $key)
{
	$key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00));
	return md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $data)));
}

... interesting! I really don't understand a word of PHP  >:( but I can figure out that the hash is computed by combining username and password... but how? Let me investigate  ;D

OK: I got it. This is not an elegant solution, but it will help me. I call a simple PHP script that contains the necessary code to "do the job".  For example, from register.asp I call a script called register_forum.php?Username=john&password=doe, which has the previous script cut and pasted inside  :D, then everything goes into the MySQL database, both username and password hashed!

[Unknown]

MD5 HMAC is keyed (salted) MD5.  Using plain MD5 will not work.

-[Unknown]
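
As an added example (not part of the original thread and not SMF's own code): a Python port of the md5_hmac function quoted above, checked against the standard library's HMAC-MD5. It shows the function is the standard HMAC construction, so any platform's HMAC-MD5 routine yields the stored value when keyed with the lower-cased member name. The function names are hypothetical, and ASCII member names with UTF-8 encoded input are assumed.

```python
import hashlib
import hmac

BLOCK = 64  # MD5 block size in bytes: the 64 used in the PHP function


def smf_md5_hmac(data: bytes, key: bytes) -> str:
    """Step-by-step port of the md5_hmac($data, $key) quoted in the thread."""
    # A key longer than one block is replaced by its raw MD5 digest,
    # then the key is zero-padded to exactly one block.
    if len(key) > BLOCK:
        key = hashlib.md5(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + data).digest()  # pack('H*', md5(...)) in PHP
    return hashlib.md5(opad + inner).hexdigest()


def library_md5_hmac(data: bytes, key: bytes) -> str:
    """The same value from a stock HMAC-MD5 implementation."""
    return hmac.new(key, data, hashlib.md5).hexdigest()


def smf_passwd(member_name: str, password: str) -> str:
    """Per the quoted login line: data = password, key = strtolower(memberName)."""
    key = member_name.lower().encode("utf-8")  # assumption: ASCII member names
    return smf_md5_hmac(password.encode("utf-8"), key)


def plain_md5(password: str) -> str:
    """Unkeyed MD5, which is what a generic MD5 script computes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    print("keyed  :", smf_passwd("John", "dog"))
    print("unkeyed:", plain_md5("dog"))
```
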

ebsq

I'm trying to do very much the same thing - integrate SMF into an existing ASP application.

I'd like to disable registration and some of the profile (change password) fields in SMF... not to mention automatically log a user in.

The hassle of multiple logins is obvious.

My first thought was to try to write an ASP version of the smf_api.php file...  but I have the same problem with php as I did with perl - for as simple as it is said to be - it is very much a foreign language to me.  (and if I can take two seconds to defend vb/asp - I seriously think it gets a bad rep because it is so damn simple to read and program - so simple that a lot of idiots are out there writing ugly code with it.  Really, vb reads like pseudo code...)

So... is it realistic to think an ASP version of the smf api could be written (not by Simple Machines - i.e. by me, assuming I am a semi-capable programmer)?

thewiper - can you let me know if your solution worked out?

thanks

bill

[Unknown]

Quote from: ebsq on January 08, 2005, 08:21:59 AM
(and if I can take two seconds to defend vb/asp - I seriously think it gets a bad rep because it is so damn simple to read and program - so simple that a lot of idiots are out there writing ugly code with it.  Really, vb reads like pseudo code...)

Nope, sorry, I started with QuickBASIC.  Visual Basic gets a bad rap because it is ugly.  And I program in ASP.NET nearly every day (for pay) and I still don't consider it a wondrous language.

I can give you an ASP.NET/C# version of most of the things in that file, given a bit of time, but you're using ASP.  I posted a link to something that uses roughly the same hashing (MD5 HMAC), so all you have to do is get the Connector/ODBC from MySQL's website (note, of course, that the extra layer of ODBC will make it slower.)

-[Unknown]

ebsq

I haven't thought this through well enough, but wouldn't the api be more useful if it acted as a web service of sorts?  I guess the smf_api.php file could stay intact - and a web services module be written around it (in php).

I'm probably missing the point somewhere - but it doesn't jump out at me that this couldn't be done with a little effort.

bill

OvermindDL1

Quote from: [Unknown] on January 08, 2005, 03:31:48 PM
Quote from: ebsq on January 08, 2005, 08:21:59 AM
(and if I can take two seconds to defend vb/asp - I seriously think it gets a bad rep because it is so damn simple to read and program - so simple that a lot of idiots are out there writing ugly code with it.  Really, vb reads like pseudo code...)

Nope, sorry, I started with QuickBASIC.  Visual Basic gets a bad rap because it is ugly.  And I program in ASP.NET nearly every day (for pay) and I still don't consider it a wondrous language.

I can give you an ASP.NET/C# version of most of the things in that file, given a bit of time, but you're using ASP.  I posted a link to something that uses roughly the same hashing (MD5 HMAC), so all you have to do is get the Connector/ODBC from MySQL's website (note, of course, that the extra layer of ODBC will make it slower.)

-[Unknown]
Slightly OT: same here, started with BASICA (just before QBasic), and I have well mastered QBasic, know VB well, and had to program in ASP.NET for work.  Truly hate them, the code just looks so formless and (for lack of a better term) ugly.   I've been with C++ and PHP for many years and will remain so for quite some time to come.  Java I'd use on the web only, I still say it sucks to make real apps out of, it was not designed for that, it's not as portable as they want it to be.

thewiper

ebsq, the solution is working fine... But I cannot call it a "solution" because, since my portal was written in ASP, this is a "dirty patch".

Believe me, this is the first time I've used PHP. I come from C64 BASIC, QBasic, ASIC, VBasic and ASP, and I've noticed that PHP seems more elegant than these other languages. ASP is so slow and very complex to use with a DB; with PHP, just two commands and you're interacting with MySQL (native mode!!!), no ODBC, no setup, no drivers, nothing! (and no request.querystring!)

However, I'll explain the "dirty patch" I've used; maybe it could be interesting to other users.

From an ASP script that accepts username and password I simply redirect to another PHP script with response.redirect?username=var&password=var&email=var

The script is this:


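<?php
// Read the parameters passed on the query string by the ASP redirect
// (without this the script depends on register_globals being enabled).
$username = isset($_GET['username']) ? $_GET['username'] : '';
$password = isset($_GET['password']) ? $_GET['password'] : '';
$email = isset($_GET['email']) ? $_GET['email'] : '';

// Strip single quotes before the values are placed in the SQL string.
$username = str_replace("'", "", $username);
$password = str_replace("'", "", $password);
$email = str_replace("'", "", $email);

/*
Other security check here...
Like referer check
*/

// SMF keys the HMAC with the lower-cased member name (see the login line quoted earlier).
$passwd = md5_hmac($password, strtolower($username));

$server = "xx.xxx.xxx.xx"; // server to connect to.
$database = "xxxx"; // the name of the database.
$db_user = "xxxx"; // mysql username to access the database with.
$db_pass = "xxx"; // mysql password to access the database with.
$table = "smf_members";

// Connect with the legacy mysql_* extension (PHP 4/5).
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Non è stato possibile connettersi al database del forum per il seguente errore: ".mysql_error());

mysql_select_db($database)
or die ("Non è stato possibile selezionare il database a causa del seguente errore ".mysql_error());

// Create the forum member row with the hashed password.
$insert = mysql_query("insert into $table (memberName, passwd, emailAddress) VALUES ('$username', '$passwd', '$email')", $link)
or die("Non ho potuto inserire i dati a causa dell'errore. ".mysql_error());

echo("Tutto ok!");

// MD5 HMAC as used by SMF: $data is the password, $key the member name.
function md5_hmac($data, $key)
{
	$key = str_pad(strlen($key) <= 64 ? $key : pack('H*', md5($key)), 64, chr(0x00));
	return md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $data)));
}

?>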


Works... but... I don't know if this could be seen as an elegant solution. Unknown is right, but is ASP.NET supported by your host?

Peter Duggan

Quote from: OvermindDL1 on January 09, 2005, 03:16:34 AM
Java I'd use on the web only, I still say it sucks to make real apps out of, it was not designed for that, it's not as portable as they want it to be.

Do you *mean* Java, or possibly JavaScript? ???

[Unknown]

/*
Other security check here...
Like referer check
*/

Referers can be forged easily; I warn you that it's quite possible someone could use such a script to register hundreds of members at a time on your server.

-[Unknown]
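
As an added example (not from the thread, and not the solution thewiper refers to below): one way for the receiving script to accept only requests built by the portal is to have the portal sign the parameters and a timestamp with a secret both scripts share, instead of trusting the Referer header. The secret value, the `ts` and `sig` field names and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

SHARED_SECRET = b"constructed-demo-secret"  # placeholder, known to both scripts only
MAX_AGE = 60  # seconds a signed request stays valid


def _mac(fields: dict) -> str:
    # Sign a canonical (sorted) encoding so both sides hash identical bytes.
    msg = urlencode(sorted(fields.items())).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def sign_request(username: str, password: str, email: str, now=None) -> str:
    """Caller side (the portal): build the query string with ts and sig."""
    ts = int(time.time() if now is None else now)
    fields = {"username": username, "password": password,
              "email": email, "ts": str(ts)}
    fields["sig"] = _mac(fields)
    return urlencode(fields)


def verify_request(query: str, now=None):
    """Receiver side: return the fields if authentic and fresh, else None."""
    fields = dict(parse_qsl(query, keep_blank_values=True))
    sig = fields.pop("sig", "")
    # Constant-time comparison of the supplied and recomputed signatures.
    if not hmac.compare_digest(sig.encode(), _mac(fields).encode()):
        return None
    try:
        age = (time.time() if now is None else now) - int(fields["ts"])
    except (KeyError, ValueError):
        return None
    return fields if 0 <= age <= MAX_AGE else None


if __name__ == "__main__":
    q = sign_request("john", "doe", "john@example.com")  # constructed sample
    print(verify_request(q) is not None)                      # signed by the portal
    print(verify_request("username=x&password=y&email=z"))    # unsigned: rejected
```
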

thewiper

Thanks for the info...
I have just considered this opportunity and I think I have the solution. Let me code and I'll post.
Thanks again
