smf, password, java, special signs

Started by Bacsu, July 16, 2009, 07:07:02 AM


Bacsu

Hello there,

I have another question about the encrypted passwords in the DB. I'm trying to let a Java browser game use the forum DB. This works fine as long as the user has no special signs like " !|" in his username or password. The SHA-1 hash generated by SMF is completely different from the one generated by Java or by a manual insert with phpMyAdmin into the DB. What is SMF doing with special signs when a hash is generated? Is there any way to fix it in Java?

N3RVE

Moving this to a more appropriate section.

-[n3rve]
Ralph "[n3rve]" Otowo
Former Marketing Co-ordinator, Simple Machines.
ralph [at] simplemachines [dot] org
"Somewhere, something incredible is waiting to be known." - Carl Sagan


H

Have you looked at the php code SMF uses for the password?

sha1(strtolower($username) . $password)

As you can see, I don't think anything special is done there unless the core PHP functions themselves are doing something. People have asked about Java here before, so a search may bring up a working Java 'hash checker'.
-H
Former Support Team Lead
I recommend:
Namecheap (domains)
Fastmail (e-mail)
Linode (VPS)

Bacsu

Yep. I did strtolower on the id + password. Users who have no numbers or special signs can log in. Users with special signs can't log in.

H

Did you have a look at just generating hashes in PHP (without SMF) with the function above? That should show you if it is something PHP is doing or if SMF is doing something with the password somewhere.

Bacsu

Yep. Did it. It's the same hash. Finally I found where SMF is checking the password, and I didn't know it's checking in this many ways. SMF isn't only checking for pure SHA-1 or salted SHA-1. It's also checking for MD5, the crypt function, md5(md5) and so on and so on. This could get interesting to integrate into Java.

H

SMF doesn't use md5/md5 salt/pure sha1/crypt. These are just intended to support people who have converted to SMF from another forum software. Anyone using these old hash methods will be prompted to update their password after they log in for the first time.

Bacsu


H

So if the sha1 hash with username & password in 'pure PHP' is generating the same hash as SMF, that must mean something is different in Java. I did a search for sha1 php java and some topics did appear on differences between the two.

Bacsu

Eh, my bad. SHA-1 in Java, pure PHP (without SMF) and computed by the SQL database is the same. Only the hash from SMF is different.

H

Are you definitely putting the username into lowercase in the same way as SMF?
Have you checked the values of username and password that SMF has before hashing them? Perhaps something in the password is being escaped, resulting in a different hash.

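The hash H describes, sha1(strtolower($username) . $password), together with the things H asks Bacsu to check (lowercasing, escaping, and which bytes actually go into the digest), as an added Java example. It is not code from this thread and not SMF's own code; the class name, the sample username and password, and the htmlSpecialChars helper are mine, and it assumes the forum stores its strings as UTF-8. One detail it makes visible: PHP's strtolower() in the C locale (and unconditionally since PHP 8.2) lowercases only ASCII A-Z, while Java's String.toLowerCase() also folds non-ASCII letters, so the two can disagree on exactly the usernames Bacsu has trouble with.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Locale;

/**
 * Reproduces SMF's  sha1(strtolower($username) . $password)  from Java and
 * prints how the usual mismatches (charset, lowercasing, HTML escaping)
 * change the digest. Example added to this thread, not SMF's own code.
 */
public class SmfHashCheck {

    /** PHP's strtolower() (C locale, and always since PHP 8.2) touches only A-Z. */
    static String phpStrToLower(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            sb.append(c >= 'A' && c <= 'Z' ? (char) (c + 32) : c);
        }
        return sb.toString();
    }

    /** PHP htmlspecialchars() with its classic ENT_COMPAT flags: & < > " escaped, ' left alone. */
    static String htmlSpecialChars(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    /** Lowercase hex, the same format PHP's sha1() returns. */
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** sha1(strtolower(username) . password) over the bytes of the given charset. */
    static String smfSha1(String username, String password, Charset cs) {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            sha1.update(phpStrToLower(username).getBytes(cs));
            sha1.update(password.getBytes(cs));
            return hex(sha1.digest());
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is mandatory in every JRE", e);
        }
    }

    /** Constant-time comparison against the hash read from the forum DB; use this in the login check. */
    static boolean matches(String computedHex, String storedHex) {
        return MessageDigest.isEqual(
                computedHex.getBytes(StandardCharsets.US_ASCII),
                storedHex.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample credentials: the characters from the thread plus one non-ASCII letter.
        String user = "Bacsu\"\u00dc";   // Bacsu"Ü
        String pass = "p !|w";

        System.out.println("utf-8, raw           : " + smfSha1(user, pass, StandardCharsets.UTF_8));
        System.out.println("latin-1, raw         : " + smfSha1(user, pass, StandardCharsets.ISO_8859_1));
        System.out.println("utf-8, user escaped  : " + smfSha1(htmlSpecialChars(user), pass, StandardCharsets.UTF_8));
        System.out.println("utf-8, pw escaped    : " + smfSha1(user, htmlSpecialChars(pass), StandardCharsets.UTF_8));
        // Java's toLowerCase() folds Ü to ü; PHP's strtolower() leaves the multi-byte character alone.
        System.out.println("Java toLowerCase()   : " + smfSha1(user.toLowerCase(Locale.ROOT), pass, StandardCharsets.UTF_8));

        // Stand-in for the value read from the DB, to show the comparison call.
        String storedFromDb = smfSha1(user, pass, StandardCharsets.UTF_8);
        System.out.println("login ok             : " + matches(smfSha1(user, pass, StandardCharsets.UTF_8), storedFromDb));
    }
}
```

Compile with javac SmfHashCheck.java and run java SmfHashCheck, then compare each printed line with the hash stored in the forum DB for a test account; the line that matches tells you which transformation the PHP side applied. The escaped variants only follow up H's suggestion that the input may be escaped before hashing; whether SMF does that is not established in this thread, so treat them as candidates to rule in or out rather than as a statement about SMF.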
青山 素子

Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


wora_hr

It might be a little old post, but I had the same problems with hash differences in Java and PHP some time ago. Here is the solution and explanation.

The thing is, for example, to use the same algorithm:

In PHP:

hash_hmac('sha256', utf8_encode("somesecret"), utf8_encode(trim($another)), false);

... not so important, but it gets you to the point: HMAC and SHA-256.



And then in Java, note:

import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// "HmacSHA256" is the standard JCA algorithm name (the lookup is case-insensitive)
Mac mac = Mac.getInstance("HmacSHA256");
String key = "someKeyToEncode";
String phrase = "secretPhraseSalt";
// Use an explicit charset so PHP and Java hash the same bytes; getBytes() alone uses the platform default
SecretKeySpec secret = new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
mac.init(secret);
byte[] shaDigest = mac.doFinal(phrase.getBytes(StandardCharsets.UTF_8));
// Render the digest as lowercase hex, the format PHP's hash_hmac() returns
String hash = "";
for (byte b : shaDigest) {
    hash += String.format("%02x", b);
}
// you can compare that now, as something like...

if (hash.equalsIgnoreCase(confirmationKeyFromPHP)) { return true; }

And here is your hash, ready to compare. The logic is from one of my auth checks, since I communicate some approvals by sending hashes from PHP to Java and back. But to be able to compare these hashes generated in Java or PHP, they must use the same SHA algorithm, HMACSHA_xxx.




I do not know too much PHP, but I researched the difference in the default SHA algorithm used. ;)


By the way: this verification thing is annoying. I already logged in. Should I prove that I am a human on every post change??? Sorry, but this is not good UE.
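The PHP-to-Java HMAC exchange wora_hr describes, as an added Java example that is neither wora_hr's code nor SMF's. It assumes the PHP side calls hash_hmac('sha256', $message, $sharedKey) and sends the lowercase hex string; the class name, key and message are constructed placeholders. Two points the snippet above leaves implicit: hash_hmac() takes (data, key) while the Java Mac takes the key in SecretKeySpec and the data in doFinal(), so swapping them silently yields a different tag; and a received tag should be compared with MessageDigest.isEqual() rather than equalsIgnoreCase(), which returns at the first differing character. The main method also checks the Java side against RFC 4231 test case 2, so it can be validated without a PHP installation.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Java side of a PHP <-> Java HMAC-SHA256 handshake. Example added to this
 * thread, not wora_hr's or SMF's code. Assumes the PHP side runs
 *   hash_hmac('sha256', $message, $sharedKey)   // data first, key second
 * and sends the lowercase hex result.
 */
public class PhpJavaHmac {

    /** Same digest PHP produces; note the argument order is (message, key) there and (key, message) here. */
    static String hmacSha256Hex(String sharedKey, String message) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");   // standard JCA name
        mac.init(new SecretKeySpec(sharedKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] tag = mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(tag.length * 2);
        for (byte b : tag) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Verify a tag received from PHP with a constant-time comparison instead of an early-exit string compare. */
    static boolean verify(String sharedKey, String message, String receivedHex) throws GeneralSecurityException {
        byte[] expected = hmacSha256Hex(sharedKey, message).getBytes(StandardCharsets.US_ASCII);
        byte[] received = receivedHex.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, received);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // RFC 4231 test case 2 lets the Java side be checked without PHP.
        String rfcExpected = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843";
        System.out.println("RFC 4231 vector matches: "
                + hmacSha256Hex("Jefe", "what do ya want for nothing?").equals(rfcExpected));

        // Constructed approval message; the key is a placeholder assumed to be shared out of band.
        String key = "shared-secret-placeholder";
        String msg = "approve:user=42";
        System.out.println("tag from PHP verifies:      " + verify(key, msg, hmacSha256Hex(key, msg)));
        // What hash_hmac('sha256', $sharedKey, $message) on the PHP side would send: key and data swapped.
        System.out.println("swapped-argument tag fails: " + !verify(key, msg, hmacSha256Hex(msg, key)));
    }
}
```

Compile with javac PhpJavaHmac.java and run java PhpJavaHmac. If the RFC vector line is false, the Java side itself is wrong (charset or algorithm name); if it is true but tags from PHP still fail, look at the PHP side's argument order, its utf8_encode()/trim() handling, and whether it sends hex or raw binary (the fourth hash_hmac() argument).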

Aleksi "Lex" Kilpinen

Marking this topic solved, as it is years old and the original discussion has died.
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas
