Password hashing and/or encryption egroupware 1.8.004

deeztek 2013-03-08 18:41:13 UTC #1

Can someone explain to me how the password hashing and/or encryption is working in particular sha512_crypt in egroupware? If they are hashed, is there a salt value and if so, where’s the salt value stored. If they are encrypted, what’s the encryption algorithm?

Thanks

Ralf_Becker_Stylite 2013-03-09 08:01:27 UTC #2

Can someone explain to me how the password hashing and/or encryption is
working in particular sha512_crypt in egroupware? If they are hashed, is
there a salt value and if so, where’s the salt value stored. If they are
encrypted, what’s the encryption algorithm?

http://www.php.net/manual/en/function.crypt.php

search for CRYPT_SHA512

Salt is part of the hash, see above link.

Ralf

Ralf Becker
Director Software Development

Stylite AG

Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30

Email: rb@stylite.de

www.stylite.de | www.egroupware.org

Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer

VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany

Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
Wave™: Endpoint Security, Q1 2013 and “remains a good choice” in the
endpoint security space. For insight on selecting the right partner to
tackle endpoint security challenges, access the full report.
http://p.sf.net/sfu/symantec-dev2dev

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

deeztek 2013-03-09 13:02:49 UTC #3

So, is the salt provided to the crypt function? I’m assuming it’s provided since hashing is one way only so, where is the salt value stored?

Ralf_Becker_Stylite 2013-03-11 07:59:14 UTC #4

So, is the salt provided to the crypt function? I’m assuming it’s provided
since hashing is one way only so, where is the salt value stored?

For crypt salt is stored as part of the hash, eg. for crypt_sha512:

$6$[rounds=N$]$

php > var_dump(crypt(‘secret’,’$6$hash567890123456’));
string(106)
"$6$hash567890123456$/aW3kkMsleqgW9tcbAGmPniq4SwwxITBr/KgfUtwMUb7ogEY4YzCWHtDIvUwS4qYkYbepuL7Fa2NInTVZPpc/."

Code is here starting around line 432:

http://svn.stylite.de/viewvc/egroupware/trunk/phpgwapi/inc/class.auth.inc.php?revision=41791&view=markup

Ralf

Ralf Becker
Director Software Development

Stylite AG

Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30

Email: rb@stylite.de

www.stylite.de | www.egroupware.org

Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer

VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

deeztek 2013-03-11 10:49:17 UTC #5

So for this example password:

{crypt}$6$8W2nXYP2YhgxuSDk$aYEhNk04T5fNxzNPOS3FPoJ46tkhj9QNDAqtyuotu.LCi15K0Jqjk.t2M5kOnPckkO7q27P.g3VhsFWxOdGZD0

the salt value is:

8W2nXYP2YhgxuSDk

And the actual SHA512 hashed password that was produced with the above salt is:

aYEhNk04T5fNxzNPOS3FPoJ46tkhj9QNDAqtyuotu.LCi15K0Jqjk.t2M5kOnPckkO7q27P.g3VhsFWxOdGZD0

Is that correct?

Are you also using the default 5000 rounds?

I’m also assuming the {crypt} part at the beginning is also required? I’m not a PHP programmer. I’m trying to replicate the functionality using CFML, so I’m just trying to figure out how it works. I really appreciate this.

Thank you so much

Ralf_Becker_Stylite 2013-03-11 11:44:54 UTC #6

So for this example password:

{crypt}$6$8W2nXYP2YhgxuSDk$aYEhNk04T5fNxzNPOS3FPoJ46tkhj9QNDAqtyuotu.LCi15K0Jqjk.t2M5kOnPckkO7q27P.g3VhsFWxOdGZD0

the salt value is:

8W2nXYP2YhgxuSDk

And the actual SHA512 hashed password that was produced with the above salt
is:

aYEhNk04T5fNxzNPOS3FPoJ46tkhj9QNDAqtyuotu.LCi15K0Jqjk.t2M5kOnPckkO7q27P.g3VhsFWxOdGZD0

Is that correct?

Yes

Are you also using the default 5000 rounds?

Yes, thought EGroupware would understand a hash like
"$6$rounds=10000$$ hash.

I’m also assuming the {crypt} part at the beginning is also required?

That’s an LDAP convention we are using in our database too, to be able
to support different hashing methods.

I’m not a PHP programmer. I’m trying to replicate the functionality using CFML,
so I’m just trying to figure out how it works. I really appreciate this.

I thought that’s an already dead technology

Ralf

Ralf Becker
Director Software Development

Stylite AG

Morschheimer Strasse 15 | Tel. +49 6352 70629 0
D-67292 Kirchheimbolanden | Fax. +49 6352 70629 30

Email: rb@stylite.de

www.stylite.de | www.egroupware.org

Managing Directors: Andre Keller | Ralf Becker | Gudrun Mueller
Chairman of the supervisory board: Prof. Dr. Birger Leon Kropshofer

VAT DE214280951 | Registered HRB 31158 Kaiserslautern Germany

eGroupWare-users mailing list
eGroupWare-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-users

deeztek 2013-03-11 12:56:14 UTC #7

Awesome. Thanks for the help. I think I have what I need to get this going.

Also, CFML is absolutely not dead. Adobe just released version 10 of coldfusion. In addition to coldfusion, there are two very powerful free open source CFML engines out there (railo and openbd) that run on top of tomcat and apache that are being constantly developed and new features added. Railo is also a jboss project. There are plans to have a CFML stack similar to the LAMP stack available for distros. Just looking at the PHP code for the password function in your application, that whole functionality can be accomplished in 5 lines of code using CFML and that would additionally include encrypting the salt value and storing in the database encrypted.

Cheers