Md5 And Salts
Source: Internet. Editor: 程序博客网. Time: 2024/05/17 03:10
Reposted from http://www.governmentsecurity.org/forum/index.php?showtopic=15193
joewhite
I can't understand hashes and salts. I made a password of 'a' on my Invision Forum and then I looked up the hash and the salt for it in my database. I typed in the salt and then 'a' beside it through Cain and Abel and got it to convert it to an MD5. I thought this hash would turn out the same as the one recorded in the forum. This is because I thought the salt gets appended to the password and then it is hashed. By appending a known salt to a known password I thought the hash would turn out the same. When I did this, though, the hash turned out different from the one recorded in the Invision Forum. Please explain.
nuorder
I posted this a while ago elsewhere and it seems to relate to your question.
The following IPB function generates a random 5 character salt when that user registers their account for the first time. Note that random time is used.
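CODE
function generate_password_salt($len=5)
{
    $salt = '';
    // Seed the PRNG from the current microtime() value
    srand( (double)microtime() * 1000000 );
    for ( $i = 0; $i < $len; $i++ )
    {
        // Pick a printable ASCII character code (33 to 126)
        $num = rand(33, 126);
        // 92 is the backslash; replace it with 93 (']')
        if ( $num == '92' )
            $num = 93;
        $salt .= chr( $num );
    }
    return $salt;
}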
Now let's say that our randomly generated salt is '12345' (OK, I'm being boring)
and that our password we use to log in is 'qwerty'.
Take a look at the ibf_members_converge table; it contains two important values:
converge_pass_salt: contains the value '12345'
converge_pass_hash: contains md5( md5('12345').md5('qwerty') )
So this is what happens during authentication:
CODE
if ( $this->member['converge_pass_hash'] == $this->generate_compiled_passhash( $this->member['converge_pass_salt'], $md5_once_password ) )
    return TRUE; //all good :)
$this->member[] is just a private array of the class_converge which contains some of these values I mentioned.
Take a look at class_converge.php; it is where most of the action is at.
To bruteforce the hashes you need the ibf_members_converge table.
1 pass of a generalised brute forcer may look like this:
if ( md5(salthash.md5(currvalue)) == myhash)
salthash is the md5 hash of our salt, currvalue is the current bruteforce string (e.g. a, ab, abc, etc.), myhash is the hash you want to crack.
Basically double the effort is required to break this and rainbow tables can't be used.
As far as I can tell, member_login_key, which is in the ibf_members table, is only to do with autologin? But I may be wrong.
Please correct me if I'm wrong in any of this, but you get the gist of it.
This is a smart move by forum developers to use a salt in order to protect their precious users, so put your thinking hats on.
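Added example, not part of the original thread and not IPB's own code: a Python sketch of the layout described in the post above, showing why md5(salt + password) typed into a tool does not reproduce the stored value while md5( md5(salt).md5(password) ) does. The function names, the LAYOUTS table and the sample row are assumptions built from the post's '12345' / 'qwerty' example.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    # PHP's md5() returns 32 lowercase hex characters; hexdigest() matches that.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compiled_passhash(salt: str, md5_once_password: str) -> str:
    # Layout from the post: md5( md5(salt) . md5(password) ).
    # The two inner digests are joined as hex text, not as raw bytes.
    return md5_hex(md5_hex(salt) + md5_once_password)


# Layouts someone might try when reproducing a stored hash by hand.
# The keys are labels invented for this example.
LAYOUTS = {
    "md5(salt.password)": lambda s, p: md5_hex(s + p),
    "md5(password.salt)": lambda s, p: md5_hex(p + s),
    "md5(md5(salt).md5(password))": lambda s, p: compiled_passhash(s, md5_hex(p)),
}


def matching_layouts(salt: str, password: str, stored_hash: str) -> list:
    """For a known salt and password, list the layouts that give stored_hash."""
    target = stored_hash.strip().lower()
    return [name for name, build in LAYOUTS.items()
            if hmac.compare_digest(build(salt, password), target)]


def authenticate(stored_salt: str, stored_hash: str, password: str) -> bool:
    # Same comparison as the post's authentication check, done in constant time.
    candidate = compiled_passhash(stored_salt, md5_hex(password))
    return hmac.compare_digest(candidate, stored_hash)


# Constructed sample row using the post's example salt and password.
SAMPLE_ROW = {
    "converge_pass_salt": "12345",
    "converge_pass_hash": compiled_passhash("12345", md5_hex("qwerty")),
}

if __name__ == "__main__":
    salt, stored = SAMPLE_ROW["converge_pass_salt"], SAMPLE_ROW["converge_pass_hash"]
    print("plain md5(salt.password):", md5_hex(salt + "qwerty"))
    print("stored converge_pass_hash:", stored)
    print("layouts that match:", matching_layouts(salt, "qwerty", stored))
    print("login ok:", authenticate(salt, stored, "qwerty"))
```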