[SOLVED] How to decode MD5 encoding?
Moderator: General Moderators
[SOLVED] How to decode MD5 encoding?
If a client sends a user name and password encoded with MD5 Digest, how do i decode it in PHP?
base64 has an encoder and decoder, i found the MD5 encoder but i don't see the decoder.
If there is no decoder, how do i gain access to the information that is sent to me?
Regards
Mian
base64 has an encoder and decoder, i found the MD5 encoder but i don't see the decoder.
If there is no decoder, how do i gain access to the information that is sent to me?
Regards
Mian
Last edited by myleow on Sat Aug 07, 2004 6:35 pm, edited 1 time in total.
You can also use dictionary attackers, some of which are available online:
http://www.securitystats.com/tools/hashcrack.php
http://www.securitystats.com/tools/hashcrack.php
- evilmonkey
- Forum Regular
- Posts: 823
- Joined: Sun Oct 06, 2002 1:24 pm
- Location: Toronto, Canada
http://membres.lycos.fr/mdcrack/ You use it for evil, and I will get you...
Seriously though, hacking is not cool.
Seriously though, hacking is not cool.
its not for Hacking
SyncML credential authentication can come in two types of encryption.
Base64 and MD5
If the data is encrypted in Base64, base64_decode() works just fine.
What happen when i get an authentication request that the data is MD5 encryted. If i can't decypher it, how am i going to authenticate the access to the server?
If you can't tell, i am still on the project of building my own SyncML server.
Regards
Mian
Base64 and MD5
If the data is encrypted in Base64, base64_decode() works just fine.
What happen when i get an authentication request that the data is MD5 encryted. If i can't decypher it, how am i going to authenticate the access to the server?
If you can't tell, i am still on the project of building my own SyncML server.
Regards
Mian
- evilmonkey
- Forum Regular
- Posts: 823
- Joined: Sun Oct 06, 2002 1:24 pm
- Location: Toronto, Canada
The easiest way is to convert the user submitted string to md5().
Code: Select all
<?php
$pass=md5($_POST['pass']);
if ($pass == $db_pass) {
//authenticate
}
else {
//fail
}
?>No clear text transpired
Well the client doesn't key in the password from a website. The SyncML package is sent to the server from the Client's device.
The credential portion will look like this
Encryption is done on the client device and has no clear text transaction with the server, all authentication is encrypted in either Base64 or MD5 before reaching the server.
So my question again is how to decrypt the MD5 encoded username and password being sent by the client. Encrypting every username and password in the Database for comparison is out of the question for obvious reasons.
The credential portion will look like this
Code: Select all
<Cred>
<Meta>
<Type>auth:MD5</Type>
</Meta>
<Data>YUioff7893hjfdnzu0hkjfsa9893333</Data>
<!-- Data is in the format USERNAME:PASSWORD -->
</Cred>So my question again is how to decrypt the MD5 encoded username and password being sent by the client. Encrypting every username and password in the Database for comparison is out of the question for obvious reasons.
Re: No clear text transpired
And once again, the answer remains: MD5 is a one-way hashing method.myleow wrote: So my question again is how to decrypt the MD5 encoded username and password being sent by the client.
Could you mention those obvious reasons then? Personally i think it's insane to store passwords cleartext in a database. Btw, you could have them cleartext in the database, and then MD5 on them, and compare with the recieved MD5 from the client.myleow wrote: Encrypting every username and password in the Database for comparison is out of the question for obvious reasons.
Well since username and password are both encrypted in MD5 from the Client. If you want to "find" the user's account in the database from the MD5 hash, then you would have to go through everyone's username and password hash to find it.
Its ok if you have 10 accounts in the DB, i think its ok if you have 10,000 accounts. What if you have to go through count(accounts)>millions? That would definitely slow things down and put a huge processing load on both the processor and the DB. Well that's the obvious reason for not comparing it to every account information in the Database.
Well i agree that encrypting the password before storing is fine since you would still be able to bring up the password through selecting the username. Problem here is both username and password are encrypted, so what are you selecting to get the password?
I think i will ignore the MD5 capability of SyncML until i find out how to make it work. Whenever i receive a MD5 encrypted <Cred>, i will just fail to authenticate and challenge the device to send a Base64 encrypted <Cred>.
Regards
Mian
Its ok if you have 10 accounts in the DB, i think its ok if you have 10,000 accounts. What if you have to go through count(accounts)>millions? That would definitely slow things down and put a huge processing load on both the processor and the DB. Well that's the obvious reason for not comparing it to every account information in the Database.
Well i agree that encrypting the password before storing is fine since you would still be able to bring up the password through selecting the username. Problem here is both username and password are encrypted, so what are you selecting to get the password?
I think i will ignore the MD5 capability of SyncML until i find out how to make it work. Whenever i receive a MD5 encrypted <Cred>, i will just fail to authenticate and challenge the device to send a Base64 encrypted <Cred>.
Regards
Mian
How am i going to know which account to retrieve from the Database?
The only form of client authentication for a SyncML package is the encrypted username:password.
I have no idea in knowing who it is.... hmm.... maybe there is a way using IMEI. but there might be a problem since if you Sync using a computer then there are no IMEI number associated with the computer. IMEI is only available to Mobile Phones. And you have to deal with conflict resolution when a user sells the phone and the new owner register as well. Then how to know if the old user quit or the new user is hacking?
haha!
Regards
Mian
The problem is like saying.
I registered with your server, my username =myleow and my password =phpnewbie which is stored into your server database (However you like it).
Then i want to log into the server, but the only authentication i send to you is username:password hash, which is say HJKh8979hfd. This data is sent to your server via POST from my Device and not through a browser accessing your index.php. So you are dealing with $HTTP_RAW_POST_DATA.
Question. How do you know which is my account to allow me access? I think this clears up the dilemma.
The only form of client authentication for a SyncML package is the encrypted username:password.
I have no idea in knowing who it is.... hmm.... maybe there is a way using IMEI. but there might be a problem since if you Sync using a computer then there are no IMEI number associated with the computer. IMEI is only available to Mobile Phones. And you have to deal with conflict resolution when a user sells the phone and the new owner register as well. Then how to know if the old user quit or the new user is hacking?
haha!
Regards
Mian
The problem is like saying.
I registered with your server, my username =myleow and my password =phpnewbie which is stored into your server database (However you like it).
Then i want to log into the server, but the only authentication i send to you is username:password hash, which is say HJKh8979hfd. This data is sent to your server via POST from my Device and not through a browser accessing your index.php. So you are dealing with $HTTP_RAW_POST_DATA.
Question. How do you know which is my account to allow me access? I think this clears up the dilemma.
mcrypt
You might also try using mcrypt fuctions where you can specify a key and decrypt them with the same key.
string mcrypt_encrypt ( string cipher, string key, string data, string mode [, string iv])
string mcrypt_decrypt ( string cipher, string key, string data, string mode [, string iv])
But you have to enable the php_mcrypt.dll extension.
This is strange. I haveve extension_dir = "c:\PHP\extensions\" and
extension=php_exif.dll and extension=php_gd2.dll are enabled and working perfectly but when I uncommented ;extension=php_mcrypt.dll and restarted IIS it showed unable to load module(). For the prev two extensions I didn't copy to system32 folder or whatever. Just uncomment it and it works - so I thought. Need to figure out why mcrypt dll is not loading.
string mcrypt_encrypt ( string cipher, string key, string data, string mode [, string iv])
string mcrypt_decrypt ( string cipher, string key, string data, string mode [, string iv])
But you have to enable the php_mcrypt.dll extension.
This is strange. I haveve extension_dir = "c:\PHP\extensions\" and
extension=php_exif.dll and extension=php_gd2.dll are enabled and working perfectly but when I uncommented ;extension=php_mcrypt.dll and restarted IIS it showed unable to load module(). For the prev two extensions I didn't copy to system32 folder or whatever. Just uncomment it and it works - so I thought. Need to figure out why mcrypt dll is not loading.