Page 1 of 2
[SOLVED] How to decode MD5 encoding?
Posted: Sat Aug 07, 2004 3:31 pm
by myleow
If a client sends a user name and password encoded with MD5 Digest, how do i decode it in PHP?
base64 has an encoder and decoder, i found the MD5 encoder but i don't see the decoder.
If there is no decoder, how do i gain access to the information that is sent to me?
Regards
Mian
Posted: Sat Aug 07, 2004 3:36 pm
by feyd
there is no decoder.. it's a one way hashing algorithm...
"decrypting" is done through brute force breaking of the data.. not a fun or fast operation.
Posted: Sat Aug 07, 2004 3:58 pm
by Joe
You can also use dictionary attackers, some of which are available online:
http://www.securitystats.com/tools/hashcrack.php
Posted: Sat Aug 07, 2004 4:24 pm
by evilmonkey
http://membres.lycos.fr/mdcrack/ You use it for evil, and I will get you...
Seriously though, hacking is not cool.
its not for Hacking
Posted: Sat Aug 07, 2004 4:46 pm
by myleow
SyncML credential authentication can come in two types of encryption.
Base64 and MD5
If the data is encrypted in Base64, base64_decode() works just fine.
What happen when i get an authentication request that the data is MD5 encryted. If i can't decypher it, how am i going to authenticate the access to the server?
If you can't tell, i am still on the project of building my own SyncML server.
Regards
Mian
Posted: Sat Aug 07, 2004 4:52 pm
by evilmonkey
The easiest way is to convert the user submitted string to md5().
Code: Select all
<?php
$pass=md5($_POST['pass']);
if ($pass == $db_pass) {
//authenticate
}
else {
//fail
}
?>
No clear text transpired
Posted: Sat Aug 07, 2004 5:21 pm
by myleow
Well the client doesn't key in the password from a website. The SyncML package is sent to the server from the Client's device.
The credential portion will look like this
Code: Select all
<Cred>
<Meta>
<Type>auth:MD5</Type>
</Meta>
<Data>YUioff7893hjfdnzu0hkjfsa9893333</Data>
<!-- Data is in the format USERNAME:PASSWORD -->
</Cred>
Encryption is done on the client device and has no clear text transaction with the server, all authentication is encrypted in either Base64 or MD5 before reaching the server.
So my question again is how to decrypt the MD5 encoded username and password being sent by the client. Encrypting every username and password in the Database for comparison is out of the question for obvious reasons.
Re: No clear text transpired
Posted: Sat Aug 07, 2004 5:27 pm
by timvw
myleow wrote:
So my question again is how to decrypt the MD5 encoded username and password being sent by the client.
And once again, the answer remains: MD5 is a one-way hashing method.
myleow wrote:
Encrypting every username and password in the Database for comparison is out of the question for obvious reasons.
Could you mention those obvious reasons then? Personally i think it's insane to store passwords cleartext in a database. Btw, you could have them cleartext in the database, and then MD5 on them, and compare with the recieved MD5 from the client.
Posted: Sat Aug 07, 2004 5:39 pm
by myleow
Well since username and password are both encrypted in MD5 from the Client. If you want to "find" the user's account in the database from the MD5 hash, then you would have to go through everyone's username and password hash to find it.
Its ok if you have 10 accounts in the DB, i think its ok if you have 10,000 accounts. What if you have to go through count(accounts)>millions? That would definitely slow things down and put a huge processing load on both the processor and the DB. Well that's the obvious reason for not comparing it to every account information in the Database.
Well i agree that encrypting the password before storing is fine since you would still be able to bring up the password through selecting the username. Problem here is both username and password are encrypted, so what are you selecting to get the password?
I think i will ignore the MD5 capability of SyncML until i find out how to make it work. Whenever i receive a MD5 encrypted <Cred>, i will just fail to authenticate and challenge the device to send a Base64 encrypted <Cred>.
Regards
Mian
Posted: Sat Aug 07, 2004 5:43 pm
by feyd
well... something you could do is store their password as the hashed username/password string that'd get sent. Which you can do during registration.. and it's very easy to do with base64'd data..
Posted: Sat Aug 07, 2004 5:56 pm
by myleow
How am i going to know which account to retrieve from the Database?
The only form of client authentication for a SyncML package is the encrypted username:password.
I have no idea in knowing who it is.... hmm.... maybe there is a way using IMEI. but there might be a problem since if you Sync using a computer then there are no IMEI number associated with the computer. IMEI is only available to Mobile Phones. And you have to deal with conflict resolution when a user sells the phone and the new owner register as well. Then how to know if the old user quit or the new user is hacking?
haha!
Regards
Mian
The problem is like saying.
I registered with your server, my username =myleow and my password =phpnewbie which is stored into your server database (However you like it).
Then i want to log into the server, but the only authentication i send to you is username:password hash, which is say HJKh8979hfd. This data is sent to your server via POST from my Device and not through a browser accessing your index.php. So you are dealing with $HTTP_RAW_POST_DATA.
Question. How do you know which is my account to allow me access? I think this clears up the dilemma.
Posted: Sat Aug 07, 2004 6:07 pm
by feyd
well.. pretty much, only 1 username:password combo will create the proper md5 hash.. so you can just search for the proper hash, if you retrieve 2 (which is extremely unlikely) you can ask them to verify their username.. or something else that isn't made public..
Posted: Sat Aug 07, 2004 6:23 pm
by myleow
so you are suggesting that i store the md5 hash of username:password along with storing the username and password?
but i think that is a good idea, thanks for the solution. I will give it a try.
Regards
Mian
mcrypt
Posted: Sat Aug 07, 2004 10:15 pm
by anjanesh
You might also try using mcrypt fuctions where you can specify a key and decrypt them with the same key.
string mcrypt_encrypt ( string cipher, string key, string data, string mode [, string iv])
string mcrypt_decrypt ( string cipher, string key, string data, string mode [, string iv])
But you have to enable the php_mcrypt.dll extension.
This is strange. I haveve extension_dir = "c:\PHP\extensions\" and
extension=php_exif.dll and extension=php_gd2.dll are enabled and working perfectly but when I uncommented ;extension=php_mcrypt.dll and restarted IIS it showed unable to load module(). For the prev two extensions I didn't copy to system32 folder or whatever. Just uncomment it and it works - so I thought. Need to figure out why mcrypt dll is not loading.
Posted: Sun Aug 08, 2004 12:34 am
by feyd
it probably needs a support dll anjanesh.. and that doesn't help myleow at all as the crypted data, is passed to him, he's not crypting it..
