Page 1 of 1

challenge response code with sha512 instead of sha256

Posted: Sun Sep 03, 2006 4:55 pm
by gf05856
I see that the Challenge/response tutorial now supports sha256 including the javascript version,
Is there a way to replace this with the php build in sha512 version?
I think I already managed to change some code but do not know where to start to replace the javascript ...

Code: Select all

(login.php)
Original: $expected_response = SHA256::hash($response_string);
New: $expected_response = hash('sha512', $response_string);

Original: if(SHA256::hash($_POST['userpass']) == $user['password'])
New:  if(hash('sha512',($_POST['userpass'])) == $user['password'])

and 
(index.php)
Orininal: $challenge = SHA256::hash(uniqid(mt_rand(), true));
New: $challenge = hash('sha512', (uniqid(mt_rand(), true)));
The javascript code in the form go's like this ... should I replace it with something from php or ajax?!?

Code: Select all

<script language="javascript" src="sha256.js" type="text/javascript"></script>
<!--
    Include a javascript function to manipulate our form data, i.e. to generate a Response string, delete
    userpass and challenge prior to allowing submission. Rem: we don't want to send a plain text password!
-->
<script language="javascript" type="text/javascript">
<!--
  function doChallengeResponse() {
    str = document.login_form.username.value.toLowerCase() + ":" +
    sha256_digest(document.login_form.userpass.value) + ":" +
    document.login_form.challenge.value;
    document.login_form.userpass.value = "";
    document.login_form.challenge.value = "";
    document.login_form.response.value = sha256_digest(str);
    return false;
  }
// -->
</script>
</head>
<body>
<h3>Challenge Response Login Form</h3>
<br />
<br />
    <!--
        Our form has 4 fields - but only 2 are submitted. The doChallengeResponse() javascript function
        will generate a Response and set it as the value of 'response'. The same function will also unset
        the value of the 'userpass' field, and 'challenge' field which we DO NOT want sent!

        The javacript function is called when the user submits the form - see the onsubmit tag...
    -->
    <form method="post" action="login.php" name="login_form" id="login_form" onsubmit="doChallengeResponse()">
    Username:&nbsp;&nbsp;<input type="text" name="username" id="username" value="" size="16" />
    <br />
    Password:&nbsp;&nbsp;<input type="password" name="userpass" id="userpass" value="" size="16" />
    <br /><br />
    <input type="reset" name="u_reset" id="u_reset" value="Reset" />&nbsp;&nbsp;<input type="submit" name="u_submit" id="u_submit" value="Login" />
    <!--
        Insert the Challenge value from the server with a small PHP echo()
    -->
    <input type="hidden" name="challenge" id="challenge" value="<?php echo($challenge); ?>" />
    <!--
        Our 'response' field will be filled by the javascript function once the Response string is generated
    -->
    <input type="hidden" name="response" id="response" value="" />
</form>
Thanks for your support!

Posted: Sun Sep 03, 2006 5:02 pm
by feyd
You'll need a Javascript version of SHA512.

Posted: Sun Sep 03, 2006 5:03 pm
by gf05856
Then I am doommmmmmmmmed to wait until you write one?

Did not find any on google...

Posted: Sun Sep 03, 2006 5:50 pm
by feyd
I have no plan to write one. The plan is to write the pure php versions only. You may not know this but I didn't write the Javascript version in that tutorial, only the PHP version.

Posted: Mon Sep 04, 2006 2:55 pm
by gf05856
Just for info, asked some people around, and apparently the javascript machines out there (at least IE & Firefox) do not support 64bit ints which makes it almost impossible to write a javascript that copes with 64bit ints instead of 32bit ints so sha512 and sha384 can't be implemented in javascript right now (at least without going through loads of pain to make all the 64bit math with 32bit ints).

Posted: Mon Sep 04, 2006 3:52 pm
by feyd
haha, those people apparently don't know how to do 64bit math on 32bit machines then I guess. It's not all that more difficult, just need to build an INT64 library (if one doesn't already exist, which I find hard to believe.)

Just so you know, PHP doesn't have 64bit support on most platforms, yet it's quite possible for me to write a library to do them without trouble.