Re: Hashing a password



On Sun, 23 Mar 2008 16:44:24 -0700, Joshua B wrote:

> I'm trying to hash a password given the password entered as a string and
> a hashkey that I'm given from elsewhere. Here are the instructions I
> have for doing the hashing:
>
> "Receive a single line, turn it into bytes. This is the password hashing
> key. It's 32 bytes long."
> "For each character pw[i] in the password, compute (pw[i] - 0x20) ^
> hashkey[i] + 0x20."
>
> This is how I read the key:
>
>     $hashkey = fgets($this->socket);
>
> Then I call my hash function:
>
>     $hashpw = $this->hashPassword($password, $hashkey);
>
>     private function hashPassword($password, $hashkey) {
>         $stop = strlen($password);
>         if ($stop > strlen($hashkey)) {
>             $stop = strlen($hashkey);
>         }

You only need to check to see if $password is less than or equal to 32 as
the hash key is 32 bytes long.


>         $hashpw = "";
>         for ($i = 0; $i < $stop; $i++) {
>             $hashpw[$i] = (($password[$i] - 0x20) ^ $hashkey[$i]) + 0x20;
>         }
>         return $hashpw;
>     }
>
> Only that doesn't seem to work. I'm assuming it's maybe not treating
> the characters correctly when moving stuff around, but I don't know
> enough about how PHP does that to know. I've tried a few different
> things but nothing seems to work. (Work as in, when I send $hashpw out
> it's rejected as being an invalid password. I'm using a simple test so
> I know it's not an issue of typing the wrong password.)
>
> Any ideas?


What language was this originally written in?

If written in C:

> "For each character pw[i] in the password, compute (pw[i] - 0x20) ^
> hashkey[i] + 0x20."

And if I recall correctly:

(pw[i] - 0x20) -- "Strip ASCII bias"

^ hashkey[i] -- Bitwise exclusive OR

+ 0x20 -- Return value to ASCII

I take it that the hash key is some 8 bit binary code?

I would try using an array for hashpw instead of a string value. A
string value in PHP may be larger than 8 bits; it could be platform
dependent, possibly being 16 or 32 bits long. That would make the XOR
return some invalid result, i.e. promoting an 8 bit value (hash key) to a
16 bit value before doing the XOR.

Another thing you may want to try is to copy the operands into a numeric
variable, then perform the XOR operation back into a numeric variable,
then place the result back into the string. I don't know how PHP is
massaging the string to integer to string conversions.

Manipulating a password with a simple XOR is not very secure. It is
only better than almost no security.

--
Tayo'y Mga Pinoy
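
The byte-level arithmetic discussed in this thread, as an added example that is not part of either post: each character is converted to an integer with ord(), transformed, masked to one byte and converted back with chr(). In C and PHP `+` binds tighter than `^`, so the quoted formula can be read two ways and the page does not say which one the server expects; the function name, the `$cPrecedence` flag and the 32-byte key are hypothetical and constructed for the demonstration.

```php
<?php
// Added example, not the original poster's code.
// xorTransform() and $cPrecedence are hypothetical names; the key is constructed.

/**
 * Apply the documented per-character transform on byte values.
 *
 * $cPrecedence = false: ((pw[i] - 0x20) ^ hashkey[i]) + 0x20   (reading used in the thread)
 * $cPrecedence = true:  (pw[i] - 0x20) ^ (hashkey[i] + 0x20)   (the formula as C or PHP parse it)
 */
function xorTransform(string $password, string $hashkey, bool $cPrecedence = false): string
{
    // Never index past the shorter of the two inputs.
    $stop = min(strlen($password), strlen($hashkey));
    $out  = '';
    for ($i = 0; $i < $stop; $i++) {
        $p = ord($password[$i]);   // character -> integer 0..255
        $k = ord($hashkey[$i]);    // key byte  -> integer 0..255
        $v = $cPrecedence
            ? ($p - 0x20) ^ ($k + 0x20)
            : (($p - 0x20) ^ $k) + 0x20;
        $out .= chr($v & 0xFF);    // keep the low byte, integer -> character
    }
    return $out;
}

// Constructed 32-byte key: the bytes 0x21 through 0x40.
$hashkey  = implode('', array_map('chr', range(0x21, 0x40)));
$password = 'secret';              // constructed sample password

$threadReading = xorTransform($password, $hashkey);
$cReading      = xorTransform($password, $hashkey, true);

// Hex dumps make non-printable output bytes visible for comparison.
echo 'thread reading: ', bin2hex($threadReading), "\n";
echo 'C precedence:   ', bin2hex($cReading), "\n";

// Compare the two readings of the same formula.
var_dump($threadReading === $cReading);

// Under the thread's reading, applying the transform again with the same key
// undoes it, so the output hides the password only from someone without the key.
var_dump(xorTransform($threadReading, $hashkey) === $password);
```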