Home > Archive > PERL Beginners > April 2007 > Encryption
| Andreas Moroder 2007-04-27, 6:58 pm |
| Hello,
I have to calculate a hash of username and password in Perl.
The calculation should be done this way:
1. Concatenate the username and the password to produce a plaintext string;
2. Convert the plaintext string to uppercase characters;
3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;
4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;
5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.
Is it possible to implement this in Perl?
Is the Crypt-DES module on CPAN the right module, and how can I convert a standard string to multibyte storage (UTF-16?)
An example is
User: example
password: test
hash: BDA63848A8C31752
I don't need this script to hack anything; we would like to modify our Oracle password from a web frontend.
Thanks
Andreas
| |
| Martin Barth 2007-04-27, 6:58 pm |
| Hi
On Fri, 27 Apr 2007 11:33:47 +0200
Andreas Moroder <andreas.moroder@sb-brixen.it> wrote:
> Hello,
>
> I have to calculate a hash of username and password in perl.
> The calculation should be done this way:
>
First the easy stuff; I think you already know the answers to that:
> 1. Concatenate the username and the password to produce a plaintext string;
$username . $password;
> 2. Convert the plaintext string to uppercase characters;
uc();
> 3. Convert the plaintext string to multi-byte storage format; ASCII characters have the high byte set to 0x00;
I am not sure, but I think that could help you:
http://search.cpan.org/~dankogai/Encode-2.20/
> 4. Encrypt the plaintext string (padded with 0s if necessary to the next even block length) using the DES algorithm in cipher block chaining (CBC) mode with a fixed key value of 0x0123456789ABCDEF;
Have a look at:
http://search.cpan.org/~dparis/Cryp...05/DES.pm#NOTES
They say that the encryption is done in 8-byte blocks.
Your key is 8 bytes long, that sounds quite good :)
> 5. Encrypt the plaintext string again with DES-CBC, but using the last block of the output of the previous step (ignoring parity bits) as the encryption key. The last block of the output is converted into a printable string to produce the password hash value.
>
> Is it possible to implement this in perl ?
It should work :)
HTH Martin
| |
| Zentara 2007-04-27, 6:58 pm |
| On Fri, 27 Apr 2007 11:33:47 +0200, andreas.moroder@sb-brixen.it
(Andreas Moroder) wrote:
>Hello,
>
>I have to calculate a hash of username and password in perl.
>The calculation should be done this way:
>
>1. Concatenate the username and the password to produce a plaintext string;
>2. Convert the plaintext string to uppercase characters;
>3. Convert the plaintext string to multi-byte storage format; ASCII
>characters have the
>high byte set to 0x00;
>4. Encrypt the plaintext string (padded with 0s if necessary to the next
>even block length)
>using the DES algorithm in cipher block chaining (CBC) mode with a fixed
>key value of
>0x0123456789ABCDEF;
>5. Encrypt the plaintext string again with DES-CBC, but using the last
>block of the output
>of the previous step (ignoring parity bits) as the encryption key. The
>last block of the
>output is converted into a printable string to produce the password hash
>value.
>
>Is it possible to implement this in perl ?
>Is the Crypt-DES Module on CPAN the right module and how can I convert
>standard string to Multibyte storage ( UTF-16 ? )
>An example is
>
>User: example
>password: test
>hash: BDA63848A8C31752
>
>I don't need this script to hack anything, we would like to modify our
>Oracle password from a web frontend.
>
>Thanks
>Andreas
I'm a bit unclear about step 5, but it should be doable in Perl once
you determine the EXACT steps you need to take. Here are some tips
to maybe get you through the first four steps.
This may be far off from what Oracle needs, but it seems to work
for your first 4 steps. Some questions remain, like do you need a salt?
What do you use to convert back to plaintext hash? Base64encode?
What does "ignore parity bits" mean?
You may want to ask this on http://perlmonks.org, where more
savvy encryption and Oracle monks hang out. But make sure you
can specify the EXACT steps needed. I'm sure it can be done.
To be honest, I would assume that the Oracle designers have made this
quite tricky to avoid hacking their passwords.
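#!/usr/bin/perl
use warnings;
use strict;
use Crypt::CBC;
use Encode;
# fixed 8-byte DES key from step 4
my $key = pack("H16", "0123456789ABCDEF");
my $user = 'example';
my $password = 'test';
# steps 1 and 2: concatenate and uppercase
my $plaintext = uc($user.$password);
print("$plaintext\n");
# step 3: convert to bytes via UTF-16BE, no BOM, so each ASCII character
# gets a leading 0x00 byte (take a look at "perldoc perlunicode")
my $octets = encode("UTF-16BE", $plaintext);
print "utf16-> $octets\n";
# step 4: use the key bytes as-is (no passphrase derivation, no salt
# header), a fixed IV and zero padding; the all-zero IV is an assumption,
# the steps above do not state one
my $cipher = Crypt::CBC->new(
    -key         => $key,
    -literal_key => 1,
    -cipher      => 'DES',
    -header      => 'none',
    -iv          => "\0" x 8,
    -padding     => 'null',
);
my $ciphertext = $cipher->encrypt($octets);
# the ciphertext is binary, so print it as hex
print(unpack("H*", $ciphertext), "\n");
my $recovered = $cipher->decrypt($ciphertext);
print("$recovered\n");
# step 5 I'm not sure of. What do you mean by
# encrypt plaintext again, ignoring parity bits,
# and what do you want to use to convert it to
# plaintext... probably base64encoding?
__END__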
--
I'm not really a human, but I play one on earth.
http://zentara.net/japh.html
| |
| Andreas Moroder 2007-04-30, 6:58 pm |
| Hello,
I got these steps from
http://www.ecuoug.org/papers/Oracle...rdAlgorithm.pdf
> I'm a bit unclear about step 5, but it should be doable in Perl once
> you determine the EXACT steps you need to take. Here are some tips
> to maybe get you through the first four steps.
> This may be far off from what Oracle needs, but it seems to work
> for your first 4 steps. Some questions remain, like do you need a salt?
> What do you use to convert back to plaintext hash? Base64encode?
> What does "ignore parity bits" mean?
>
> You may want to ask this on http://perlmonks.org, where more
> savvy encryption and Oracle monks hang out. But make sure you
> can specify the EXACT steps needed. I'm sure it can be done.
>
> To be honest, I would assume that the Oracle designers have made this
> quite tricky to avoid hacking their passwords.
According to the document this is not true.
I will try your code later.
Thank you
Andreas
| |
|
|
| Andreas Moroder 2007-04-30, 6:58 pm |
| >
> I'm a bit unclear about step 5, but it should be doable in Perl once
> you determine the EXACT steps you need to take. Here are some tips
> to maybe get you through the first four steps.
> This may be far off from what Oracle needs, but it seems to work
> for your first 4 steps. Some questions remain, like do you need a salt?
> What do you use to convert back to plaintext hash? Base64encode?
Hello,
the hash is stored in hexadecimal format.
Bye
Andreas
|
|
|
|
|
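The five steps from the thread carried through to the hexadecimal hash, as an added example that is not code from any of the posters: CBC chaining is done by hand on top of Crypt::DES so that the literal key, the IV and the zero padding are all explicit. The all-zero IV and the UTF-16BE (no BOM) encoding are assumptions, and `des_cbc_blocks` and `oracle_style_hash` are names chosen here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::DES;
use Encode qw(encode);

# DES-CBC with a literal 8-byte key; returns the list of ciphertext blocks.
# Assumption: all-zero IV (the thread does not state one).
sub des_cbc_blocks {
    my ($key, $data) = @_;
    my $des  = Crypt::DES->new($key);
    my $prev = "\0" x 8;
    my @blocks;
    for (my $i = 0; $i < length($data); $i += 8) {
        # CBC: XOR each plaintext block with the previous ciphertext block
        $prev = $des->encrypt(substr($data, $i, 8) ^ $prev);
        push @blocks, $prev;
    }
    return @blocks;
}

sub oracle_style_hash {
    my ($user, $password) = @_;
    # Steps 1-3: concatenate, uppercase, then UTF-16BE without a BOM so
    # every ASCII character becomes 0x00 followed by the character byte.
    my $plain = encode('UTF-16BE', uc($user . $password));
    die "empty username and password\n" unless length $plain;
    # Zero-pad to a multiple of the 8-byte DES block size.
    $plain .= "\0" x ((8 - length($plain) % 8) % 8);
    # Step 4: first pass with the fixed key.
    my @first = des_cbc_blocks(pack('H16', '0123456789ABCDEF'), $plain);
    # Step 5: the last block of pass one becomes the key. DES only uses 56
    # of the 64 key bits (the low bit of each byte is parity), so the block
    # can be passed as the key unchanged.
    my @second = des_cbc_blocks($first[-1], $plain);
    # Last block of pass two, as uppercase hex.
    return uc(unpack('H*', $second[-1]));
}

my $expected = 'BDA63848A8C31752';   # example value quoted in the thread
my $got      = oracle_style_hash('example', 'test');
printf "%s (%s the thread's example)\n",
    $got, $got eq $expected ? 'matches' : 'differs from';
```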