On 07/03/2017 15:28, Bob Sneidar via use-livecode wrote:
> Thanks Peter. But then how will I know programmatically if the password is
> correct or not?

Hi Bob,

Here's a worked example of what I'm talking about.

                                      Peter

---------------------------------------------------------

/* Compute a hash-based message authentication code
using the SHA-1 hash.  This is broken; it should correctly
follow RFC 2104. */
private function hmacSha1 pKey, pMessage
   return sha1digest(pKey & sha1digest(pKey & pMessage))
end hmacSha1

/* Generate a 160-bit salt value suitable for use when
storing a password */
private function generateSalt
   return randomBytes(20)
end generateSalt

/* Convert the specified cleartext password string to a
secure string suitable for storage using the specified
salt, which should be raw binary data (it is base 64-encoded
here for storage). */
private function securePassword pPasswordString, pSaltData
   local tPasswordData
   put textEncode(pPasswordString, "UTF-8") into tPasswordData
   return base64Encode(pSaltData) & comma & \
         base64Encode(hmacSha1(pSaltData, tPasswordData))
end securePassword

/* Get the salt part of a secured password string */
private function getSecurePasswordSalt pSecurePassword
   return base64Decode(item 1 of pSecurePassword)
end getSecurePasswordSalt

/* Store a new password.  Use this when a user creates
a new account or changes their password for any reason */
function storePassword pPasswordString
   return securePassword(pPasswordString, generateSalt())
end storePassword

/* Verify a password.  Use this when a user tries to log
in.  Returns true if the password is correct and false
otherwise. */
function verifyPassword pPasswordString, pSecurePassword
   local tSaltData, tTrialString
   put getSecurePasswordSalt(pSecurePassword) into tSaltData
   put securePassword(pPasswordString, tSaltData) into tTrialString
   -- Base 64 is case-sensitive, but "is" ignores case by default
   set the caseSensitive to true
   return tTrialString is pSecurePassword
end verifyPassword

---------------------------------------------------------

private command _testAssert pDesc, pCondition
   if pCondition then
      put "ok -" && pDesc & return after msg
   else
      put "not ok -" && pDesc & return after msg
   end if
end _testAssert

command _testPasswordDemo
   local tSecured
   put storePassword("correct horse battery staple") into tSecured
   put "# Stored:" && tSecured & return into msg
   _testAssert "bad password", \
         not verifyPassword("hunter2", tSecured)
   _testAssert "good password", \
         verifyPassword("correct horse battery staple", tSecured)
end _testPasswordDemo
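
An RFC 2104-conformant HMAC-SHA1 that could stand in for the simplified hmacSha1 in the message above, as an added example that is not part of the original post. It assumes LiveCode 7 or later (byte chunks, numToByte and byteToNum); the handler name _checkHmacSha1 is hypothetical, and the check uses test case 1 from RFC 2202.

```livecode
/* HMAC-SHA1 following RFC 2104:
   H((K xor opad) & H((K xor ipad) & message))
   pKey and pMessage are binary data; returns a 20-byte digest. */
private function hmacSha1 pKey, pMessage
   local tKey, tInnerPad, tOuterPad, tByte, i
   put pKey into tKey

   -- Keys longer than the SHA-1 block size (64 bytes) are hashed first
   if the number of bytes in tKey > 64 then
      put sha1digest(tKey) into tKey
   end if

   -- Right-pad the key with zero bytes to exactly one block
   repeat while the number of bytes in tKey < 64
      put numToByte(0) after tKey
   end repeat

   -- XOR every key byte with ipad (0x36 = 54) and opad (0x5C = 92)
   repeat with i = 1 to 64
      put byteToNum(byte i of tKey) into tByte
      put numToByte(tByte bitXor 54) after tInnerPad
      put numToByte(tByte bitXor 92) after tOuterPad
   end repeat

   return sha1digest(tOuterPad & sha1digest(tInnerPad & pMessage))
end hmacSha1

/* Check hmacSha1 against RFC 2202 test case 1:
   key = 20 bytes of 0x0b, data = "Hi There".
   Returns true if the digest matches the published value. */
function _checkHmacSha1
   local tKey, tDigest, tHex
   repeat 20 times
      put numToByte(11) after tKey
   end repeat
   put hmacSha1(tKey, textEncode("Hi There", "UTF-8")) into tDigest

   -- Convert the binary digest to a hex string for comparison
   get binaryDecode("H*", tDigest, tHex)
   return tHex is "b617318655057264e28bc0b6fb378c8ef146be00"
end _checkHmacSha1
```

Password strings produced with the simplified hmacSha1 will not verify after swapping in this version, because the two constructions give different digests for the same salt and password.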
