Crypto()


Mchurch

Nov 26, 2013, 5:05:01 AM
to web...@googlegroups.com
Dear all, I'm a little bit lost with the Crypto method.
I need authentication from a mobile app towards web2py.
If I'm not wrong, web2py now uses sha512 by default to encrypt the auth user password.
From my iOS app I'm sending the password encrypted with the same hash algorithm, sha512, because I don't want to send the password in the clear over the net.
From web2py console I can do:

b='sha512$$83d97b71499bee6b9d42dee9d3a6e5d00ecc8c891346d25d1909b3aac9abaa0ad4864fe4eacf159cd3f4a0ad764178d014ac378dfffc5e4023f6dbcfb0992648'

where b is exactly my mobile password string that I'm sending to web2py through JSON

>>> b

'sha512$$83d97b71499bee6b9d42dee9d3a6e5d00ecc8c891346d25d1909b3aac9abaa0ad4864fe4eacf159cd3f4a0ad764178d014ac378dfffc5e4023f6dbcfb0992648'

>>> a= CRYPT(digest_alg='sha512',salt=False)('pippo')[0]

Now, if I do a==b, it returns True.

The problem is that I'm not able to compare auth.user password with my mobile password!

Both are encrypted with the same algorithm, but auth.login_bare(user,psw) always returns false because it wants the clear password.

The solution to me appears to be that I have to compare the two encrypted passwords, but maybe I'm on the wrong track.

Help please...

Marco

Jonathan Lundell

Nov 26, 2013, 10:40:58 AM
to web2py
Briefly: you don't want to do that.

Why? In the scheme you propose, the hash effectively becomes the password, and is stored as if unhashed in the database, to be compared directly with what comes in over the wire. So if your database is compromised, the attacker can log into any account simply by presenting the password (hash) stored in the database. Compare that to the usual method, where the user transmits the password: the point of the hash is that the password cannot be reverse-engineered from the hash (if it's a good password!).

Protecting the password in flight is easy enough: use https.
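The contrast Jonathan describes, as an added example that is not part of the thread and not web2py code: a server that stores and compares a client-supplied sha512 digest next to one that salts and hashes the password itself on arrival. The "salt$digest" record layout, the helper names and the sample password "pippo" (taken from the question) are assumptions for illustration, not web2py's CRYPT format.

```python
import hashlib
import hmac
import os


def sha512_hex(text: str) -> str:
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


# Scheme A (as proposed in the question): the client sends sha512(password),
# the server stores that digest and compares it with what arrives on the wire.
def enroll_client_hashed(password: str) -> str:
    return sha512_hex(password)


def verify_client_hashed(stored: str, received: str) -> bool:
    return hmac.compare_digest(stored, received)


# Scheme B (the usual method): the client sends the password itself over
# HTTPS; the server salts and hashes it on arrival. Record layout
# "salt$digest" is an assumption for this example, not web2py's format.
def enroll_server_hashed(password: str) -> str:
    salt_hex = os.urandom(16).hex()
    return salt_hex + "$" + sha512_hex(salt_hex + password)


def verify_server_hashed(stored: str, password: str) -> bool:
    salt_hex, digest = stored.split("$", 1)
    return hmac.compare_digest(digest, sha512_hex(salt_hex + password))


def stored_value_suffices(enroll, verify, password: str = "pippo") -> bool:
    """True if what the database stores is, by itself, enough to pass
    verification. This is the property a database leak turns into a risk."""
    stored = enroll(password)
    return verify(stored, stored)


def compare_schemes() -> dict:
    """Run both schemes on the constructed sample password 'pippo'."""
    return {
        "client_hashed_login_ok": verify_client_hashed(
            enroll_client_hashed("pippo"), sha512_hex("pippo")),
        "client_hashed_db_value_suffices": stored_value_suffices(
            enroll_client_hashed, verify_client_hashed),
        "server_hashed_login_ok": verify_server_hashed(
            enroll_server_hashed("pippo"), "pippo"),
        "server_hashed_db_value_suffices": stored_value_suffices(
            enroll_server_hashed, verify_server_hashed),
    }
```

In scheme A the stored record verifies as-is, so a leaked table is a leaked set of credentials; in scheme B the stored record is useless as a login value and the user's password still has to be recovered from the salted digest.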


Marco Dellachiesa

Nov 26, 2013, 11:00:34 AM
to web...@googlegroups.com
Now I get the point!
Thank you very much Jonathan.
Marco

Sent from my iPad