I'm looking at a site, and looking at the password param sent on a post request, it is some kind of hash/encoding. The password i entered was bigfella32, obviously this wasn't my actual password! Here is what it looks like:
80449f5b5bd63f79000d0840e8f5c636d49835a8aa05636479a5492d8d0c4b2ad57672fdb8f5deca4659bd37066be7ff4de237cc8dee594b35a965c52327901a9602ac167386025dcb898ec5598ea9f320451433965a987884ffeff790e45e00ca75947f8b7184db2c9c225e6b417982ef95cd28462ea4c30b957ccd62c7fce6
I thought it was sha256 because it is 256 chars long, but apparently sha256 only produces a 64 long char set. How can i tell what kind of encoding/hash is being used, and what is the encoding/hash being used.
Related
I'm curious about some basics of MD5 encryption I couldn't get from Google, Java questions here nor a dense law paper:
1-How to measure, in bytes, an MD5 hash string? And does it depends if the string is UNICODE or ANSI?
2-Is MD5 an assymetric algorythm?
Example: If my app talks (http) to a REST webservice using a key (MD5_128 hash string, ANSI made of 9 chars) to unencrypt received data, does that account for 9x8=72 bytes in an assymetric algorithm?
I'm using Windevs 25 in Windows, using functions like Encrypt and HashString, but I lack knowledge about encryption.
Edit: Not asnwered yet, but it seems like I need to know more about charsets before jumping to hashes and encryption. https://www.joelonsoftware.com/2003/10/08/the-absolute-minimum-every-software-developer-absolutely-positively-must-know-about-unicode-and-character-sets-no-excuses/
An MD5 hash is 128 bits, 16 bytes. The result is binary, not text, so it is neither "ANSI" nor "Unicode". Like all hashes, it is asymmetric, which should be obvious from the fact that you can hash inputs which are longer than 128 bits. Since it is asymmetric, you cannot "unencrypt" (decrypt) it. This is by design and intentional.
I have a doubt. It's regarding Base64 encoding of one particular String.
We have an application which allows REST WebServices to be executed after authorization of type Basic Authentication is successful.
I has set the password for a user USER_NAME with the password CP#5N0v22nD17RrV8f4.
From my system, using Postman/Advanced REST client, the request sent is processed successfully. But the same request fails when made most of the other systems using the same REST client.
When I set this password to another user, that user credentials is facing the same problem.
I noticed that the Base64 encoding Output Charset is the problem. But there is no method to change it in the REST clients (not in the most of the ready-made ones).
But why is this happening only for this particular password. I check with every other passwords and it works fine.
String: USER_NAME:CP#5N0v22nD17RrV8f4
UTF-8: VVNFUl9OQU1FOkNQQDVOMHYyMm5EMTdSclY4ZjTigIs=
Windows-1252: VVNFUl9OQU1FOkNQQDVOMHYyMm5EMTdSclY4ZjQ=
ASCII: VVNFUl9OQU1FOkNQQDVOMHYyMm5EMTdSclY4ZjQ=
Only for CP#5N0v22nD17RrV8f4 the UTF-8 output charset encoding in Base64 is giving a different result.
Using any other passwords, all the outputs are the same.
Please make me understand why CP#5N0v22nD17RrV8f4 is different from the rest of the strings.
Thanks in Advance
Balu
The string has a non breaking space at the end of the string.
I tested this using the following steps.
Decoded the UTF-8 string VVNFUl9OQU1FOkNQQDVOMHYyMm5EMTdSclY4ZjTigIs= at https://www.base64decode.org/
Copied the result to encode in UTF-8 at https://www.base64decode.org/, but this time pressed backspace once at the end of string. Gives me output VVNFUl9OQU1FOkNQQDVOMHYyMm5EMTdSclY4ZjQ=
You could also try typing the characters manually, and encoding.
On my NetBSD system, there is a password hash in master.passwd that looks like this:
$sha1$[5 numbers]$[8 letters]$[17 alpha numeric].[10 alpha numeric]
For privacy concerns I left out the actual values. Would someone be willing to explain the different parts of this? I was under the impression that SHA1 resulted in 20 bytes, so I was very confused about what part was the actual hash, and what part was the salt, and what part everything else was.
The relevant parts can be found in NetBSD src/lib/libcrypt.
For the format: crypt-sha1.c
The format of the encrypted password is:
$<tag>$<iterations>$<salt>$<digest>
where:
<tag> is "sha1"
<iterations> is an unsigned int identifying how many rounds
have been applied to <digest>. The number
should vary slightly for each password to make
it harder to generate a dictionary of
pre-computed hashes. See crypt_sha1_iterations.
<salt> up to 64 bytes of random data, 8 bytes is
currently considered more than enough.
<digest> the hashed password.
The digest is 160 bits = 20 bytes, but it is encoded using base64 (4 bytes for 3 source bytes) to 28 bytes (with one zero padding byte). See util.c for that.
I was wondering if there is a way to "test" to see if a particular string is encrypted or not.
I am using Crypt::CBC to encrypt a password with Rijndael.
As it stands my script has a "switch" that is either set as 0 or 1 that tells the script weather or not the password needs to be passed through the decrypt phase in order to be read.
I would like to eliminate that phase if I could.
The reason is I am trying to prevent the users of script from possibly prsenting the script with a situation where the password is encrypted but the "switch" was set to 0 meaning not encrypted because this would create a huge "trainwreck".
change your apps so passwords are only stored encrypted. confusion gone.
Rijndael has a block size of 128-bits so the output will always be a multiple of this.
If the encrypted passwords are hex-encoded then that will give you strings that are a multiple of 32 characters. In fact, with the IV added, the strings will always be at least 64 characters: 128 bits of IV followed by 128 bits of ciphertext block 1.
You could therefore look for strings of the right length that contain only [0-9a-f]. They are probably encrypted because I suspect few people can use a 64-character string of randomness as their real password.
If they're base64 encoded then the strings will be a different length, obviously.
This doesn't guarantee that you can always detect an encrypted password but it's probably not too bad.
Which symmetrical encryption algorithm to use to encrypt e-mail address(short message)? I would like to have ciphertext to be comparable in length to paintext.
According to Little known features: Symmetric encryption with PGP/GPG:
A little known feature of both PGP and
GPG is that they can also do symmetric
encryption. Just a passphrase is
needed- no public or private keys are
involved. It’s a quick and dirty way
to get strong encryption that even a
novice can use.
To encrypt a file with symmetric
encryption, the syntax is:
pgp --symmetric filename
gpg --symmetric filename
The result is a binary file with the
same name as the original and ".pgp"
or ".gpg" appended.
If the encrypted file must be pasted
into the body of an e-mail message
(instead of added as an attachment),
you’ll want to use the plain ASCII
form of output:
pgp --symmetric --armor filename
gpg --symmetric --armor filename
The result is a plain text file ending
in ".asc"
Decryption is performed using the
usual "-d" switch:
pgp -d filename
gpg -d filename
But I'm not sure this is what you're looking for. Maybe you can clarify your question.
If you really want to have the cipher text comparable in length to the email address, you can use a block cipher in a mode like CFB or OFB that allows encryption of one byte at a time.
However, I don't recommend it, because that gives an attacker a little information about what the message is (how long is the message?). Using an algorithm like 3DES or AES with 16-byte blocks in CBC mode with PKCS #5 padding, most email addresses will be encrypted in two blocks.
I see there is a bit of confusion about lengths of plaintext/ciphertext. Actually, those lengths are quite similar if you use a symmetric encryption algorithm.
Consider a block cipher (e.g. AES). It encrypts 128-bit blocks into 128-bit blocks. So if your plaintext is exactly 128 bits (or its multiple), AES in any mode of operation will produce the ciphertext with the same length. If your plaintext length is not a multiple of 128 bits, then it will get padded to the full block and the ciphertext will be slightly longer (by at most 127 bits). You still can avoid that by using some tricks like ciphertext stealing.
If you use a stream cipher, the encryption process is just XOR-ing bits (or bytes) of the plaintext with bits (or bytes) of the keystream and then the length of the ciphertext is by definition equal to the length of the plaintext.
To answer directly your question, if you don't need any specific format of the encrypted email, just use AES.
If you want the encrypted email to be also in the format of an email, you may want to check how Format-Preserving Encryption works.
#Bobby: ROT13 is NOT an encryption algorithm.
Symmetric block ciphers produce the same length as the input, in multiples of block size (usually 8 bytes or 16 bytes for AES). Because the output is always multiple of block sizes (in fact the output is always the same size as the input and the input must be multiple of block sizes) then you cannot know the original size of the plain text. Common encryption schemes solve this by adding a padding scheme, like PKCS, ISO 10126 or ANSI X923. These schemes place information about the original clear text length in the last block.
If the clear text size is multiple of 8 (16 for AES) then one more block is added to the encrypted text. If the original size is not multiple of block size, then the encrypted size will be rounded up to the next multiple block size.
To this you should add a salt value for each record. A salt (or initialization vector, to be correct) has the same size as a block. Usually is stored in front of the encrypted block.
And finaly you should sign the encrypted value for validation, so you should add a SHA digest, another 20 bytes, otherwise you cannot know for sure if the decrypted value is correct.
So the overall size is (considering AES): 16 bytes (salt) + (clear text size + 20(hash) ) + (16 - (clear text size + 20)%16).
So for john.doe#anydomain.com (lenght 22) the encrypted size will be 16+22+20+(16-10)=64. To decrypt you take the first 16 bytes as salt, decrypt the remaininf 48, the output is lenght 42, you digest SHA the 42-20 = 22 bytes and compare the digets with the last 20 bytes of the decrypted text for validation.
I know is maybe more than you bargained for, but every step in this scheme has a justification.
I would suggest looking into PGP.
To have cypher results comparable with plain text is not a good idea, having differents lenghts is a part of what encryption is about.
I will suggest you one of the most secure encryption algorithms today: AES
But forget about having comparable sizes!
ROT13 or a substitution cypher might work (keys can be changed or exchanged). Encryption with keeping the original text length is...not really that good.
Bobby