Re: Crypt::CBC and verifying passwords

Geektron:

I have used Crypt::CBC with Crypt::Blowfish in an application I am currently working on. I found that the result produced by encrpyting the same value on successive occassions did not match.

It seems from your comments you are storing an unecrypted password and encrypting it for comparison. This won't work, well not if you are using Blowfish or similar. I think you would need to decrypt for comparison, thats where I ended up.

Mind you, I did not investigate in depth, I found the problem and had to make it work.

jdtoronto

Comment on Re: Crypt::CBC and verifying passwords

Replies are listed 'Best First'.
Re: Re: Crypt::CBC and verifying passwords by kutsu (Priest) on May 19, 2004 at 18:34 UTC
I had this same problem with blowfish and ended up needing to encrypt everything in the same file. The easiest way to do this was to create a module with two subs that handle encryption and comparision. I offer this untested code, which will hopefully point you in the right direction. Note I have not done any taint checking or etc. so this if very unsecure code, I'm also not saying this is a good idea just that it will work. Read more... (2 kB) "Cogito cogito ergo cogito sum - I think that I think, therefore I think that I am." Ambrose Bierce	[reply] [d/l]

Replies are listed 'Best First'.

Re: Re: Crypt::CBC and verifying passwords
by kutsu (Priest) on May 19, 2004 at 18:34 UTC

I had this same problem with blowfish and ended up needing to encrypt everything in the same file. The easiest way to do this was to create a module with two subs that handle encryption and comparision. I offer this untested code, which will hopefully point you in the right direction. Note I have not done any taint checking or etc. so this if very unsecure code, I'm also not saying this is a good idea just that it will work.