GaijinPunch has asked for the wisdom of the Perl Monks concerning the following question:

Monks

I set out on a task at the end of last week (didn't do any work on the weekend though) and actually asked here about an md5 encoded password field. After some poking around, it seems that the site uses a standard md5 javascript to encode the password (they actually included it in the HTML of another page). You can see the script here .

Assuming that the server-side generated challenge key is indeed random, I can always make my own random key, which takes a lot of work out of the task. However, I still need to run the password through their md5 algorithm. I'm hoping there's already a Perl mod that can handle this.

Any love? I'm in Hawaii, and it's been raining for weeks. I need some sunshine!

Replies are listed 'Best First'.
Re: Cookie issue (client side)
by dragonchild (Archbishop) on Mar 27, 2006 at 01:32 UTC
[reply]
      I looked at a few of those, but this particular javascript uses the value of challenge against the string, no? I do not see this in Digest::MD5, or the others.
[reply]
        Your link to the javascript MD5 routine is broken, (at this moment anyways). I'm wondering if you are not getting the concept of challenge and salt confused. In MD5 based password crypt, a salt value is used to generate the hash, and you are referring to the " value of the challenge being used against the string".

        I'm not going thru the mental aggravation of trying to hack their methods, but you have those 2 values to play with. The md5 salt, and the password, additionally it maybe be base64 encoded( which just adds another level of complication).

        It would seem to me, that their likely method, would be to send you a custom login page, with a random salt built-in to the html javascript. It then asks you to enter your password, which the javascript hashes with the salt, ( then may possibly base64encode it). It sends this value, and checks if it matches the MD5 crypt hash on their end, which uses the same salt. The salt may be hidden in a hidden field or even a cookie.

        Anyways, all those factors would make it an all day effort to hack, unless you get lucky and spot it quickly.

        I'm not really a human, but I play one on earth. flash japh
[reply]
Re: MD5 issue (client side)
by pajout (Curate) on Mar 27, 2006 at 10:32 UTC
    Slightly OT:
    I cannot exactly know, what do you encrypt using md5 on both client and server side because I cannot download your announced javascript. But I think that using md5 or other hash-functions is not necessary and does not enhance the safety in this case - when you are thinkinkg about some random strings serving the same role as passwords, the hashed random strings have the same role... The only one tip is to use https to avoid the man in the middle.
[reply]
      Hey guys: Thanks for the replies. Yes, I was not very fimiliar w/ how md5 authentication worked. I did figure it out though. Generally, I do what the javascript did -- there's about 5 lines of importance. In a nutshell, MD5(MD5(password) + challenge) or something like that.

      I am able to get a proper password based on the random challenge key.
[reply]

Back to Seekers of Perl Wisdom