I am working on an application that wants to leverage the ofBiz user logins to allow ofBiz users to automatically log on to another application developed in .NET ASP.NET. The ASP.NET application gets a login from the user and then accesses a copy of the ofBiz user login table to compare passwords for login validation. I have the .NET code creating a SHA-1 password hash but it does not compare properly to the encrypted passwords in ofBiz. I wrote some test Java code and determined that its version of SHA-1 is the same as the .NET version hash. So it looks like a salt is being used but none of the ofBiz developers where I work can point out how to find the salt value or help me with this. I have looked through the login code and it looks like a straight SHA-1 hash using MessageDigest. But then the hashed passwords should match but they don't.
Can someone tell me what (and where) the salt value is that is being used? Or if I'm missing something here what it is? And possibly point me to where in the documentation this is covered (if it is)?
Thanks!
- Grant
In reply to this post by CGrantAnderson
CGrantAnderson wrote:
> I am working on an application that wants to leverage the ofBiz user logins
> to allow ofBiz users to automatically logon to another application developed
> in .NET ASP.NET. The ASP.NET application gets a login from the user and
> then accesses a copy of the ofBiz user login table to compare passwords for
> login validation. I have the .NET code creating a SHA-1 password hash but
> it does not compare properly to the encrypted passwords in ofBiz. I wrote
> some test Java code and determined that its version of SHA-1 is the same as
> the .NET version hash. So it looks like a salt is being used but none of
> the ofBiz developers where I work can point out how to find the salt value
> or help me with this. I have looked through the login code and it looks
> like a straight SHA-1 hash using MessageDigest. But then the hashed
> passwords should match but they don't.
>
> Can someone tell me what (and where) the salt value is that is being used?
> Or if I'm missing something here what it is? And possibly point me to where
> in the documentation this is covered (if it is)?

There is no salt in ofbiz passwords. I have a patch that adds support for it, that is compatible with unix crypt(3).

In reply to this post by CGrantAnderson
How old is the OFBiz instance? The hex encoding was messy a few years back which resulted in unexpected results but that's been fixed for a while now.
Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 7/07/2010, at 10:55 AM, CGrantAnderson wrote:

> I am working on an application that wants to leverage the ofBiz user logins
> to allow ofBiz users to automatically logon to another application developed
> in .NET ASP.NET. The ASP.NET application gets a login from the user and
> then accesses a copy of the ofBiz user login table to compare passwords for
> login validation. I have the .NET code creating a SHA-1 password hash but
> it does not compare properly to the encrypted passwords in ofBiz. I wrote
> some test Java code and determined that its version of SHA-1 is the same as
> the .NET version hash. So it looks like a salt is being used but none of
> the ofBiz developers where I work can point out how to find the salt value
> or help me with this. I have looked through the login code and it looks
> like a straight SHA-1 hash using MessageDigest. But then the hashed
> passwords should match but they don't.
>
> Can someone tell me what (and where) the salt value is that is being used?
> Or if I'm missing something here what it is? And possibly point me to where
> in the documentation this is covered (if it is)?
>
> Thanks!
>
> - Grant
> --
> View this message in context: http://ofbiz.135035.n4.nabble.com/Comparing-ofBiz-Hashed-Passwords-in-NET-tp2280296p2280296.html
> Sent from the OFBiz - Dev mailing list archive at Nabble.com.

In reply to this post by CGrantAnderson
Solution found - Yes, the ofBiz version we are using is old and the password hash hex encoding is indeed the older one with, ah, "custom", hex encoding. As an example for anyone who may in the future encounter this problem, the password "ofbiz" looks like this with the old encoding:

47ca69ebb4bdc9ae0adec130880165d2cc05db1a

And this with standard SHA-1 encoding:

47B56994CBC2B6D10AA1BE30F70165ADB305A41A

The old code is in the HashCrypt.java file and the old version of the function is called "getDigestHashOldFunnyHexEncode".

Thank you Scott! And thank you Adam for answering the question about salting.

- Grant
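
The encoding difference described in the post above, as an added example that is not part of the thread or of OFBiz's own code. The byte mapping is inferred from the two hashes quoted for "ofbiz" (bytes of 0x80 and above become 0x17F minus the byte) and should be confirmed against getDigestHashOldFunnyHexEncode in your own HashCrypt.java; the function names and the UTF-8 password encoding are assumptions.

```python
import hashlib
import hmac

# Sample values quoted in the thread for the password "ofbiz".
OLD_HEX = "47ca69ebb4bdc9ae0adec130880165d2cc05db1a"
STD_HEX = "47B56994CBC2B6D10AA1BE30F70165ADB305A41A"


def swap_encoding(hex_digest: str) -> str:
    """Convert between standard and legacy hex (the mapping is its own inverse).

    Inferred rule: a byte below 0x80 is unchanged; a byte b >= 0x80 (negative
    as a signed Java byte) becomes 0x17F - b, i.e. 127 + abs(signed value).
    """
    raw = bytes.fromhex(hex_digest)
    return bytes(b if b < 0x80 else 0x17F - b for b in raw).hex()


def legacy_hash(password: str) -> str:
    """SHA-1 of the password, hex-encoded the way the old instance stores it."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()  # UTF-8 assumed
    return swap_encoding(digest)


def verify(password: str, stored_hex: str, legacy: bool = True) -> bool:
    """Check a login attempt against a stored hash, comparing in constant time."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    candidate = swap_encoding(digest) if legacy else digest
    return hmac.compare_digest(candidate, stored_hex.strip().lower())


if __name__ == "__main__":
    print(legacy_hash("ofbiz"))              # legacy form of SHA-1("ofbiz")
    print(swap_encoding(OLD_HEX).upper())    # stored legacy value -> standard hex
    print(verify("ofbiz", OLD_HEX), verify("ofbiz", STD_HEX, legacy=False))
```

Because the mapping is its own inverse, legacy values in the copied table can be converted to standard SHA-1 hex without knowing the passwords, after which the .NET side can compare against an ordinary SHA-1 hex digest.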
