Fwd: Using OSCommerce Encrypted Password in OfBiz


Fwd: Using OSCommerce Encrypted Password in OfBiz

Vince Clark
Originally posted on dev.

Follow up question to Joel's original post. Do any of you security or encryption gurus out there know if pw's encrypted using MD5 in osCommerce should "automagically" work using MD5 encryption in OfBiz?

We imported the encrypted pw and switched security.properties to use MD5 instead of SHA. The pw's do not work.

Vince Clark
Global Era
The Freedom of Open Source
[hidden email]
(303) 493-6723

----- Forwarded Message -----
From: "Jacques Le Roux" <[hidden email]>
To: [hidden email]
Sent: Thursday, November 1, 2007 12:46:42 AM (GMT-0700) America/Chihuahua
Subject: Re: Using OSCommerce Encrypted Password in OfBiz

Please use user ML for such questions http://docs.ofbiz.org/display/OFBADMIN/Mailing+Lists 

Check password.encrypt.hash.type in security.properties, it's SHA by default

Jacques

From: "Joel Blouin" <[hidden email]>

> We have over 60000 customers in OSCommerce that we imported into OfBiz along
> with their existing MD5 encrypted passwords, so they can login with their
> current password. The import was the easy part. We configured OfBiz to
> use the same salt and MD5 encryption as OSCommerce, but the passwords do not
> work. What did we miss? Any guidance on this is greatly appreciated.

Re: Using OSCommerce Encrypted Password in OfBiz

Jacques Le Roux
Administrator
AFAIK MD5 is MD5 (but I'm far from being an encryption guru ;o). Perhaps osCommerce MD5 is salted (or the peculiar data that you
import)? (OFBiz's MD5 is not yet salted, should be - soon? - though)

Jacques

----- Original Message -----
From: "Vince M. Clark" <[hidden email]>
To: "user" <[hidden email]>
Sent: Thursday, November 1, 2007 14:57
Subject: Fwd: Using OSCommerce Encrypted Password in OfBiz




Re: Using OSCommerce Encrypted Password in OfBiz

jonwimp
Check the length of the password hash in osCommerce. It could be 35
characters, 2 characters longer than MD5's 32 (with a ":" in between).

Next, look into the osCommerce password-generating code. I believe
osCommerce password hashes are salted.

There's no way you can easily reverse-engineer those salted hashes into
plain MD5 hashes. That's the whole point of salting! To prevent an easy
dictionary attack.

(Note that the salt has to be added BEFORE the MD5 hashing, or you'll
end up with <normal_MD5_hash><some_silly_extra_salt_in_plain_view>. In
that case, you can just chop off the appended unmixed salt and do a
dictionary attack. I don't think the osCommerce salting is that silly.
So, remember the simple cooking rule. Salt to taste, and mix well!)

If you have tons of money and loads of clustered computers, you could
attempt to undo those salted hashes. Or... if you have a quantum
computer... who knows? :)

Jonathon

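The hash layout Jonathon describes, as an added example that is not part of the original thread and is not osCommerce or OFBiz code. It builds and checks the 35-character "md5:salt" string, shows why an unsalted MD5 check (which is all that switching password.encrypt.hash.type to MD5 gave, since the thread says OFBiz's MD5 was not salted at the time) can never match an imported value, and contrasts a salt mixed in before hashing with the "salt appended in plain view" variant. Assumptions: the digest is MD5(salt + password) with a two-hex-character salt, which is what osCommerce 2.x's tep_encrypt_password() produces; confirm against your own installation's password_funcs.php before relying on it. Python is used for brevity; the same logic would go into OFBiz's Java password check.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Optional, Tuple

# Added example, not osCommerce or OFBiz code. Layout as described in the
# thread: 32 hex characters of MD5, a ':' and a 2-character salt, 35 in total.
# Assumption: the digest is MD5(salt + password), i.e. the salt is mixed in
# BEFORE hashing, as osCommerce 2.x's tep_encrypt_password() does; confirm
# against your installation's password_funcs.php.

HEX = set(string.hexdigits)


def oscommerce_encrypt(plain: str, salt: Optional[str] = None) -> str:
    """Return an osCommerce-style 'md5hex:salt' string with a per-record salt."""
    if salt is None:
        salt = secrets.token_hex(1)  # two hex characters, one salt per record
    if len(salt) != 2:
        raise ValueError("osCommerce salts are exactly 2 characters")
    digest = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def is_oscommerce_hash(stored: str) -> bool:
    """Cheap shape check: 35 chars, ':' at index 32, 32 hex chars before it."""
    return (len(stored) == 35 and stored[32] == ":"
            and all(c in HEX for c in stored[:32]))


def parse_oscommerce_hash(stored: str) -> Tuple[str, str]:
    """Split 'digest:salt', rejecting anything that is not that shape."""
    if not is_oscommerce_hash(stored):
        raise ValueError("not a 35-character osCommerce 'md5:salt' string")
    return stored[:32].lower(), stored[33:]


def oscommerce_validate(plain: str, stored: str) -> bool:
    """Recompute MD5(salt + plain) and compare in constant time."""
    digest, salt = parse_oscommerce_hash(stored)
    candidate = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def unsalted_md5_matches(plain: str, stored: str) -> bool:
    """An unsalted MD5 check, which is all an OFBiz MD5 hash type gave at the
    time (the thread says OFBiz's MD5 was not salted; the exact comparison is
    assumed here). It can never equal an imported 'md5:salt' value."""
    return hmac.compare_digest(hashlib.md5(plain.encode("utf-8")).hexdigest(), stored)


# The 'silly' variant Jonathon warns about: salt appended AFTER hashing.
def silly_encrypt(plain: str, salt: str) -> str:
    return hashlib.md5(plain.encode("utf-8")).hexdigest() + ":" + salt


def crack_unmixed(stored: str, wordlist: List[str]) -> Optional[str]:
    """Chop off the unmixed salt and look the bare MD5 up in one precomputed
    table that serves every record in the database."""
    table = {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return table.get(stored.split(":", 1)[0])


def crack_mixed(stored: str, wordlist: List[str]) -> Optional[str]:
    """With the salt mixed in, the wordlist must be re-hashed per salt; no
    shared table. A 2-hex-char salt only multiplies that work by 256, though."""
    digest, salt = parse_oscommerce_hash(stored)
    for w in wordlist:
        if hmac.compare_digest(hashlib.md5((salt + w).encode("utf-8")).hexdigest(), digest):
            return w
    return None


if __name__ == "__main__":
    # Constructed sample values, not from any real store.
    stored = oscommerce_encrypt("correct horse", salt="a3")
    print(stored, len(stored))                              # <32 hex>:a3 35
    print(oscommerce_validate("correct horse", stored))     # True
    print(unsalted_md5_matches("correct horse", stored))    # False (the import failure)
    words = ["password", "letmein", "correct horse"]
    print(crack_unmixed(silly_encrypt("letmein", "a3"), words))  # letmein
    print(crack_mixed(stored, words))                            # correct horse
```

Note the caveat in crack_mixed: a two-character hex salt has only 256 values and MD5 is fast, so salting of this kind defeats shared precomputed tables but does nothing against a per-account guess. Treat imported values as legacy data to be replaced, not as a long-term storage format.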


Re: Using OSCommerce Encrypted Password in OfBiz

Vince Clark
Thank you Jonathon. Your information is very helpful.



----- Original Message -----
From: "Jonathon -- Improov" <[hidden email]>
To: [hidden email]
Sent: Thursday, November 1, 2007 9:58:00 AM (GMT-0700) America/Denver
Subject: Re: Using OSCommerce Encrypted Password in OfBiz



Re: Using OSCommerce Encrypted Password in OfBiz

Vince Clark
In reply to this post by jonwimp
pw has a : with two more characters. So it is salted.

Is it possible to use the same salt in OfBiz as was used in osCommerce? Is it as simple as bring over a key or is there code to write?




Re: Using OSCommerce Encrypted Password in OfBiz

David E Jones

The trick is that in OFBiz we haven't decided on a salt string for
the entire server (or per database) or a salt string per record.

Per server is probably adequate, IMO, and then it would just sit in a
config file.

Either way it hasn't been coded up (that I'm aware of anyway) so you'd
have to make a small code change, should be pretty trivial though
(like an hour to implement and test the whole thing, including the
config file).

-David


On Nov 1, 2007, at 12:08 PM, Vince M. Clark wrote:

> pw has a : with two more characters. So it is salted.
>
> Is it possible to use the same salt in OfBiz as was used in  
> osCommerce? Is it as simple as bring over a key or is there code to  
> write?



Re: Using OSCommerce Encrypted Password in OfBiz

jonwimp
In reply to this post by Vince Clark
Vince,

You could refactor the "password generating and checking" portions of
OFBiz into a pluggable structure, so that you can plug-in any custom
methods for password handling.

Yes, it is possible to use the same salt and same hashes in OFBiz. Just
make sure you plug-in the password handling algo that is also used in
osCommerce.

You still won't be able to know what passwords those hashes translate
to. But your users (who entered those passwords) will know those
passwords. If they enter those passwords into OFBiz, and your OFBiz has
the correct password handling plug-in, OFBiz will be able to recognize
those passwords entered.

Jonathon

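One way to wire the pluggable password-checking layer Jonathon suggests, and to reconcile it with David's note that OFBiz had no salt handling yet, as an added example that is not OFBiz's code. Nothing from osCommerce needs to be linked in: the primitive is plain MD5, available in any Java or Python runtime. Each stored value is dispatched to the verifier for its format, so imported "md5:salt" rows and the store's current scheme coexist in one table. The example goes one step beyond the thread: on a successful login against a legacy row the password is re-hashed under the current scheme, because that is the only moment the plaintext is in hand, so the MD5 rows age out without the forced reset BJ proposes as plan B below. Assumptions: the osCommerce digest is MD5(salt + password); the "current" scheme is this example's own PBKDF2-SHA256 string "pbkdf2$<iterations>$<salt>$<hex>", not OFBiz's on-disk format; PasswordStore is a stand-in for the UserLogin table.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Added example, not OFBiz or osCommerce code. A registry of per-format
# verifiers plus transparent upgrade on first successful login.
# Assumptions: osCommerce digest = MD5(salt + password); the current scheme is
# this example's own "pbkdf2$<iterations>$<salt>$<hex>", not OFBiz's format.

Verifier = Callable[[str, str], bool]
VERIFIERS: Dict[str, Verifier] = {}
PBKDF2_ITERATIONS = 100_000


def register(scheme: str, verifier: Verifier) -> None:
    """Plug a verifier in for one stored-hash format (the 'pluggable' part)."""
    VERIFIERS[scheme] = verifier


def oscommerce_verify(plain: str, stored: str) -> bool:
    """Legacy check for 'md5hex:salt' rows imported from osCommerce."""
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((salt + plain).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def pbkdf2_encode(plain: str, salt: Optional[str] = None) -> str:
    """Current scheme: per-record random salt and a slow, iterated hash."""
    salt = salt if salt is not None else secrets.token_hex(16)
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"),
                             salt.encode("utf-8"), PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERATIONS, salt, dk.hex())


def pbkdf2_verify(plain: str, stored: str) -> bool:
    _, iterations, salt, digest = stored.split("$", 3)
    dk = hashlib.pbkdf2_hmac("sha256", plain.encode("utf-8"),
                             salt.encode("utf-8"), int(iterations))
    return hmac.compare_digest(dk.hex(), digest)


def detect_scheme(stored: str) -> str:
    """Route a stored value to its handler from its shape alone."""
    if stored.startswith("pbkdf2$"):
        return "pbkdf2"
    if len(stored) == 35 and stored[32] == ":":
        return "oscommerce"
    raise ValueError("unrecognised password hash format")


register("oscommerce", oscommerce_verify)
register("pbkdf2", pbkdf2_verify)


class PasswordStore:
    """In-memory stand-in for the UserLogin table; current scheme is pbkdf2."""
    CURRENT = "pbkdf2"

    def __init__(self, rows: Dict[str, str]):
        self.rows = dict(rows)
        # Verified for unknown users too, so a missing account costs the same time.
        self._dummy = pbkdf2_encode("not-a-real-password")

    def login(self, user: str, plain: str) -> bool:
        stored = self.rows.get(user)
        if stored is None:
            pbkdf2_verify(plain, self._dummy)  # no user enumeration by timing
            return False
        scheme = detect_scheme(stored)
        if not VERIFIERS[scheme](plain, stored):
            return False
        if scheme != self.CURRENT:
            # Plaintext is in hand only now: upgrade the row transparently.
            self.rows[user] = pbkdf2_encode(plain)
        return True

    def scheme_of(self, user: str) -> str:
        return detect_scheme(self.rows[user])


def make_legacy_row(plain: str, salt: str) -> str:
    """Constructed osCommerce-style row for the demo: MD5(salt+plain) ':' salt."""
    return hashlib.md5((salt + plain).encode("utf-8")).hexdigest() + ":" + salt


if __name__ == "__main__":
    # Constructed sample rows, not from any real store.
    store = PasswordStore({"joel": make_legacy_row("hunter2", "7f"),
                           "vince": pbkdf2_encode("tr0ub4dor&3")})
    print(store.scheme_of("joel"))         # oscommerce
    print(store.login("joel", "wrong"))    # False, row unchanged
    print(store.login("joel", "hunter2"))  # True
    print(store.scheme_of("joel"))         # pbkdf2
    print(store.login("nobody", "x"))      # False
```

Because the legacy verifier is only ever reached through detect_scheme, rows that never log in again stay as MD5; a report on scheme_of across the table tells you when it is safe to drop the osCommerce verifier and force a reset for the stragglers.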


Re: Using OSCommerce Encrypted Password in OfBiz

Vince Clark
Jonathon, thanks for your reply. This is consistent with what Hans has told me. We would need to plug in the osCommerce C library if we want to use existing osCommerce pw's.

David - I think your recommendation doesn't take this into consideration. We MUST be able to use existing osCommerce pw's. According to Jonathon's follow up to this post we would still have to "plug in" the osCommerce encryption algorithm in order to use any pw's already encrypted from osCommerce. I believe your solution would only address using MD5 for encrypting new values. So it still doesn't address our issue of moving users (50,000+) to a new system.

Is this correct, or are you suggesting the changes you outlined would also work with existing encrypted pw's from osCommerce?


----- Original Message -----
From: "Jonathon -- Improov" <[hidden email]>
To: [hidden email]
Sent: Thursday, November 1, 2007 9:19:10 PM (GMT-0700) America/Denver
Subject: Re: Using OSCommerce Encrypted Password in OfBiz



Re: Using OSCommerce Encrypted Password in OfBiz

BJ Freeman
I know this is a left-handed way to accomplish this.
If you have a one-time service that sends emails with a new temporary
password and then has them update their password as a security measure, you
might save yourself a lot of trouble.

Vince M. Clark sent the following on 11/5/2007 11:05 AM:



Re: Using OSCommerce Encrypted Password in OfBiz

Vince Clark
Thanks BJ. That is plan "B".

Vince Clark
Global Era
The Freedom of Open Source
[hidden email]
(303) 493-6723

----- Original Message -----
From: "BJ Freeman" <[hidden email]>
To: [hidden email]
Sent: Monday, November 5, 2007 1:32:08 PM (GMT-0700) America/Denver
Subject: Re: Using OSCommerce Encrypted Password in OfBiz

I know this is a left-handed way to accomplish this.
If you have a one-time service that sends emails with a new temporary
password and then has them update their password as a security measure, you
might save yourself a lot of trouble.



Re: Using OSCommerce Encrypted Password in OfBiz

David E Jones
In reply to this post by Vince Clark

On Nov 5, 2007, at 12:05 PM, Vince M. Clark wrote:

> Jonathon, thanks for your reply. This is consistent with what Hans  
> has told me. We would need to plug in the osCommerce C library if we  
> want to use existing osCommerce pw's.
>
> David - I think your recommendation doesn't take this into  
> consideration. We MUST be able to use existing osCommerce pw's.  
> According to Jonathon's follow up to this post we would still have  
> to "plug in" the osCommerce encryption algorithm in order to use any  
> pw's already encrypted from osCommerce. I believe your solution  
> would only address using MD5 for encrypting new values. So it still  
> doesn't address our issue of moving users (50,000+) to a new system.
>
> Is this correct, or are you suggesting the changes you outlined  
> would also work with existing encrypted pw's from osCommerce.
Yeah, I wasn't really talking about osCommerce at all. I'm certainly  
no expert in that. I've never used it, and chances are given the  
direction of my career I probably never will. If what they do is not a  
standard encryption that the Java libraries could duplicate (ie get  
the same one-way encryption result so that comparisons match with  
existing password data), then you're hosed, unless you can find  
another library that does match.

-David



Re: Using OSCommerce Encrypted Password in OfBiz

jonwimp
In reply to this post by Vince Clark
Vince,

 > Jonathon, thanks for your reply. This is consistent with what Hans has told
 > me. We would need to plug in the osCommerce C library if we want to use
 > existing osCommerce pw's.

Nowhere near that complicated. Not a C library. It's just PHP source code. All you gotta do is to
rip out the PHP code in osCommerce that deals with password handling, translate that into Java,
and plug that into an OFBiz spot that deals with password handling.

2 steps:

1. Translate osCommerce password handling algo into Java.

2. Rewire OFBiz password handling to allow for plug-ins.

... and finally, simply plug in your osCommerce password handling algo.

Step 1 could just be... 10 lines of code? No big deal at all.

Step 2's results can even be posted back into the OFBiz project. Very useful to refactor the
password handling in OFBiz to allow for plug-ins.

David Jones said:
 > If what they do is not a standard encryption that the Java libraries could
 > duplicate (ie get the same one-way encryption result so that comparisons
 > match with existing password data), then you're hosed, unless you can find
 > another library that does match.

You don't need some "standard encryption" algo. The only standard you need is the same hashing
algo used by osCommerce (MD5 in this case). Java libraries certainly deal with MD5 hashing. MD5 is
MD5, 2 correct MD5 hashing implementations cannot differ in behavior. If it's SHA you need, Java
libraries handle that too. Both hashing algos are widely popular and widely implemented by now. Do
note that there are many flavors of SHA.

As for actual password handling algos, they can be very personalized. Some may add the salt to the
end, some to the beginning, others may intersperse the salt inside the password. As long as you
get the algo (about 10 lines of PHP code in osCommerce's case), you're good to go.

Unless, of course, some anal-retentive maniac coded a 100-line block of code for password
handling in osCommerce. Last I saw, it's just about 10 lines or less.

(OT: About salting the MD5 hash, we really should get to it soon. Check out MD5 rainbow tables.
It's easier than dictionary attacks.)

 > David - I think your recommendation doesn't take this into consideration. We
 > MUST be able to use existing osCommerce pw's. According to Jonathon's follow
 > up to this post we would still have to "plug in" the osCommerce encryption
 > algorithm in order to use any pw's already encrypted from osCommerce. I
 > believe your solution would only address using MD5 for encrypting new
 > values. So it still doesn't address our issue of moving users (50,000+) to a
 > new system.

You mentioned "Plan B". I agree that seamless migration is always the preferred Plan A. Sending
out thousands of emails to ask users to reset their passwords is not a well-liked Plan A.

Jonathon



Re: Using OSCommerce Encrypted Password in OfBiz

hans_bakker
Jonathon,

As far as I can see, the MD5 program used in OSCommerce is using the
routine from PHP, which is written in 'C' and is not so easily converted
to Java. Perhaps you can? So the only way is using JNI from Java
to call this same 'C' routine.

Regards,
Hans

--
http://Antwebsystems.com : OFBiz Quality support for competitive rates.




Re: Using OSCommerce Encrypted Password in OfBiz

Michael Jensen-5
I haven't verified this in their source code, but according to this
forum thread (http://forums.digitalpoint.com/showthread.php?t=99335) they use a
simple MD5 hash with a salt.  Here's the PHP function they list:

    ////
    // This function makes a new password from a plaintext password.
    function tep_encrypt_password($plain) {
      $password = '';

      // Build a random string from ten calls to osCommerce's own
      // tep_rand() helper (defined elsewhere in the osCommerce sources).
      for ($i=0; $i<10; $i++) {
        $password .= tep_rand();
      }

      // The salt is the first two hex characters of the MD5 of that random string.
      $salt = substr(md5($password), 0, 2);

      // Stored form: MD5 of the salt prepended to the plaintext, then ':' and
      // the salt in the clear, so it can be recovered again at validation time.
      // The salt is mixed in BEFORE hashing; the trailing ':salt' is only storage.
      $password = md5($salt . $plain) . ':' . $salt;

      return $password;
    }

Are their entries in the database similar to this? -
0d599f0ec05c3bda8c3b8a68c32a1b47:12
If so, it should be easy to duplicate their method of salting/hashing.

Mike
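Jonathon's step 1 (port the osCommerce algorithm to Java) applied to the PHP function above, as an added example that is not code from osCommerce, OFBiz or any poster: it produces the stored form hex(md5(salt + plain)) + ":" + salt and validates a candidate password against it, rejecting anything that is not exactly the 35-character salted layout. The class and method names are hypothetical, and the shop's form-input charset is assumed to be UTF-8 (PHP's md5() hashes raw bytes, so the charset must match what the PHP side used).

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Hypothetical Java port of the osCommerce password format (added example,
 * not osCommerce or OFBiz code). Stored value: hex(md5(salt + plain)) + ":" + salt,
 * where salt is two hex characters taken from the MD5 of a random string.
 */
public final class OsCommercePasswordHash {

    // Assumption: the PHP shop received form input as UTF-8. Change this if the
    // osCommerce installation used ISO-8859-1, or non-ASCII passwords will not match.
    private static final Charset SHOP_CHARSET = StandardCharsets.UTF_8;
    private static final SecureRandom RNG = new SecureRandom();
    private static final int MD5_HEX_LEN = 32;
    private static final int SALT_LEN = 2;

    private OsCommercePasswordHash() {}

    /** Lower-case hex MD5 of the string's bytes, mirroring PHP's md5(). */
    static String md5Hex(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes(SHOP_CHARSET));
            StringBuilder sb = new StringBuilder(MD5_HEX_LEN);
            for (byte b : digest) {
                sb.append(Character.forDigit((b >> 4) & 0xf, 16));
                sb.append(Character.forDigit(b & 0xf, 16));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 is required in every Java SE runtime", e);
        }
    }

    /** Port of tep_encrypt_password(): fresh two-character salt, mixed in before hashing. */
    public static String encryptPassword(String plain) {
        // Ten random numbers concatenated, standing in for the ten tep_rand() calls.
        StringBuilder seed = new StringBuilder();
        for (int i = 0; i < 10; i++) {
            seed.append(RNG.nextInt(Integer.MAX_VALUE));
        }
        String salt = md5Hex(seed.toString()).substring(0, SALT_LEN);
        return hashWithSalt(plain, salt);
    }

    /** Deterministic form: the same input and salt always give the same stored value. */
    static String hashWithSalt(String plain, String salt) {
        return md5Hex(salt + plain) + ":" + salt;
    }

    /**
     * Validates a plaintext against a stored osCommerce value. Anything that is not
     * "<32 hex>:<2 chars>" is rejected outright, so an unsalted or foreign hash can
     * never verify by accident; the digests are compared in constant time.
     */
    public static boolean validatePassword(String plain, String stored) {
        if (plain == null || stored == null) {
            return false;
        }
        if (stored.length() != MD5_HEX_LEN + 1 + SALT_LEN || stored.charAt(MD5_HEX_LEN) != ':') {
            return false;
        }
        String expected = stored.substring(0, MD5_HEX_LEN).toLowerCase();
        String salt = stored.substring(MD5_HEX_LEN + 1);
        String actual = md5Hex(salt + plain);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                     actual.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample password; the stored value differs on every run because the salt is random.
        String stored = encryptPassword("correct horse");
        System.out.println(stored);                                                   // <32 hex>:<2 chars>
        System.out.println(validatePassword("correct horse", stored));                // true
        System.out.println(validatePassword("wrong horse", stored));                  // false
        System.out.println(validatePassword("correct horse", stored.substring(0, MD5_HEX_LEN))); // false: salt missing
    }
}
```

Because a two-character salt over MD5 gives little protection (Jonathon's rainbow-table remark applies), a migration would normally use this only to accept the legacy value once and then rehash the password into OFBiz's own scheme on that first successful login.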


Hans Bakker wrote:

> Jonathon,
>
> As far as I can see the MD5 program used in OSCommerce is using the
> routine from php which is written in 'C' and is not so easily converted
> to Java. Perhaps you can? So the only way is using the JNI from java
> using this same 'C' routine.
>
> Regards,
> Hans
>
> On Tue, 2007-11-06 at 10:43 +0800, Jonathon -- Improov wrote:
>> Vince,
>>
>>  > Jonathon, thanks for your reply. This is consistent with what Hans has told
>>  > me. We would need to plug in the osCommerce C library if we want to use
>>  > existing osCommerce pw's.
>>
>> Nowhere near that complicated. Not a C library. It's just PHP source codes. All you gotta do is to
>> rip out the PHP codes in osCommerce that deals with password handling, translate that into Java,
>> and plug that into an OFBiz spot that deals with password handling.
>>
>> 2 steps:
>>
>> 1. Translate osCommerce password handling algo into Java.
>>
>> 2. Rewire OFBiz password handling to allow for plug-ins.
>>
>> , and finally, simply plug-in your osCommerce password handling algo.
>>
>> Step 1 could just be... 10 lines of codes? No big deal at all.
>>
>> Step 2's results can even be posted back into the OFBiz project. Very useful to refactor the
>> password handling in OFBiz to allow for plug-ins.
>>
>> David Jones said:
>>  > If what they do is not a standard encryption that the Java libraries could
>>  > duplicate (ie get the same one-way encryption result so that comparisons
>>  > match with existing password data), then you're hosed, unless you can find
>>  > another library that does match.
>>
>> You don't need some "standard encryption" algo. The only standard you need is the same hashing
>> algo used by osCommerce (MD5 in this case). Java libraries certainly deal with MD5 hashing. MD5 is
>> MD5, 2 correct MD5 hashing implementations cannot differ in behavior. If it's SHA you need, Java
>> libraries handle that too. Both hashing algos are widely popular and widely implemented by now. Do
>> note that there are many flavors of SHA.
>>
>> As for actual password handling algos, they can be very personalized. Some may add the salt to the
>> end, some to the beginning, others may intersperse the salt inside the password. As long as you
>> get the algo (about 10 lines of PHP codes in osCommerce's case), you're good to go.
>>
>> Unless, of course, some anal-rententive maniac coded a 100-line block of codes for password
>> handling in osCommerce. Last I saw, it's just about 10 lines or less.
>>
>> (OT: About salting the MD5 hash, we really should get to it soon. Check out MD5 rainbow tables.
>> It's easier than dictionary attacks.)
>>
>>  > David - I think your recommendation doesn't take this into consideration. We
>>  > MUST be able to use existing osCommerce pw's. According to Jonathon's follow
>>  > up to this post we would still have to "plug in" the osCommerce encryption
>>  > algorithm in order to use any pw's already encrypted from osCommerce. I
>>  > believe your solution would only address using MD5 for encrypting new
>>  > values. So it still doesn't address our issue of moving users (50,000+) to a
>>  > new system.
>>
>> You mentioned "Plan B". I agree that seamless migration is always the preferred Plan A. Sending
>> out thousands of emails to ask users to reset their passwords is not a well-liked Plan A.
>>
>> Jonathon
>>
>> Vince M. Clark wrote:
>>> Jonathon, thanks for your reply. This is consistent with what Hans has told me. We would need to plug in the osCommerce C library if we want to use existing osCommerce pw's.
>>>
>>> David - I think your recommendation doesn't take this into consideration. We MUST be able to use existing osCommerce pw's. According to Jonathon's follow up to this post we would still have to "plug in" the osCommerce encryption algorithm in order to use any pw's already encrypted from osCommerce. I believe your solution would only address using MD5 for encrypting new values. So it still doesn't address our issue of moving users (50,000+) to a new system.
>>>
>>> Is this correct, or are you suggesting the changes you outlined would also work with existing encrypted pw's from osCommerce.
>>>
>>> Vince Clark
>>> Global Era
>>> The Freedom of Open Source
>>> [hidden email]
>>> (303) 493-6723
>>>
>>> ----- Original Message -----
>>> From: "Jonathon -- Improov" <[hidden email]>
>>> To: [hidden email]
>>> Sent: Thursday, November 1, 2007 9:19:10 PM (GMT-0700) America/Denver
>>> Subject: Re: Using OSCommerce Encrypted Password in OfBiz
>>>
>>> Vince,
>>>
>>> You could refactor the "password generating and checking" portions of
>>> OFBiz into a pluggable structure, so that you can plug-in any custom
>>> methods for password handling.
>>>
>>> Yes, it is possible to use the same salt and same hashes in OFBiz. Just
>>> make sure you plug-in the password handling algo that is also used in
>>> osCommerce.
>>>
>>> You still won't be able to know what passwords those hashes translate
>>> to. But your users (who entered those passwords) will know those
>>> passwords. If they enter those passwords into OFBiz, and your OFBiz has
>>> the correct password handling plug-in, OFBiz will be able to recognize
>>> those passwords entered.
>>>
>>> Jonathon
>>>
>>> Vince M. Clark wrote:
>>>> pw has a : with two more characters. So it is salted.
>>>>
>>>> Is it possible to use the same salt in OfBiz as was used in osCommerce? Is it as simple as bringing over a key or is there code to write?
>>>>
>>>> Vince Clark
>>>> Global Era
>>>> The Freedom of Open Source
>>>> [hidden email]
>>>> (303) 493-6723
>>>>
>>>> ----- Original Message -----
>>>> From: "Jonathon -- Improov" <[hidden email]>
>>>> To: [hidden email]
>>>> Sent: Thursday, November 1, 2007 9:58:00 AM (GMT-0700) America/Denver
>>>> Subject: Re: Using OSCommerce Encrypted Password in OfBiz
>>>>
>>>> Check the length of the password hash in osCommerce. It could be 35
>>>> characters, 2 characters longer than MD5's 32 (with a ":" in between).
>>>>
>>>> Next, look into osCommerce password-generating code. I believe
>>>> osCommerce password hashes are salted.
>>>>
>>>> There's no way you can easily reverse-engineer those salted hashes into
>>>> plain MD5 hashes. That's the whole point of salting! To prevent an easy
>>>> dictionary attack.
>>>>
>>>> (Note that the salt has to be added BEFORE the MD5 hashing, or you'll
>>>> end up with <normal_MD5_hash><some_silly_extra_salt_in_plain_view>. In
>>>> that case, you can just chop off the appended unmixed salt and do a
>>>> dictionary attack. I don't think the osCommerce salting is that silly.
>>>> So, remember the simple cooking rule. Salt to taste, and mix well!)
>>>>
>>>> If you have tons of money and loads of clustered computers, you could
>>>> attempt to undo those salted hashes. Or... if you have a quantum
>>>> computer... who knows? :)
>>>>
>>>> Jonathon
>>>>
>>>> Jacques Le Roux wrote:
>>>>
>>>>> AFAIK MD5 is MD5 (but I'm far from being an encryption guru ;o). Perhaps OScommerce MD5 is salted (or the peculiar data that you
>>>>> import) ? (OFBiz's MD5 is not yet salted, should be - soon? - though)
>>>>>
>>>>> Jacques
>>>>>
>>>>> ----- Message d'origine -----
>>>>> De : "Vince M. Clark" <[hidden email]>
>>>>> À : "user" <[hidden email]>
>>>>> Envoyé : jeudi 1 novembre 2007 14:57
>>>>> Objet : Fwd: Using OSCommerce Encrypted Password in OfBiz
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> Originally posted on dev.
>>>>>>
>>>>>> Follow up question to Joel's original post. Do any of you security or encryption gurus out there know if pw's encrypted using MD5 in osCommerce should "automagically" work using MD5 encryption in OfBiz?
>>>>>
>>>>>
>>>>>> We imported the encrypted pw and switched security.properties to use MD5 instead of SHA. The pw's do not work.
>>>>>>
>>>>>> Vince Clark
>>>>>> Global Era
>>>>>> The Freedom of Open Source
>>>>>> [hidden email]
>>>>>> (303) 493-6723
>>>>>>
>>>>>> ----- Forwarded Message -----
>>>>>> From: "Jacques Le Roux" <[hidden email]>
>>>>>> To: [hidden email]
>>>>>> Sent: Thursday, November 1, 2007 12:46:42 AM (GMT-0700) America/Chihuahua
>>>>>> Subject: Re: Using OSCommerce Encrypted Password in OfBiz
>>>>>>
>>>>>> Please use user ML for such questions http://docs.ofbiz.org/display/OFBADMIN/Mailing+Lists 
>>>>>>
>>>>>> Check password.encrypt.hash.type in security.properties, it's SHA by default
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> De : "Joel Blouin" <[hidden email]>
>>>>>>
>>>>>>
>>>>>>> We have over 60000 customers in OSCommerce that we imported into OfBiz along
>>>>>>> with their existing MD5 encrypted passwords, so they can login with their
>>>>>>> current password. The import was the easy part. We configured OfBiz to
>>>>>>> use the same salt and MD5 encryption as OSCommerce, but the passwords do not
>>>>>>> work. What did we miss? Any guidance on this is greatly appreciated.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Joel
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> No virus found in this incoming message.
>>>> Checked by AVG Free Edition.
>>>> Version: 7.5.503 / Virus Database: 269.15.18/1104 - Release Date: 11/1/2007 6:47 PM
>>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> No virus found in this incoming message.
>>> Checked by AVG Free Edition.
>>> Version: 7.5.503 / Virus Database: 269.15.21/1110 - Release Date: 11/4/2007 9:37 PM
>>

--
Millcreek Systems, Inc.
P.O. Box 9835
Salt Lake City, Utah 84109
Phone: 801.649.4903
Skype: millcreeksys (http://millcreeksys.com/skype/)

RE: Using OSCommerce Encrypted Password in OfBiz

SkipDever
In reply to this post by hans_bakker
Hans

Is the C source available?  If so, it should be easily translatable.

Skip

-----Original Message-----
From: Hans Bakker [mailto:[hidden email]]
Sent: Monday, November 05, 2007 7:02 PM
To: [hidden email]
Subject: Re: Using OSCommerce Encrypted Password in OfBiz


Jonathon,

As far as I can see the MD5 program used in OSCommerce is using the
routine from PHP which is written in 'C' and is not so easily converted
to Java. Perhaps you can? So the only way is using the JNI from Java
using this same 'C' routine.

Regards,
Hans

On Tue, 2007-11-06 at 10:43 +0800, Jonathon -- Improov wrote:

> Vince,
>
>  > Jonathon, thanks for your reply. This is consistent with what Hans has told
>  > me. We would need to plug in the osCommerce C library if we want to use
>  > existing osCommerce pw's.
>
> Nowhere near that complicated. Not a C library. It's just PHP source code. All you gotta do is to
> rip out the PHP code in osCommerce that deals with password handling, translate that into Java,
> and plug that into an OFBiz spot that deals with password handling.
>
> 2 steps:
>
> 1. Translate osCommerce password handling algo into Java.
>
> 2. Rewire OFBiz password handling to allow for plug-ins.
>
> and finally, simply plug in your osCommerce password handling algo.
>
> Step 1 could just be... 10 lines of code? No big deal at all.
>
> Step 2's results can even be posted back into the OFBiz project. Very useful to refactor the
> password handling in OFBiz to allow for plug-ins.
>
> David Jones said:
>  > If what they do is not a standard encryption that the Java libraries could
>  > duplicate (ie get the same one-way encryption result so that comparisons
>  > match with existing password data), then you're hosed, unless you can find
>  > another library that does match.
>
> You don't need some "standard encryption" algo. The only standard you need is the same hashing
> algo used by osCommerce (MD5 in this case). Java libraries certainly deal with MD5 hashing. MD5 is
> MD5, 2 correct MD5 hashing implementations cannot differ in behavior. If it's SHA you need, Java
> libraries handle that too. Both hashing algos are widely popular and widely implemented by now. Do
> note that there are many flavors of SHA.
>
> As for actual password handling algos, they can be very personalized. Some may add the salt to the
> end, some to the beginning, others may intersperse the salt inside the password. As long as you
> get the algo (about 10 lines of PHP code in osCommerce's case), you're good to go.
>
> Unless, of course, some anal-retentive maniac coded a 100-line block of code for password
> handling in osCommerce. Last I saw, it's just about 10 lines or less.
>
> (OT: About salting the MD5 hash, we really should get to it soon. Check out MD5 rainbow tables.
> It's easier than dictionary attacks.)
>
>  > David - I think your recommendation doesn't take this into consideration. We
>  > MUST be able to use existing osCommerce pw's. According to Jonathon's follow
>  > up to this post we would still have to "plug in" the osCommerce encryption
>  > algorithm in order to use any pw's already encrypted from osCommerce. I
>  > believe your solution would only address using MD5 for encrypting new
>  > values. So it still doesn't address our issue of moving users (50,000+) to a
>  > new system.
>
> You mentioned "Plan B". I agree that seamless migration is always the preferred Plan A. Sending
> out thousands of emails to ask users to reset their passwords is not a well-liked Plan A.
>
> Jonathon
>
> Vince M. Clark wrote:
> > Jonathon, thanks for your reply. This is consistent with what Hans has told me. We would need to plug in the osCommerce C library if we want to use existing osCommerce pw's.
> >
> > David - I think your recommendation doesn't take this into consideration. We MUST be able to use existing osCommerce pw's. According to Jonathon's follow up to this post we would still have to "plug in" the osCommerce encryption algorithm in order to use any pw's already encrypted from osCommerce. I believe your solution would only address using MD5 for encrypting new values. So it still doesn't address our issue of moving users (50,000+) to a new system.
> >
> > Is this correct, or are you suggesting the changes you outlined would also work with existing encrypted pw's from osCommerce.
> >
> > Vince Clark
> > Global Era
> > The Freedom of Open Source
> > [hidden email]
> > (303) 493-6723
> >
> > ----- Original Message -----
> > From: "Jonathon -- Improov" <[hidden email]>
> > To: [hidden email]
> > Sent: Thursday, November 1, 2007 9:19:10 PM (GMT-0700) America/Denver
> > Subject: Re: Using OSCommerce Encrypted Password in OfBiz
> >
> > Vince,
> >
> > You could refactor the "password generating and checking" portions of
> > OFBiz into a pluggable structure, so that you can plug-in any custom
> > methods for password handling.
> >
> > Yes, it is possible to use the same salt and same hashes in OFBiz. Just
> > make sure you plug-in the password handling algo that is also used in
> > osCommerce.
> >
> > You still won't be able to know what passwords those hashes translate
> > to. But your users (who entered those passwords) will know those
> > passwords. If they enter those passwords into OFBiz, and your OFBiz has
> > the correct password handling plug-in, OFBiz will be able to recognize
> > those passwords entered.
> >
> > Jonathon
> >
> > Vince M. Clark wrote:
> >> pw has a : with two more characters. So it is salted.
> >>
> >> Is it possible to use the same salt in OfBiz as was used in osCommerce? Is it as simple as bringing over a key or is there code to write?
> >>
> >> Vince Clark
> >> Global Era
> >> The Freedom of Open Source
> >> [hidden email]
> >> (303) 493-6723
> >>
> >> ----- Original Message -----
> >> From: "Jonathon -- Improov" <[hidden email]>
> >> To: [hidden email]
> >> Sent: Thursday, November 1, 2007 9:58:00 AM (GMT-0700) America/Denver
> >> Subject: Re: Using OSCommerce Encrypted Password in OfBiz
> >>
> >> Check the length of the password hash in osCommerce. It could be 35
> >> characters, 2 characters longer than MD5's 32 (with a ":" in between).
> >>
> >> Next, look into osCommerce password-generating code. I believe
> >> osCommerce password hashes are salted.
> >>
> >> There's no way you can easily reverse-engineer those salted hashes into
> >> plain MD5 hashes. That's the whole point of salting! To prevent an easy
> >> dictionary attack.
> >>
> >> (Note that the salt has to be added BEFORE the MD5 hashing, or you'll
> >> end up with <normal_MD5_hash><some_silly_extra_salt_in_plain_view>. In
> >> that case, you can just chop off the appended unmixed salt and do a
> >> dictionary attack. I don't think the osCommerce salting is that silly.
> >> So, remember the simple cooking rule. Salt to taste, and mix well!)
> >>
> >> If you have tons of money and loads of clustered computers, you could
> >> attempt to undo those salted hashes. Or... if you have a quantum
> >> computer... who knows? :)
> >>
> >> Jonathon
> >>
> >> Jacques Le Roux wrote:
> >>
> >>> AFAIK MD5 is MD5 (but I'm far from being an encryption guru ;o). Perhaps OScommerce MD5 is salted (or the peculiar data that you
> >>> import) ? (OFBiz's MD5 is not yet salted, should be - soon? - though)
> >>>
> >>> Jacques
> >>>
> >>> ----- Message d'origine -----
> >>> De : "Vince M. Clark" <[hidden email]>
> >>> À : "user" <[hidden email]>
> >>> Envoyé : jeudi 1 novembre 2007 14:57
> >>> Objet : Fwd: Using OSCommerce Encrypted Password in OfBiz
> >>>
> >>>
> >>>
> >>>
> >>>> Originally posted on dev.
> >>>>
> >>>> Follow up question to Joel's original post. Do any of you security or encryption gurus out there know if pw's encrypted using MD5 in osCommerce should "automagically" work using MD5 encryption in OfBiz?
> >>>
> >>>
> >>>> We imported the encrypted pw and switched security.properties to use MD5 instead of SHA. The pw's do not work.
> >>>>
> >>>> Vince Clark
> >>>> Global Era
> >>>> The Freedom of Open Source
> >>>> [hidden email]
> >>>> (303) 493-6723
> >>>>
> >>>> ----- Forwarded Message -----
> >>>> From: "Jacques Le Roux" <[hidden email]>
> >>>> To: [hidden email]
> >>>> Sent: Thursday, November 1, 2007 12:46:42 AM (GMT-0700) America/Chihuahua
> >>>> Subject: Re: Using OSCommerce Encrypted Password in OfBiz
> >>>>
> >>>> Please use user ML for such questions http://docs.ofbiz.org/display/OFBADMIN/Mailing+Lists 
> >>>>
> >>>> Check password.encrypt.hash.type in security.properties, it's SHA by default
> >>>>
> >>>> Jacques
> >>>>
> >>>> De : "Joel Blouin" <[hidden email]>
> >>>>
> >>>>
> >>>>> We have over 60000 customers in OSCommerce that we imported into OfBiz along
> >>>>> with their existing MD5 encrypted passwords, so they can login with their
> >>>>> current password. The import was the easy part. We configured OfBiz to
> >>>>> use the same salt and MD5 encryption as OSCommerce, but the passwords do not
> >>>>> work. What did we miss? Any guidance on this is greatly appreciated.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Joel
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
>
--
http://Antwebsystems.com : OFBiz Quality support for competitive rates.




Reply | Threaded
Open this post in threaded view
|

Re: Using OSCommerce Encrypted Password in OfBiz

Walter Vaughan
Skip wrote:

> Hans
>
> Is the C source available?  If so, it should be easily translatable.

Y'all are making this harder than it is. Read the source...

http://www.webwolf.co.za/osc_xref/catalog/includes/functions/password_funcs.php.source.html#l33
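Following Walter's pointer to password_funcs.php and Jonathon's two steps (translate the osCommerce routine into Java, then plug it into OFBiz's password check), here is what that translation looks like. This is an added example written for this page; it is not code from osCommerce or from OFBiz. osCommerce stores md5(salt + password), then ':' and the two-character salt, which is why Vince sees a ':' with two more characters and why switching password.encrypt.hash.type to MD5 on its own cannot match: OFBiz's MD5 hashes the bare password, osCommerce hashes the salt prepended to it. The example assumes UTF-8 for the password bytes (PHP's md5() works on the raw bytes of the submitted string, so use whatever charset the storefront served its forms in); the verifyAndUpgrade method and its newHash parameter are placeholders for wherever the OFBiz login code ends up calling this and are not OFBiz APIs.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.function.Function;

/**
 * Java port of osCommerce's tep_validate_password() / tep_encrypt_password()
 * (catalog/includes/functions/password_funcs.php).
 *
 * Stored form: <32 hex chars of md5(salt . plain)>:<2-char salt>
 * That is 35 characters: the salt is mixed in BEFORE hashing and then
 * appended in the clear so the verifier can recover it.
 */
public final class OsCommercePassword {

    /*
     * PHP's md5() hashes the raw bytes of the submitted string, so the Java
     * side must encode the password with the charset the osCommerce
     * storefront used. UTF-8 is an assumption here; only non-ASCII
     * passwords are affected if this is wrong.
     */
    private static final Charset STORE_CHARSET = StandardCharsets.UTF_8;
    private static final SecureRandom RNG = new SecureRandom();

    private OsCommercePassword() {}

    /** Lower-case hex MD5 of the string's bytes, matching PHP md5(). */
    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(STORE_CHARSET));
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) {
                sb.append(Character.forDigit((b >> 4) & 0xF, 16));
                sb.append(Character.forDigit(b & 0xF, 16));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Equivalent of tep_validate_password($plain, $encrypted). */
    public static boolean validate(String plain, String stored) {
        if (plain == null || plain.isEmpty() || stored == null || stored.isEmpty()) {
            return false;
        }
        // explode(':', $encrypted) must yield exactly two parts: hash and salt
        String[] parts = stored.split(":", -1);
        if (parts.length != 2) {
            return false;
        }
        String expected = parts[0];
        String salt = parts[1];
        // PHP: md5($salt . $plain) == $stack[0]; compared in constant time here
        byte[] a = md5Hex(salt + plain).getBytes(StandardCharsets.US_ASCII);
        byte[] b = expected.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(a, b);
    }

    /** Equivalent of tep_encrypt_password($plain): two-char salt, md5, ":salt". */
    public static String encrypt(String plain) {
        // osCommerce takes two hex chars of md5() over ten tep_rand() values;
        // two hex chars from a CSPRNG give the same 256-value salt space.
        byte[] r = new byte[1];
        RNG.nextBytes(r);
        String salt = String.format("%02x", r[0] & 0xFF);
        return md5Hex(salt + plain) + ":" + salt;
    }

    /** True when a stored value is still in the imported osCommerce format. */
    public static boolean isLegacy(String stored) {
        return stored != null && stored.length() == 35 && stored.charAt(32) == ':';
    }

    /**
     * Login-time upgrade (placeholder hook, not an OFBiz API): if the legacy
     * hash verifies, return the password re-hashed with whatever the new
     * system uses (supplied by the caller, e.g. OFBiz's configured hash type),
     * otherwise null. The caller stores the returned value so the account
     * leaves the MD5 scheme after one successful login.
     */
    public static String verifyAndUpgrade(String plain, String stored, Function<String, String> newHash) {
        if (!validate(plain, stored)) {
            return null;
        }
        return newHash.apply(plain);
    }

    public static void main(String[] args) {
        // round trip on a constructed password, to exercise the format locally
        String stored = encrypt("correct horse");
        System.out.println(stored);
        System.out.println("legacy format: " + isLegacy(stored));
        System.out.println("right password: " + validate("correct horse", stored));
        System.out.println("wrong password: " + validate("wrong horse", stored));
    }
}
```

Wiring it in: for records still in the 35-character legacy format, call validate() at login and, on success, store the password re-hashed with OFBiz's configured algorithm so each account leaves MD5 after its first successful login; new accounts never need encrypt(), which is only there so the round trip can be exercised. If a batch of imported users still fails to verify, check the charset first, then confirm the import did not upper-case or truncate the 35-character value.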

Re: Using OSCommerce Encrypted Password in OfBiz

hans_bakker
In reply to this post by jonwimp
Jonathon,

As far as I can see the MD5 program used in OSCommerce is using the
routine from PHP which is written in 'C' and is not so easily converted
to Java. Perhaps you can? So the only way is using the JNI from Java
using this same 'C' routine.

Regards,
Hans

On Tue, 2007-11-06 at 10:43 +0800, Jonathon -- Improov wrote:

> Vince,
>
>  > Jonathon, thanks for your reply. This is consistent with what Hans has told
>  > me. We would need to plug in the osCommerce C library if we want to use
>  > existing osCommerce pw's.
>
> Nowhere near that complicated. Not a C library. It's just PHP source code. All you gotta do is to
> rip out the PHP code in osCommerce that deals with password handling, translate that into Java,
> and plug that into an OFBiz spot that deals with password handling.
>
> 2 steps:
>
> 1. Translate osCommerce password handling algo into Java.
>
> 2. Rewire OFBiz password handling to allow for plug-ins.
>
> and finally, simply plug in your osCommerce password handling algo.
>
> Step 1 could just be... 10 lines of code? No big deal at all.
>
> Step 2's results can even be posted back into the OFBiz project. Very useful to refactor the
> password handling in OFBiz to allow for plug-ins.
>
> David Jones said:
>  > If what they do is not a standard encryption that the Java libraries could
>  > duplicate (ie get the same one-way encryption result so that comparisons
>  > match with existing password data), then you're hosed, unless you can find
>  > another library that does match.
>
> You don't need some "standard encryption" algo. The only standard you need is the same hashing
> algo used by osCommerce (MD5 in this case). Java libraries certainly deal with MD5 hashing. MD5 is
> MD5, 2 correct MD5 hashing implementations cannot differ in behavior. If it's SHA you need, Java
> libraries handle that too. Both hashing algos are widely popular and widely implemented by now. Do
> note that there are many flavors of SHA.
>
> As for actual password handling algos, they can be very personalized. Some may add the salt to the
> end, some to the beginning, others may intersperse the salt inside the password. As long as you
> get the algo (about 10 lines of PHP code in osCommerce's case), you're good to go.
>
> Unless, of course, some anal-retentive maniac coded a 100-line block of code for password
> handling in osCommerce. Last I saw, it's just about 10 lines or less.
>
> (OT: About salting the MD5 hash, we really should get to it soon. Check out MD5 rainbow tables.
> It's easier than dictionary attacks.)
>
>  > David - I think your recommendation doesn't take this into consideration. We
>  > MUST be able to use existing osCommerce pw's. According to Jonathon's follow
>  > up to this post we would still have to "plug in" the osCommerce encryption
>  > algorithm in order to use any pw's already encrypted from osCommerce. I
>  > believe your solution would only address using MD5 for encrypting new
>  > values. So it still doesn't address our issue of moving users (50,000+) to a
>  > new system.
>
> You mentioned "Plan B". I agree that seamless migration is always the preferred Plan A. Sending
> out thousands of emails to ask users to reset their passwords is not a well-liked Plan A.
>
> Jonathon
>
> Vince M. Clark wrote:
> > Jonathon, thanks for your reply. This is consistent with what Hans has told me. We would need to plug in the osCommerce C library if we want to use existing osCommerce pw's.
> >
> > David - I think your recommendation doesn't take this into consideration. We MUST be able to use existing osCommerce pw's. According to Jonathon's follow up to this post we would still have to "plug in" the osCommerce encryption algorithm in order to use any pw's already encrypted from osCommerce. I believe your solution would only address using MD5 for encrypting new values. So it still doesn't address our issue of moving users (50,000+) to a new system.
> >
> > Is this correct, or are you suggesting the changes you outlined would also work with existing encrypted pw's from osCommerce.
> >
> > Vince Clark
> > Global Era
> > The Freedom of Open Source
> > [hidden email]
> > (303) 493-6723
> >
> > ----- Original Message -----
> > From: "Jonathon -- Improov" <[hidden email]>
> > To: [hidden email]
> > Sent: Thursday, November 1, 2007 9:19:10 PM (GMT-0700) America/Denver
> > Subject: Re: Using OSCommerce Encrypted Password in OfBiz
> >
> > Vince,
> >
> > You could refactor the "password generating and checking" portions of
> > OFBiz into a pluggable structure, so that you can plug-in any custom
> > methods for password handling.
> >
> > Yes, it is possible to use the same salt and same hashes in OFBiz. Just
> > make sure you plug-in the password handling algo that is also used in
> > osCommerce.
> >
> > You still won't be able to know what passwords those hashes translate
> > to. But your users (who entered those passwords) will know those
> > passwords. If they enter those passwords into OFBiz, and your OFBiz has
> > the correct password handling plug-in, OFBiz will be able to recognize
> > those passwords entered.
> >
> > Jonathon
> >
> > Vince M. Clark wrote:
> >> pw has a : with two more characters. So it is salted.
> >>
> >> Is it possible to use the same salt in OfBiz as was used in osCommerce? Is it as simple as bringing over a key or is there code to write?
> >>
> >> Vince Clark
> >> Global Era
> >> The Freedom of Open Source
> >> [hidden email]
> >> (303) 493-6723
> >>
> >> ----- Original Message -----
> >> From: "Jonathon -- Improov" <[hidden email]>
> >> To: [hidden email]
> >> Sent: Thursday, November 1, 2007 9:58:00 AM (GMT-0700) America/Denver
> >> Subject: Re: Using OSCommerce Encrypted Password in OfBiz
> >>
> >> Check the length of the password hash in osCommerce. It could be 35
> >> characters, 2 characters longer than MD5's 32 (with a ":" in between).
> >>
> >> Next, look into osCommerce password-generating code. I believe
> >> osCommerce password hashes are salted.
> >>
> >> There's no way you can easily reverse-engineer those salted hashes into
> >> plain MD5 hashes. That's the whole point of salting! To prevent an easy
> >> dictionary attack.
> >>
> >> (Note that the salt has to be added BEFORE the MD5 hashing, or you'll
> >> end up with <normal_MD5_hash><some_silly_extra_salt_in_plain_view>. In
> >> that case, you can just chop off the appended unmixed salt and do a
> >> dictionary attack. I don't think the osCommerce salting is that silly.
> >> So, remember the simple cooking rule. Salt to taste, and mix well!)
> >>
> >> If you have tons of money and loads of clustered computers, you could
> >> attempt to undo those salted hashes. Or... if you have a quantum
> >> computer... who knows? :)
> >>
> >> Jonathon
> >>
> >> Jacques Le Roux wrote:
> >>
> >>> AFAIK MD5 is MD5 (but I'm far from being an encryption guru ;o). Perhaps OScommerce MD5 is salted (or the peculiar data that you
> >>> import) ? (OFBiz's MD5 is not yet salted, should be - soon? - though)
> >>>
> >>> Jacques
> >>>
> >>> ----- Message d'origine -----
> >>> De : "Vince M. Clark" <[hidden email]>
> >>> À : "user" <[hidden email]>
> >>> Envoyé : jeudi 1 novembre 2007 14:57
> >>> Objet : Fwd: Using OSCommerce Encrypted Password in OfBiz
> >>>
> >>>
> >>>
> >>>
> >>>> Originally posted on dev.
> >>>>
> >>>> Follow up question to Joel's original post. Do any of you security or encryption gurus out there know if pw's encrypted using MD5 in osCommerce should "automagically" work using MD5 encryption in OfBiz?
> >>>
> >>>
> >>>> We imported the encrypted pw and switched security.properties to use MD5 instead of SHA. The pw's do not work.
> >>>>
> >>>> Vince Clark
> >>>> Global Era
> >>>> The Freedom of Open Source
> >>>> [hidden email]
> >>>> (303) 493-6723
> >>>>
> >>>> ----- Forwarded Message -----
> >>>> From: "Jacques Le Roux" <[hidden email]>
> >>>> To: [hidden email]
> >>>> Sent: Thursday, November 1, 2007 12:46:42 AM (GMT-0700) America/Chihuahua
> >>>> Subject: Re: Using OSCommerce Encrypted Password in OfBiz
> >>>>
> >>>> Please use user ML for such questions http://docs.ofbiz.org/display/OFBADMIN/Mailing+Lists 
> >>>>
> >>>> Check password.encrypt.hash.type in security.properties, it's SHA by default
> >>>>
> >>>> Jacques
> >>>>
> >>>> De : "Joel Blouin" <[hidden email]>
> >>>>
> >>>>
> >>>>> We have over 60000 customers in OSCommerce that we imported into OfBiz along
> >>>>> with their existing MD5 encrypted passwords, so they can login with their
> >>>>> current password. The import was the easy part. We configured OfBiz to
> >>>>> use the same salt and MD5 encryption as OSCommerce, but the passwords do not
> >>>>> work. What did we miss? Any guidance on this is greatly appreciated.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Thanks,
> >>>>>
> >>>>> Joel
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>
> >>
> >>
> >>
> >
> >
> >
>
>
--
http://Antwebsystems.com : OFBiz Quality support for competitive rates.