SHA1 cracked .... What are the chances this will be addressed in LC?
Peter TB Brett
peter.brett at livecode.com
Tue Mar 7 11:04:58 EST 2017
On 07/03/2017 15:28, Bob Sneidar via use-livecode wrote:
> Thanks Peter. But then how will I know programmatically if the password is correct or not?
Hi Bob,
Here's a worked example of what I'm talking about.
Peter
---------------------------------------------------------
/* Compute a hash-based message authentication code
using the SHA-1 hash. This is broken; it should correctly
follow RFC 2104. */
private function hmacSha1 pKey, pMessage
return sha1digest(pKey & sha1digest(pKey & pMessage))
end hmacSha1
/* Generate a 160-bit salt value suitable for use when
storing a password */
private function generateSalt
return randomBytes(20)
end generateSalt
/* Convert the specified cleartext password string to a
secure string suitable for storage using the specified
salt, which should be a base 64-encoded string. */
private function securePassword pPasswordString, pSaltData
local tPasswordData
put textEncode(pPasswordString, "UTF-8") into tPasswordData
return base64Encode(pSaltData) & comma & \
base64Encode(hmacSha1(pSaltData, tPasswordData))
end securePassword
/* Get the salt part of a secured password string */
private function getSecurePasswordSalt pSecurePassword
return base64Decode(item 1 of pSecurePassword)
end getSecurePasswordSalt
/* Store a new password. Use this when a user creates
a new account or changes their password for any reason */
function storePassword pPasswordString
return securePassword(pPasswordString, generateSalt())
end storePassword
/* Verify a password. Use this when a user tries to log
in. Returns true if the password is correct and false
otherwise. */
function verifyPassword pPasswordString, pSecurePassword
local tSaltData, tTrialString
put getSecurePasswordSalt(pSecurePassword) into tSaltData
put securePassword(pPasswordString, tSaltData) into tTrialString
return tTrialString is pSecurePassword
end verifyPassword
---------------------------------------------------------
private command _testAssert pDesc, pCondition
if pCondition then
put "ok -" && pDesc & return after msg
else
put "not ok -" && pDesc & return after msg
end if
end _testAssert
command _testPasswordDemo
local tSecured
put storePassword("correct horse battery staple") into tSecured
put "# Stored:" && tSecured & return into msg
_testAssert "bad password", \
not verifyPassword("hunter2", tSecured)
_testAssert "good password", \
verifyPassword("correct horse battery staple", tSecured)
end _testPasswordDemo
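The same salt-plus-HMAC store/verify scheme rendered in Python, as an added example that is not part of Peter's message and not LiveCode code. Two things differ from the listing above, on purpose: the hmacSha1 placeholder is replaced by an HMAC-SHA1 that actually follows RFC 2104 (key padded to the 64-byte block, ipad/opad, nested SHA-1), and the final `is` comparison is replaced by a constant-time one. Function names mirror the LiveCode ones and the stored format (base64 salt, comma, base64 tag) is unchanged; `matches_stdlib` is a helper added here only to cross-check the hand-written HMAC against Python's `hmac` module.

```python
import base64
import hashlib
import hmac
import os

BLOCK_SIZE = 64  # SHA-1 block size in bytes, as RFC 2104 requires


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA1 as specified in RFC 2104.

    K' is the key zero-padded to the block size (hashed first if it is
    longer than a block); the tag is
    H((K' xor opad) || H((K' xor ipad) || message)).
    """
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + message).digest()
    return hashlib.sha1(opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    # Cross-check helper (added here): compare against the standard library.
    return hmac.compare_digest(
        hmac_sha1(key, message), hmac.new(key, message, hashlib.sha1).digest()
    )


def generate_salt() -> bytes:
    # 160-bit salt from the OS CSPRNG, the counterpart of randomBytes(20)
    return os.urandom(20)


def secure_password(password: str, salt: bytes) -> str:
    # Same storage format as the LiveCode version: base64(salt),base64(tag)
    tag = hmac_sha1(salt, password.encode("utf-8"))
    return (base64.b64encode(salt).decode("ascii") + "," +
            base64.b64encode(tag).decode("ascii"))


def get_salt(secured: str) -> bytes:
    return base64.b64decode(secured.split(",", 1)[0])


def store_password(password: str) -> str:
    return secure_password(password, generate_salt())


def verify_password(password: str, secured: str) -> bool:
    trial = secure_password(password, get_salt(secured))
    # Constant-time comparison, so a wrong guess takes the same time
    # regardless of how many leading bytes of the tag happened to match.
    return hmac.compare_digest(trial, secured)


if __name__ == "__main__":
    stored = store_password("correct horse battery staple")
    print("# Stored:", stored)
    print("ok - bad password" if not verify_password("hunter2", stored)
          else "not ok - bad password")
    print("ok - good password"
          if verify_password("correct horse battery staple", stored)
          else "not ok - good password")
```

The structure (random per-user salt, keyed tag, salt stored next to the tag, recompute-and-compare on login) is what the listing above is demonstrating. Note that HMAC-SHA1 is fast by design; for storing real passwords the same flow is normally run with a deliberately slow derivation such as `hashlib.pbkdf2_hmac` in place of the single HMAC.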