Topic: Encryption Gurus? Any one?

I've come up with an interesting problem at work today and I thought someone here might have some good thoughts on this.

I have a web application that encrypts passwords using SHA1.

Now our parent company has decided that we need to connect to their site for other services that they offer that we legally can't. Their programmer and I would like to attempt a single sign-on solution so that a user will not have multiple passwords for what seems to them to be the same site.

The problem is they use DES encryption for passwords (not to mention IIS and ASP), so does anyone have an idea how I can get my current SHA-stored passwords to DES?

Off the top of my head, all I can think to do is encrypt the SHA string with DES.

Any thoughts welcomed....

"An educator never says what he himself thinks, but only that which he thinks it is good for those whom he is educating to hear."
-Nietzsche

Re: Encryption Gurus? Any one?

I thought the point of encryption was that the stored format was encrypted, so there's no plain version of the password kept anywhere. The password check is achieved by encrypting the password given and comparing it against the stored encrypted version.

Also, I fail to see how an encrypted password could be converted to an alternate encrypted format.

"UBER" means I don't drink the coffee... I chew the beans instead
             -- Copyright BSDnexus

Re: Encryption Gurus? Any one?

If they encrypt plaintext passwords with DES, I'm afraid there is no way you can convert your passwords to their format. You see, SHA1 isn't an encryption algorithm, it's a hashing algorithm. Whatever data you hash through SHA1 is destroyed; there is no way to reverse the hashing process. DES, however, is a proper encryption algorithm, which means they do practically have the plain text versions available, and do compare those.

The only option is to convert their DES-using system to your SHA1-using system (decrypt all the DES passwords, then hash them with SHA1). If their "forgotten password" feature tells the user his original password, this particular feature will no longer work at this point.
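The migration Maxlor describes, written out as an added example (not code from anyone in this thread). It assumes the partner's ASP application stores single DES in CBC mode with PKCS#7 padding and the IV in front of the ciphertext, and uses a constructed 8-byte key and sample record; the real key, mode, padding and record layout have to be confirmed against their code before this is run against their database.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// pkcs7Pad pads b to a multiple of size (padding scheme is an assumption).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// desEncrypt models the assumed partner storage: single DES, CBC mode, record
// laid out as iv||ciphertext. Used here only to construct sample records.
func desEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, des.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// desDecrypt recovers the original password: encryption is reversible for
// whoever holds the key, which is what makes the migration possible at all.
func desDecrypt(key, record []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(record) < 2*des.BlockSize || len(record)%des.BlockSize != 0 {
		return nil, errors.New("bad record length")
	}
	iv, ct := record[:des.BlockSize], record[des.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	return pkcs7Unpad(out, des.BlockSize)
}

// sha1Hex hashes a password the way the SHA1-based application stores it.
func sha1Hex(password []byte) string {
	sum := sha1.Sum(password)
	return hex.EncodeToString(sum[:])
}

// verifySHA1 checks a login by re-hashing the attempt; the stored hash is never reversed.
func verifySHA1(storedHex string, attempt []byte) bool {
	return subtle.ConstantTimeCompare([]byte(storedHex), []byte(sha1Hex(attempt))) == 1
}

// migrate turns every DES record (user -> iv||ciphertext) into a SHA1 hash; this is
// the only direction the conversion can go.
func migrate(key []byte, records map[string][]byte) (map[string]string, error) {
	out := make(map[string]string, len(records))
	for user, rec := range records {
		pw, err := desDecrypt(key, rec)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", user, err)
		}
		out[user] = sha1Hex(pw)
	}
	return out, nil
}

func main() {
	key, iv := []byte("8bytekey"), []byte("fixed_iv")  // constructed key and IV
	rec, err := desEncrypt(key, iv, []byte("hunter2")) // constructed sample record
	if err != nil {
		panic(err)
	}
	hashes, err := migrate(key, map[string][]byte{"bob": rec})
	if err != nil {
		panic(err)
	}
	fmt.Println("bob ->", hashes["bob"])
	fmt.Println("hunter2 ok:", verifySHA1(hashes["bob"], []byte("hunter2")))
	fmt.Println("wrong ok:  ", verifySHA1(hashes["bob"], []byte("wrong")))
}
```

Run it with `go run`. Note that desDecrypt refuses records whose length is not a whole number of blocks and rejects bad padding, so a wrong key or a mis-guessed record layout shows up as an error rather than as garbage being hashed into the new database. Once the plaintexts are in hand it is also worth remembering that an unsalted SHA1 of a password is still cheap to brute-force; the thread's scheme is kept here as stated, but a salted, deliberately slow password hash is what one would normally migrate to.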

Re: Encryption Gurus? Any one?

Thanks Maxlor, this gives me some ideas.

I knew SHA1 was a hash and could not be reversed - I'm pretty sure that's why it was used in the first place. I haven't worked with DES so wasn't too sure about it other than everything I'm finding says it's pretty weak.



WIntellect - I agree with everything you say and this is what I am doing with my web app, but the guys I'm going to be working with aren't too tech-savvy; they have some canned ASP app where they just change some settings in an XML file to enable and disable options. It took 3 of them to figure out how passwords were encrypted.

This should be an interesting project since up to this point the most technical question they have asked me is "what should the number for the help desk be?"

Last edited by RoddieRod (2006-08-10 18:45:34)

"An educator never says what he himself thinks, but only that which he thinks it is good for those whom he is educating to hear."
-Nietzsche

Re: Encryption Gurus? Any one?

ahah !

<wintellect> NetBSD users are smart enough to accept that there's no 3D support tongue