on 09-19-2008 11:45 PM
We have created a Web Dynpro project to retrieve the password of a user if they forgot it. The program uses the default security question and answer attributes of the IUser object. The problem is that the security answer is encrypted in the DB. It looks like SSHA encryption, as the value of the field starts with .
Does anyone know how to decrypt the security answer?
Andrew,
Satyajit has rightly stated that SSHA is a one-way algorithm and cannot be reversed, and that you need to know the salt value to get the encrypted value of a clear text string.
Aarthi has pointed out that the same security answer for two users did not match after SSHA encryption. The reason for this disparity is that SHA1 uses a random salt each time an encryption is done. However, the salt is stored with the encrypted password as Base64-encoded data. The first 20 bytes of the encrypted string contain the actual clear text, while the later 12 bytes contain the Base64-encoded salt used for encryption.
Theoretically, you can split the encrypted string to get the salt, Base64-decode the salt and use it again to encode a clear text, and match if both are equal. Take a look at [this|http://www.securitydocs.com/library/3439] very useful article. This might help you and Aarthi both.
Vishwas.
Vishwas,
Your post has been most helpful. We feel that we are very close, but we are still not getting matching values.
value from DB: 1zhaHvjkZ1sSFxJLT8kCIlIkCsCyv/6tLyE=
value from code: OmA4GjFf9hEOCi4xxF57IwD94Sqyv/6tLyE=
The answer in this case is "red".
Here is what we did:
- Extracted the salt from the answer in the DB.
- Used the salt to digest (encode) the user input.
- Appended the salt to the digested value.
- Base64 encoded the appended value.
- Prepended to the Base64-encoded value.
You can see that the salt value is the same in each value, but the rest does not match.
Are we missing something? Do you have any additional ideas that we could try?
Thank you,
Andrew
Andrew,
Try using this approach for encryption.
Get the source string and salt as separate binary objects
Concatenate the 2 binary values
SHA hash the concatenation into SaltedPasswordHash
Base64Encode(concat(SaltedPasswordHash, Salt))
This will translate to code something like this.
import java.security.MessageDigest;
import java.util.Base64;

public String createDigest(byte[] salt, String entity) throws Exception {
    String label = "{SSHA}";
    MessageDigest sha = MessageDigest.getInstance("SHA-1");
    // Update digest object with byte array of clear text string and salt
    sha.reset();
    sha.update(entity.getBytes("UTF-8"));
    sha.update(salt);
    // Complete hash computation, this results in binary data
    byte[] pwhash = sha.digest();
    // Append the salt after the 20-byte hash, then Base64 encode both together
    byte[] out = new byte[pwhash.length + salt.length];
    System.arraycopy(pwhash, 0, out, 0, pwhash.length);
    System.arraycopy(salt, 0, out, pwhash.length, salt.length);
    return label + Base64.getEncoder().encodeToString(out);
}
and this to decrypt.
Strip the hash identifier from the Digest
Base64Decode(Digest)
Split Digest into 2 byte arrays, one for bytes 0 – 20 (pwhash), one for bytes 21 – 32 (salt)
Get the target string and salt as separate binary object
This should translate to code like this.
import java.util.Arrays;
import java.util.Base64;

public byte[][] checkDigest(String digest) {
    digest = digest.substring(6); // ignore the {SSHA} hash ID
    byte[] decoded = Base64.getDecoder().decode(digest);
    // extract the hashed data (first 20 bytes) into hash, the remainder into salt
    byte[] hash = Arrays.copyOfRange(decoded, 0, 20);
    byte[] salt = Arrays.copyOfRange(decoded, 20, decoded.length);
    return new byte[][] { hash, salt };
}
This should work. Source for this code is [this article|http://www.securitydocs.com/library/3439].
Vishwas.
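The scheme Vishwas describes in both of his replies, written out as a complete verifier; this is an added example, not code from the thread or from SAP. It assumes the stored value is {SSHA} followed by Base64(SHA-1(answer || salt) || salt), with the hash always 20 bytes and the salt whatever remains (the value Andrew quoted decodes to 26 bytes, so a 6-byte salt); the sample salt and answer are constructed.

```python
import base64
import hashlib
import hmac
import os

LABEL = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest is always 20 bytes; everything after it is the salt


def create_digest(answer: str, salt: bytes) -> str:
    """Build a stored SSHA value: {SSHA} + Base64(SHA-1(answer || salt) || salt)."""
    pwhash = hashlib.sha1(answer.encode("utf-8") + salt).digest()
    return LABEL + base64.b64encode(pwhash + salt).decode("ascii")


def split_digest(stored: str) -> tuple:
    """Return (hash, salt) from a stored SSHA value; the salt length is not fixed."""
    if not stored.startswith(LABEL):
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(stored[len(LABEL):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to hold a hash and a salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_answer(stored: str, candidate: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time.

    The stored hash is never reversed; only a fresh hash of the candidate is
    compared against it, which is the only check a one-way digest permits.
    """
    pwhash, salt = split_digest(stored)
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(pwhash, recomputed)


if __name__ == "__main__":
    # Constructed sample: a random 6-byte salt, the length found in the quoted DB value
    salt = os.urandom(6)
    stored = create_digest("red", salt)
    print(stored, verify_answer(stored, "red"), verify_answer(stored, "blue"))
```

If the salt suffix of the Base64 text matches but the first 20 bytes differ, as in Andrew's two values, the salt extraction is fine and the difference lies in what was fed to SHA-1 (byte order of answer and salt, character encoding, or hashing the Base64 text instead of the raw bytes).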
Hi,
Since it's a salted SHA you need to know the salt value. Apart from that, SSHA is a one-way hash algorithm; you cannot decrypt to get back the original string.
So what you need to do is encrypt the security answer entered by the user, hash it and then match it with the value in the database. If they match then it's a valid answer.
Regards,
Satyajit.
Hi,
I had a similar requirement...
/message/5073819#5073819 [original link is broken]
I even stored the same security answer for 2 different users, and tried to match them. They were not equal.
And there is no API like comparePassword for security answer.
Finally we opened an OSS message with SAP and they replied that it needs a new development request.
So as of now, we used a custom attribute instead of standard attribute.
-Aarthi