Results 1 to 14 of 14

Thread: [RESOLVED] Userid question

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,128

    Resolved [RESOLVED] Userid question

    In one of my applications I used the user Security ID (SID) to create a key that was used to shuffle the user provided password. Then I hashed the result (SHA-256) to create the actual password. Then I sent the encrypted password to the server for verification.

    That was all fine and dandy in VB6, but now I want to do something similar in javascript for a browser. Is there a unique variable in a browser that I can use?

    J.A. Coutts
    PS. javascript makes me appreciate VB6 much more. It is not easy to work with.

  2. #2
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    36,620

    Re: Userid question

    JS can make a person appreciate darn near anything. It's a powerful language, but powerfully weird, as well.
    My usual boring signature: Nothing

  3. #3
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,087

    Re: Userid question

    So, you are looking to salt and hash the password in the browser - is that the bottom line?

    Are your connections always HTTPS?

    If it's about obfuscating the password in the HTTP GET/POST - I had a similar question...

    https://www.vbforums.com/showthread....-POSt-over-SSL

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  4. #4

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,128

    Re: Userid question

    Quote Originally Posted by szlamany View Post
    So, you are looking to salt and hash the password in the browser - is that the bottom line?

    Are your connections always HTTPS?

    If it's about obfuscating the password in the HTTP GET/POST - I had a similar question...

    https://www.vbforums.com/showthread....-POSt-over-SSL
    By using a unique value from the logged in user, I attempted to provide some degree of protection for the connecting parties password. The password was hashed and then the hashed password was shuffled using the user SID as the key source, and stored in the registry. On the server side, the password hash was shuffled with the servers key and stored in a database. That application used encryption.

    Using a browser as the client creates a whole different situation, because the script is not hidden from the hacker. For this particular application I do not want to use encryption, as it is too complex and too slow. That is why I was looking for some variable unique to the user or browser.

    J.A. Coutts

  5. #5
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,087

    Re: Userid question

    Are your connections always HTTPS?

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  6. #6

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,128

    Re: Userid question

    Quote Originally Posted by szlamany View Post
    Are your connections always HTTPS?
    The first application that used the Fisher-Yates shuffle was secure, but the one I am currently working on will not be. Neither are used to connect to a standard server over port 443.

    J.A. Coutts

  7. #7
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,087

    Re: Userid question

    Since anything you do in JS is done in the browser, where we have developer and debug tools, how are you going to hide the logic used to work up the password?

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  8. #8

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,128

    Re: Userid question

    Quote Originally Posted by szlamany View Post
    Since anything you do in JS is done in the browser, where we have developer and debug tools, how are you going to hide the logic used to work up the password?
    That is exactly what I said in post #4. That is why I need a fixed unique hidden value to act as a key source. In a non-browser program, I used the User SID.

    J.A. Coutts

  9. #9
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,087

    Re: Userid question

    I've used a trick of creating a GUID and then using the GUID as a "variable" name. And in this "variable" we held some kind of session token. This was not so much for security, but more or less making sure that if multiple tabs were open you could guarantee the talk back and forth was to the right client.

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  10. #10

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,128

    Re: Userid question

    I believe that I have resolved the issue. When it came time to add the cookies, I realized that the expiry date was close to being unique. So I added the date/time to local storage.

    J.A. Coutts

  11. #11
    MS SQL Powerposter szlamany's Avatar
    Join Date
    Mar 2004
    Location
    CT
    Posts
    18,087

    Re: Userid question

    Quote Originally Posted by couttsj View Post
    So I added the date/time to local storage.
    But are you not doing that in JS where a browser debugger can see the code? If you could please explain or show some code samples that would make this thread very meaningful. If that's exposing stuff you don't want to show - I understand...

    *** Read the sticky in the DB forum about how to get your question answered quickly!! ***

    Please remember to rate posts! Rate any post you find helpful - even in old threads! Use the link to the left - "Rate this Post".

    Some Informative Links:
    [ SQL Rules to Live By ] [ Reserved SQL keywords ] [ When to use INDEX HINTS! ] [ Passing Multi-item Parameters to STORED PROCEDURES ]
    [ Solution to non-domain Windows Authentication ] [ Crazy things we do to shrink log files ] [ SQL 2005 Features ] [ Loading Pictures from DB ]

    MS MVP 2006, 2007, 2008

  12. #12

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,128

    Re: Userid question

    Quote Originally Posted by szlamany View Post
    But are you not doing that in JS where a browser debugger can see the code? If you could please explain or show some code samples that would make this thread very meaningful. If that's exposing stuff you don't want to show - I understand...
    I needed a fixed, unique, hidden value to use as a seed for creating a key that is used in shuffling a hash of a password plus salt. That hash is stored as a cookie. In order for a hacker to learn the password, he/she would first have to unshuffle the hash (2.631308369 E+35 possible permutations), and then match the hash to the password (40,320 possible permutations for 8 byte password). Since the hash also contains salt, the permutation count would be much higher. Because the shuffling process is exposed in the script, that process could be used to reduce the permutation count, and that is why the unique value is required.

    Currently, the code exists in several separate steps, and needs to be assembled into a complete package. As I discover what can and can't be done easily in JS, I am still adjusting the individual code examples. What I can do in VB6 in minutes sometimes takes me hours in JS. If there is a particular part of the process that you are interested in, I could post that.
    1. Verify scripts are enabled.
    2. Load "UserName" cookie.
    2A. If not Available then
    Input username
    Create cookie and store "expires" date/time
    3. Load "Password" cookie.
    3A. If not available then
    Input password.
    Calculate Hash.
    Shuffle Hash.
    Create cookie.
    4. If both are available
    Send to server.

    J.A. Coutts

  13. #13

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,128

    Re: [RESOLVED] Userid question

    I originally used cloudflare to do the hash.
    Code:
        <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/core.js"></script>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/sha256.js"></script>
    but it produced a Hex based string, and I needed a byte array. So I switched to crypto.subtle.digest. What I don't know is if this works in browsers other than Firefox. Feedback would be appreciated.

    J.A. Coutts

    Code:
    <html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
    <script>
    const text = 'password';
    
    async function digestMessage(message) {
      const msgUint8 = new TextEncoder().encode(message);
      const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8);
      const hashArray = Array.from(new Uint8Array(hashBuffer));
      const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
      return hashHex;
    }
    
    digestMessage(text)
      .then(digestHex => alert(digestHex));
    </script>
    </body>
    </html>

  14. #14

    Thread Starter
    Frenzied Member
    Join Date
    Dec 2012
    Posts
    1,128

    Re: [RESOLVED] Userid question

    Quote Originally Posted by couttsj View Post
    I originally used cloudflare to do the hash.
    Code:
        <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/core.js"></script>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/sha256.js"></script>
    but it produced a Hex based string, and I needed a byte array. So I switched to crypto.subtle.digest. What I don't know is if this works in browsers other than Firefox. Feedback would be appreciated.

    J.A. Coutts

    Code:
    <html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
    <script>
    const text = 'password';
    
    async function digestMessage(message) {
      const msgUint8 = new TextEncoder().encode(message);
      const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8);
      const hashArray = Array.from(new Uint8Array(hashBuffer));
      const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
      return hashHex;
    }
    
    digestMessage(text)
      .then(digestHex => alert(digestHex));
    </script>
    </body>
    </html>
    I was disappointed that I did not get a response to the question, but I found the answer somewhat by accident searching for something else. Current versions of Chrome, Edge, Firefox, and Opera only support crypto.subtle.digest on HTTPS. Internet Explorer and Safari support it on HTTP as well.

    Not only that, Firefox V92 does not support the cloudflare.com/ajax/ alternative using HTTP. It looks like I have to find a different solution.

    J.A. Coutts
    Last edited by couttsj; Sep 23rd, 2021 at 01:12 PM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width