-
Aug 28th, 2021, 06:07 PM
#1
[RESOLVED] Userid question
In one of my applications I used the user Security ID (SID) to create a key that was used to shuffle the user provided password. Then I hashed the result (SHA-256) to create the actual password. Then I sent the encrypted password to the server for verification.
That was all fine and dandy in VB6, but now I want to do something similar in javascript for a browser. Is there a unique variable in a browser that I can use?
J.A. Coutts
PS. javascript makes me appreciate VB6 much more. It is not easy to work with.
-
Aug 28th, 2021, 06:44 PM
#2
Re: Userid question
JS can make a person appreciate darn near anything. It's a powerful language, but powerfully weird, as well.
My usual boring signature: Nothing
-
Aug 30th, 2021, 05:33 AM
#3
Re: Userid question
So, you are looking to salt and hash the password in the browser - is that the bottom line?
Are your connections always HTTPS?
If it's about obfuscating the password in the HTTP GET/POST - I had a similar question...
https://www.vbforums.com/showthread....-POSt-over-SSL
-
Aug 31st, 2021, 09:08 AM
#4
Re: Userid question
Originally Posted by szlamany
So, you are looking to salt and hash the password in the browser - is that the bottom line?
Are your connections always HTTPS?
If it's about obfuscating the password in the HTTP GET/POST - I had a similar question...
https://www.vbforums.com/showthread....-POSt-over-SSL
By using a unique value from the logged in user, I attempted to provide some degree of protection for the connecting party's password. The password was hashed and then the hashed password was shuffled using the user SID as the key source, and stored in the registry. On the server side, the password hash was shuffled with the server's key and stored in a database. That application used encryption.
Using a browser as the client creates a whole different situation, because the script is not hidden from the hacker. For this particular application I do not want to use encryption, as it is too complex and too slow. That is why I was looking for some variable unique to the user or browser.
J.A. Coutts
-
Sep 1st, 2021, 06:29 AM
#5
Re: Userid question
Are your connections always HTTPS?
-
Sep 1st, 2021, 09:26 AM
#6
Re: Userid question
Originally Posted by szlamany
Are your connections always HTTPS?
The first application that used the Fisher-Yates shuffle was secure, but the one I am currently working on will not be. Neither are used to connect to a standard server over port 443.
J.A. Coutts
-
Sep 2nd, 2021, 12:25 PM
#7
Re: Userid question
Since anything you do in JS is done in the browser, where we have developer and debug tools, how are you going to hide the logic used to work up the password?
-
Sep 2nd, 2021, 03:58 PM
#8
Re: Userid question
Originally Posted by szlamany
Since anything you do in JS is done in the browser, where we have developer and debug tools, how are you going to hide the logic used to work up the password?
That is exactly what I said in post #4. That is why I need a fixed unique hidden value to act as a key source. In a non-browser program, I used the User SID.
J.A. Coutts
-
Sep 2nd, 2021, 04:35 PM
#9
Re: Userid question
I've used a trick of creating a GUID and then using the GUID as a "variable" name. And in this "variable" we held some kind of session token. This was not so much for security, but more or less making sure that if multiple tabs were open you could guarantee the talk back and forth was to the right client.
-
Sep 8th, 2021, 11:30 AM
#10
Re: Userid question
I believe that I have resolved the issue. When it came time to add the cookies, I realized that the expiry date was close to being unique. So I added the date/time to local storage.
J.A. Coutts
-
Sep 8th, 2021, 12:25 PM
#11
Re: Userid question
Originally Posted by couttsj
So I added the date/time to local storage.
But are you not doing that in JS where a browser debugger can see the code? If you could please explain or show some code samples that would make this thread very meaningful. If that's exposing stuff you don't want to show - I understand...
-
Sep 10th, 2021, 10:32 AM
#12
Re: Userid question
Originally Posted by szlamany
But are you not doing that in JS where a browser debugger can see the code? If you could please explain or show some code samples that would make this thread very meaningful. If that's exposing stuff you don't want to show - I understand...
I needed a fixed, unique, hidden value to use as a seed for creating a key that is used in shuffling a hash of a password plus salt. That hash is stored as a cookie. In order for a hacker to learn the password, he/she would first have to unshuffle the hash (2.631308369E+35 possible permutations), and then match the hash to the password (40,320 possible permutations for an 8-byte password). Since the hash also contains salt, the permutation count would be much higher. Because the shuffling process is exposed in the script, that process could be used to reduce the permutation count, and that is why the unique value is required.
Currently, the code exists in several separate steps, and needs to be assembled into a complete package. As I discover what can and can't be done easily in JS, I am still adjusting the individual code examples. What I can do in VB6 in minutes sometimes takes me hours in JS. If there is a particular part of the process that you are interested in, I could post that.
1. Verify scripts are enabled.
2. Load "UserName" cookie.
   2A. If not available then
       Input username.
       Create cookie and store "expires" date/time.
3. Load "Password" cookie.
   3A. If not available then
       Input password.
       Calculate hash.
       Shuffle hash.
       Create cookie.
4. If both are available
       Send to server.
J.A. Coutts
-
Sep 11th, 2021, 04:09 PM
#13
Re: [RESOLVED] Userid question
I originally used cloudflare to do the hash.
Code:
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/core.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/sha256.js"></script>
but it produced a Hex based string, and I needed a byte array. So I switched to crypto.subtle.digest. What I don't know is if this works in browsers other than Firefox. Feedback would be appreciated.
J.A. Coutts
Code:
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<script>
const text = 'password';
// Hash a string with Web Crypto: UTF-8 encode it, SHA-256 it, then
// hex-encode the 32-byte result. crypto.subtle is only exposed in a
// secure context (HTTPS or localhost).
async function digestMessage(message) {
  const msgUint8 = new TextEncoder().encode(message);                // string -> Uint8Array
  const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8); // ArrayBuffer, 32 bytes
  const hashArray = Array.from(new Uint8Array(hashBuffer));          // plain byte array
  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
  return hashHex;
}
digestMessage(text)
  .then(digestHex => alert(digestHex));
</script>
</body>
</html>
-
Sep 23rd, 2021, 12:54 PM
#14
Re: [RESOLVED] Userid question
Originally Posted by couttsj
I originally used cloudflare to do the hash.
Code:
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/core.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9/sha256.js"></script>
but it produced a Hex based string, and I needed a byte array. So I switched to crypto.subtle.digest. What I don't know is if this works in browsers other than Firefox. Feedback would be appreciated.
J.A. Coutts
Code:
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<script>
const text = 'password';
// Hash a string with Web Crypto: UTF-8 encode it, SHA-256 it, then
// hex-encode the 32-byte result. crypto.subtle is only exposed in a
// secure context (HTTPS or localhost).
async function digestMessage(message) {
  const msgUint8 = new TextEncoder().encode(message);                // string -> Uint8Array
  const hashBuffer = await crypto.subtle.digest('SHA-256', msgUint8); // ArrayBuffer, 32 bytes
  const hashArray = Array.from(new Uint8Array(hashBuffer));          // plain byte array
  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
  return hashHex;
}
digestMessage(text)
  .then(digestHex => alert(digestHex));
</script>
</body>
</html>
I was disappointed that I did not get a response to the question, but I found the answer somewhat by accident searching for something else. Current versions of Chrome, Edge, Firefox, and Opera only support crypto.subtle.digest on HTTPS. Internet Explorer and Safari support it on HTTP as well.
Not only that, Firefox V92 does not support the cloudflare.com/ajax/ alternative using HTTP. It looks like I have to find a different solution.
J.A. Coutts
Last edited by couttsj; Sep 23rd, 2021 at 01:12 PM.