Thread: [RESOLVED] Insert new user into usertable using cast(aes_decrypt for MySQL to hashing

  1. #41

    Thread Starter
    Fanatic Member
    Join Date
    Mar 2024
    Posts
    874

    Ok, here is that sub using client side salted hashing.
    And Plausibly Damp, the condensed function works fine, much thanks.
    I kept the random bytes function server side.

    Will keep both client and server side in the code as examples.
    I don't need the 'allow user variables= true' but it is another code example and does not hurt anything.

    Code:
       Private Sub loadcombobox()
    
    
    
           Dim ConStrUserVar As String = frmlogonConnectstring & "Allow User Variables=True;"
           Dim conn As New MySqlConnection(ConStrUserVar)
           Dim PwordAes, PrivilAes As String
           Dim Xx As Integer = 0
           Dim hashsalt, hashpass, hashpriv, saltedhash, hashcomparepriv As String
           hashsalt = ""
           hashpass = ""
           hashpriv = ""
           hashcomparepriv = ""
    
           'to test a user for all priv, need only one!! make sure one exists.
           'load combo1 and make sure someone has all admin privileges
           Combo1.Items.Clear()
    
           Try
               Using conn
                   conn.Open()
                   Dim cmd1 As New MySqlCommand
                   cmd1.Connection = conn
                   '  cmd1.CommandText = "DROP TABLE IF EXISTS usertable"
                   '  cmd1.ExecuteNonQuery()
                   'create user table
                   ' cmd1.CommandText = "CREATE TABLE IF NOT EXISTS usertable " & "(Id INT AUTO_INCREMENT PRIMARY KEY," & "MyName VARCHAR(50) DEFAULT ''," & "Myuser VARCHAR(50) DEFAULT ''," & "password VARCHAR(50) DEFAULT ''," & "Priveliges CHAR (21) DEFAULT ''," & "UserDate DATETIME DEFAULT CURRENT_TIMESTAMP, " & "password_aes varchar(150), " & "priv_aes varchar(150), " & "salt2 varchar(20)) ENGINE = INNODB"
                   ' cmd1.ExecuteNonQuery()
    
                   ' cmd1.CommandText = "CREATE INDEX MyuserIndex On usertable(Myuser)"
                   'cmd1.ExecuteNonQuery()
    
                   'add the names to combobox as in loop till it is full from usertable
                   'need to figure out the hash for = "A11111111111111111111"  & the stored salt2 in the retrieved row
                   'will be different every time as salt2 changes for every row
                   'hash A1111111111111111 & salt2 value and compare to stored hash, if matches then someone has all privs.
    
                   cmd1.CommandText = "Select myuser, priv_aes, salt2 from usertable"
    
                   Using RDR = cmd1.ExecuteReader()
                       Do While RDR.Read
                           Combo1.Items.Add(RDR.Item("MYUser").ToString())
                           'get priv hash
                           hashpriv = RDR.Item("priv_aes").ToString()
                           hashcomparepriv = RDR.Item("salt2").ToString()
    
                           'test for one user needs to be full admin
                           hashcomparepriv = PWDhash("A11111111111111111111" & hashcomparepriv)
    
                           If hashcomparepriv = hashpriv Then Xx += 1
                       Loop
                   End Using
    
                   If Xx = 0 Then 'as in no one has all privileges
                       'Insert new user id
                       Dim MyName As String = "New"
                       MyUserID = "New"
                       pword = ""
                       priv = "" '21chars long
                       PwordAes = "New"
                       PrivilAes = "A11111111111111111111"
    
                       cmd1.CommandText = "Select Hex(RANDOM_BYTES(10))" 'this makes a string 20 chars long
                       Using RDR = cmd1.ExecuteReader()
                           If RDR.Read Then hashsalt = RDR.Item("Hex(RANDOM_BYTES(10))").ToString()
                       End Using
    
                       'append salt to create a salted hash for password
                       hashpass = PWDhash("New" & hashsalt)
    
                       'append salt to create a salted hash for privileges
                       hashpriv = PWDhash("A11111111111111111111" & hashsalt)
    
    
                       'now we have hashpass, hashpriv, hashsalt to insert into a row
                       cmd1.CommandText = "Insert into usertable (myname, myuser, password, priveliges, userdate, password_aes, priv_aes, salt2) VALUES ('New', 'New', '', '', '" & DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss") & "', '" & hashpass & "', '" & hashpriv & "', '" & hashsalt & "')"
                       cmd1.ExecuteNonQuery()
                       Combo1.Items.Add("New")
                   End If
               End Using
           Catch ex As Exception
               Dim msg = ex.ToString()
               MsgBox(msg,  , "Error")
           End Try
       End Sub

  2. #42

    Thread Starter
    Fanatic Member
    Join Date
    Mar 2024
    Posts
    874

    I got carried away with hashing too much by hashing the privileges, which I can't decrypt for use in the program.

    Rejiggered again the table and sub to just encrypt and decrypt them and still hash passwords.

    I create 2 different salts, one for password hashes, other as the password for the privilege encryption, and stored in the row.
    Bet that causes a hacker some bewilderment as to what salt does what to whom and how.

    Privileges encryption is more like an obfuscation, not super critical, just to sort of hide it from any casual snoopers.
    It does not matter if someone decrypts them if they have no access to the database.

    Code:
     Private Sub loadcombobox()
    
    
    
         Dim ConStrUserVar As String = frmlogonConnectstring & "Allow User Variables=True;"
         Dim conn As New MySqlConnection(ConStrUserVar)
         Dim PwordAes, PrivilAes As String
         Dim Xx As Integer = 0
         Dim hashsalt1, hashsalt2, hashpass, hashpriv, saltedhash, hashcomparepriv As String
         hashsalt1 = ""
         hashsalt2 = ""
         hashpass = ""
         hashpriv = ""
         hashcomparepriv = ""
    
         'to test a user for all priv, need only one!! make sure one exists.
         'load combo1 and make sure someone has all admin privileges
         Combo1.Items.Clear()
    
         Try
             Using conn
                 conn.Open()
                 Dim cmd1 As New MySqlCommand
                 cmd1.Connection = conn
                 ' cmd1.CommandText = "DROP TABLE IF EXISTS usertable"
                 ' cmd1.ExecuteNonQuery()
                 'create user table
                 ' cmd1.CommandText = "CREATE TABLE IF NOT EXISTS usertable (Id INT AUTO_INCREMENT PRIMARY KEY, MyName VARCHAR(50) DEFAULT '', Myuser VARCHAR(50) DEFAULT '', password VARCHAR(50) DEFAULT '', Priveliges CHAR (21) DEFAULT '', UserDate DATETIME DEFAULT CURRENT_TIMESTAMP, password_aes varchar(150) DEFAULT '', priv_aes varchar(150) DEFAULT '', salt1 varchar(20) DEFAULT '', salt2 varchar(20) DEFAULT '') ENGINE = INNODB"
                 ' cmd1.ExecuteNonQuery()
    
                 ' cmd1.CommandText = "CREATE INDEX MyuserIndex On usertable(Myuser)"
                 'cmd1.ExecuteNonQuery()
    
                 'add the names to combobox as in loop till it is full from usertable
                 'priv_aes is decrypted by the server using the salt2 stored in the same row
                 'if the decrypted value is "A11111111111111111111" then someone has all privs.
    
                 cmd1.CommandText = "Select myuser, cast(aes_decrypt(priv_aes, salt2) AS char) as HashA1 from usertable"
    
                 Using RDR = cmd1.ExecuteReader()
                     Do While RDR.Read
                         Combo1.Items.Add(RDR.Item("MYUser").ToString())
                         'decrypt priv 
                         hashpriv = RDR.Item("HashA1").ToString()
                         'test for one user needs to be full admin
                         If hashpriv = "A11111111111111111111" Then Xx += 1
                     Loop
                 End Using
    
                 If Xx = 0 Then 'as in no one has all privileges
                     'Insert new user id
                     Dim MyName As String = "New"
                     MyUserID = "New"
                     pword = ""
                     priv = "" '21chars long
                     PwordAes = "New"
                     PrivilAes = "A11111111111111111111"
    
                     cmd1.CommandText = "Select Hex(RANDOM_BYTES(10))" 'this makes a string 20 chars long
                     Using RDR = cmd1.ExecuteReader()
                         If RDR.Read Then hashsalt1 = RDR.Item("Hex(RANDOM_BYTES(10))").ToString()
                     End Using
    
                     Using RDR = cmd1.ExecuteReader()
                         If RDR.Read Then hashsalt2 = RDR.Item("Hex(RANDOM_BYTES(10))").ToString()
                     End Using
    
    
                     'append salt to create a salted hash for password
                     hashpass = PWDhash("New" & hashsalt1)
    
                     'now we have hashpass, hashsalt1, hashsalt2 to insert into a row; priv_aes is encrypted by the server in the INSERT
                     cmd1.CommandText = "Insert into usertable (myname, myuser, password, priveliges, userdate, password_aes, priv_aes, salt1, salt2) VALUES ('New', 'New', '', '', '" & DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss") & "', '" & hashpass & "', AES_ENCRYPT('A11111111111111111111', '" & hashsalt2 & "'), '" & hashsalt1 & "', '" & hashsalt2 & "')"
                     cmd1.ExecuteNonQuery()
                     Combo1.Items.Add("New")
                 End If
             End Using
         Catch ex As Exception
             Dim msg = ex.ToString()
             MsgBox(msg,  , "Error")
         End Try
     End Sub

  3. #43

    Thread Starter
    Fanatic Member
    Join Date
    Mar 2024
    Posts
    874

    Did find I can also spike it with some added on goofy text to make for a very unique salt 2 encrypt-decrypt for the privileges, that way no one can just use salt2 value to decrypt privileges as I am storing salt2 in the same row.
    Like anyone would actually do that anyway, and it would do them no good regardless.
    That privilege string does nothing with MySQL server, all it does is turn off and on visibility of menu options and buttons, etc... inside the program.

    like this

    Code:
    MariaDB [booksgood]> update usertable set priv_aes = aes_encrypt('dddd',concat(salt2,'aHa*8fooeytoyou2e!'));
    Query OK, 1 row affected (0.002 sec)
    Rows matched: 1  Changed: 1  Warnings: 0
    
    MariaDB [booksgood]> Select myuser, cast(aes_decrypt(priv_aes, concat(salt2,'aHa*8fooeytoyou2e!')) AS char) as HashA1 from usertable;
    +--------+--------+
    | myuser | HashA1 |
    +--------+--------+
    | New    | dddd   |
    +--------+--------+
    1 row in set (0.000 sec)
    
    MariaDB [booksgood]>

    editing, I am just documenting in case I lose it
    to add in some obscure goofy text like this to the random_bytes so none can just decrypt privileges easily
    I got to have the priv string decrypted to make the program function for various users.

    the commands are this for the reader

    Code:
      cmd1.CommandText = "Select myuser, cast(aes_decrypt(priv_aes, concat(salt2,'aHa*8fooeytoyou2e!')) AS char) as HashA1 from usertable"

    and this for the insert

    Code:
        cmd1.CommandText = "Insert into usertable (myname, myuser, password, priveliges, userdate, password_aes, priv_aes, salt1, salt2) VALUES ('New', 'New', 'pass', 'priv', '" & DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss") & "', '" & hashpass & "', AES_ENCRYPT('A11111111111111111111', CONCAT('" & hashsalt2 & "','aHa*8fooeytoyou2e!')), '" & hashsalt1 & "', '" & hashsalt2 & "')"
    Last edited by sdowney1; Jun 13th, 2024 at 05:15 PM.
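
Added example, not part of the original posts: the INSERT from posts #41 to #43 written with bound parameters instead of string concatenation, with both salts generated on the client. PBKDF2 stands in for the thread's PWDhash function, which is not shown on this page; the module and function names, the iteration count and the keySuffix parameter are assumptions of this example, and it assumes .NET Framework 4.7.2 or later with MySql.Data.

```vb
Imports System.Security.Cryptography
Imports MySql.Data.MySqlClient
Module UserInsertExample
    Private Const Iterations As Integer = 600000 ' assumed work factor, tune for the client hardware

    ' 10 random bytes as 20 hex characters, the size of the thread's salt columns.
    Function NewSaltHex() As String
        Dim buf(9) As Byte
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(buf)
        End Using
        Return BitConverter.ToString(buf).Replace("-", "")
    End Function

    ' PBKDF2-HMAC-SHA256 with a per-user salt; the Base64 result is 44 characters.
    Function HashPassword(password As String, saltHex As String) As String
        Dim salt = System.Text.Encoding.ASCII.GetBytes(saltHex)
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return Convert.ToBase64String(kdf.GetBytes(32))
        End Using
    End Function

    ' Recompute with the stored salt and compare every character before deciding.
    Function VerifyPassword(password As String, saltHex As String, stored As String) As Boolean
        Dim computed = HashPassword(password, saltHex)
        Dim diff As Integer = computed.Length Xor stored.Length
        For i = 0 To Math.Min(computed.Length, stored.Length) - 1
            diff = diff Or (AscW(computed(i)) Xor AscW(stored(i)))
        Next
        Return diff = 0
    End Function

    ' Columns not listed here fall back to the defaults in the thread's CREATE TABLE.
    Sub InsertUser(conn As MySqlConnection, user As String, password As String, privileges As String, keySuffix As String)
        Dim salt1 = NewSaltHex()
        Dim salt2 = NewSaltHex()
        Dim sql = "INSERT INTO usertable (myname, myuser, password_aes, priv_aes, salt1, salt2) " &
                  "VALUES (@user, @user, @hash, AES_ENCRYPT(@priv, CONCAT(@salt2, @suffix)), @salt1, @salt2)"
        Using cmd As New MySqlCommand(sql, conn)
            cmd.Parameters.AddWithValue("@user", user)
            cmd.Parameters.AddWithValue("@hash", HashPassword(password, salt1))
            cmd.Parameters.AddWithValue("@priv", privileges)
            cmd.Parameters.AddWithValue("@salt1", salt1)
            cmd.Parameters.AddWithValue("@salt2", salt2)
            cmd.Parameters.AddWithValue("@suffix", keySuffix)
            cmd.ExecuteNonQuery()
        End Using
    End Sub
End Module
```

A constant passed as keySuffix still ships inside the client program, so priv_aes remains obfuscation, as post #42 describes.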
