Osirose II registration script issue


Postby aerocoke on Sun Apr 22, 2018 11:08 pm

Since it seems that osirose II uses new ways to protect passwords, I tried to code a new registration page, but when I try to actually connect it tells me the pass is incorrect.

The code works: it will insert data into the account table and it will encrypt the pass.
My guess is that this is not the right way to store MD5 and SHA256.

If you have any ideas, help would be appreciated :D

Connect.php
<?php
$connection = mysqli_connect('localhost', 'root', '', 'osirose');
// checking if it works

if (mysqli_connect_errno()) {
    // the original printf had no %s placeholder, so the error text was never printed
    printf("could not connect to the database: %s", mysqli_connect_error());
    exit();
}
?>


Register.php
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
error_reporting(E_ALL);
ini_set('display_errors', 1);

require('connect.php');

// we check if the user already exists (tbd)

if (isset($_POST['username']) && isset($_POST['password'])) {

    $username = $_POST['username'];
    $passtemp = $_POST['password'];
    $password = md5($passtemp);
    $salt     = hash('sha256', $passtemp);

    // $query = "INSERT INTO 'accounts' (username,password,salt) VALUES ('$username','$password','$salt')";
    $sql   = "INSERT INTO accounts (username, password, salt) VALUES ('$username', '$password', '$salt')";
    $query = mysqli_query($connection, $sql);

    if ($query) {
        echo "Success executing : $sql";
    } else {
        echo "Failed executing : $sql";
    }
}
?>
aerocoke
Jelly Bean
Posts: 16
Joined: Wed Feb 24, 2016 2:31 am

Re: Osirose II registration script issue

Postby lazypenguin on Mon Apr 23, 2018 2:48 am

Here is the auth code from osIROSE II (https://github.com/dev-osrose/osIROSE-n ... t.cpp#L107).

After a quick glance the passwords appear to be hashed using SHA256 with a random database per-user generated salt: https://github.com/dev-osrose/osIROSE-n ... e.sql#L396.

Here is what you would do for registration:
- Take user password
- Hash the password using SHA256 and the salt from the database. Looks like you can use this stored proc to do it in SQL directly:

  SHA2(CONCAT('<THE PASSWORD>', salt), 256)


Salt seems to be randomly generated per user for you, so you would do something like this:

$username = $_POST['username'];
$password = $_POST['password'];
$sql = "INSERT INTO accounts (username, SHA2(CONCAT('password', salt), 256)) values ('$username', '$password')";


Not tested but Raven/L3nn0x can verify.
lazypenguin
Pomic
Posts: 78
Joined: Mon Aug 10, 2009 6:51 am

Re: Osirose II registration script issue

Postby L3nn0x on Mon Apr 23, 2018 8:59 am

That sounds about right.

You can use the stored SQL procedure directly if you prefer: "call create_account(username, password);" that will do it for you.

Don't hesitate if you have more questions :)
L3nn0x
osiRose dev
Posts: 111
Joined: Wed Oct 21, 2015 8:22 pm

Re: Osirose II registration script issue

Postby aerocoke on Mon Apr 23, 2018 12:17 pm

Ok, so there was a BIG misconception on my part, it seems.
Being used to the old osrose version, I assumed that the second column was a password encrypted with MD5 and the third one a password encrypted with SHA256.

I'm not used to salt; I still have to wrap my head around it.
aerocoke
Jelly Bean
Posts: 16
Joined: Wed Feb 24, 2016 2:31 am

Re: Osirose II registration script issue

Postby lazypenguin on Mon Apr 23, 2018 3:33 pm

Salting the hash is just an extra layer of security, although I've never seen the salt generated per user and stored in the database as well. Historically I've only ever seen it stored at the application level. You should definitely use that stored procedure L3nn0x mentioned; I missed it when I was looking at the code.
lazypenguin
Pomic
Posts: 78
Joined: Mon Aug 10, 2009 6:51 am

Re: Osirose II registration script issue

Postby L3nn0x on Tue Apr 24, 2018 9:58 am

Salting per user means that you can't run a rainbow attack on the database.

If we salted on the application level it wouldn't help since the code is open source and people will always use the default salt :)
L3nn0x
osiRose dev
Posts: 111
Joined: Wed Oct 21, 2015 8:22 pm
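The scheme lazypenguin's recipe and L3nn0x's per-user-salt point describe, as an added example (not code from this thread or from the osIROSE project): a random salt generated per account, stored next to the hash, and the hash computed as SHA-256 over password followed by salt, which is the same hex string MySQL's SHA2(CONCAT(password, salt), 256) yields for the same bytes. The function names, the in-memory stand-in for the accounts table and the sample usernames and password are this example's own.

```php
<?php
// Added example, not from the thread or the osIROSE project.
// Per-user salted SHA-256 as described in the replies above:
//   stored hash = SHA-256(password . salt), salt stored in its own column.
// Function names and the 16-byte salt length are this example's own choices.

declare(strict_types=1);

// Fresh random salt for one account, from the OS CSPRNG, as 32 hex chars.
function make_salt(): string
{
    return bin2hex(random_bytes(16));
}

// Same bytes and same lowercase-hex output as SHA2(CONCAT(password, salt), 256).
function hash_password(string $password, string $salt): string
{
    return hash('sha256', $password . $salt);
}

// Recompute from the stored salt and compare in constant time.
function verify_password(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, hash_password($password, $salt));
}

// Constructed in-memory stand-in for the accounts table: username => row.
function register(array &$accounts, string $username, string $password): void
{
    $salt = make_salt();
    $accounts[$username] = [
        'password' => hash_password($password, $salt),
        'salt'     => $salt,
    ];
}

function login(array $accounts, string $username, string $password): bool
{
    if (!isset($accounts[$username])) {
        return false;
    }
    $row = $accounts[$username];
    return verify_password($password, $row['salt'], $row['password']);
}

$accounts = [];

// Two users pick the same (constructed) password.
register($accounts, 'alice', 'hunter2');
register($accounts, 'bob',   'hunter2');

// With per-user salts the stored hashes differ even though the passwords match,
// so a table precomputed for plain SHA-256, or for one application-wide salt,
// matches nothing in this database.
var_dump($accounts['alice']['password'] !== $accounts['bob']['password']);

// The right password verifies; a wrong one does not.
var_dump(login($accounts, 'alice', 'hunter2'));
var_dump(login($accounts, 'alice', 'Hunter2'));

// For contrast, unsalted hashing gives both users the same hash.
var_dump(hash('sha256', 'hunter2') === hash('sha256', 'hunter2'));
```

Run it with `php example.php`; the first three `var_dump` calls print `bool(true)`, `bool(true)`, `bool(false)`. The salt is generated with `random_bytes`, not `uniqid`/`mt_rand`, because those are predictable, and the comparison uses `hash_equals` so that a mismatch does not leak timing about how many leading characters matched.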

Re: Osirose II registration script issue

Postby Totat on Fri Apr 27, 2018 12:17 am

Oh, I thought salting passwords in the database was to protect user information, so if someone ever gets access to your database the attacker won't be able to straight up grab everyone's passwords.
I make animations and 2d effects
Totat
Pomic
Posts: 75
Joined: Mon Jun 01, 2015 9:15 pm
Location: Discord: Add me! What#7452

Re: Osirose II registration script issue

Postby L3nn0x on Fri Apr 27, 2018 5:36 pm

Not really.

To protect against what you describe, simply hashing the password is fine, as it's a one-way function that cannot be reverted. We add an additional layer of security with the salt.
L3nn0x
osiRose dev
Posts: 111
Joined: Wed Oct 21, 2015 8:22 pm

Re: Osirose II registration script issue

Postby aerocoke on Wed May 02, 2018 7:58 pm

Ok, after reading a bit about salt I now understand why it exists and what it does.
Still, I do have some issues with osirose; I must be mistaken about something.

Here is what I do:

if (isset($_POST['username']) && isset($_POST['password'])) {

    $username = $_POST['username'];                           // Setting username
    $salt     = uniqid(mt_rand(), true);                      // Generating the salt
    $password = hash('sha256', $_POST['password'] . $salt);   // we hash using sha256

    $sql   = "INSERT INTO accounts (username, password, salt) VALUES ('$username', '$password', '$salt')";
    $query = mysqli_query($connection, $sql);


I also tried the Lazy way of inputting values (which works too):

if (isset($_POST['username']) && isset($_POST['password'])) {

    $username = $_POST['username'];                           // Setting username
    $salt     = uniqid(mt_rand(), true);                      // Generating the salt
    $password = hash('sha256', $_POST['password'] . $salt);   // we hash using sha256

    $sql   = "INSERT INTO accounts (username, password, salt) VALUES ('$username', SHA2(CONCAT('$password','$salt'),256), '$salt')";
    $query = mysqli_query($connection, $sql);

    if ($query)


Script works; it does input the values in the database.
As far as I understand we have to:
- Get the password
- Hash it with sha256
- Generate a salt
- Register the password as "hashed256 + salt" and register the salt in the salt column

Which is, I believe, what I'm doing, yet I get the "incorrect password" each time I try to connect to rose.
What am I doing wrong?
aerocoke
Jelly Bean
Posts: 16
Joined: Wed Feb 24, 2016 2:31 am

Re: Osirose II registration script issue

Postby lazypenguin on Wed May 02, 2018 9:36 pm

Does it work when you use the stored procedure?

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // string arguments need quotes, otherwise MySQL reads them as column names
    $sql   = "call create_account('${username}', '${password}')";
    $query = mysqli_query($connection, $sql);


I don't know PHP so YMMV...
lazypenguin
Pomic
Posts: 78
Joined: Mon Aug 10, 2009 6:51 am
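A registration handler built around the stored-procedure call that L3nn0x and lazypenguin suggest, as an added example (not code from this thread or from the osIROSE project). It assumes, as L3nn0x's reply states, that `create_account(username, password)` takes the plaintext password and does the salting and hashing itself, and that the `accounts` table has a `username` column as the posted INSERT statements show. Every snippet in this thread pastes `$_POST` values straight into SQL text; this version binds them as prepared-statement parameters instead, so a quote in the username cannot change the query. The database credentials, the username pattern and the length limits are placeholders of this example's own.

```php
<?php
// Added example, not from the thread or the osIROSE project.
// Registration through the create_account(username, password) stored procedure,
// using mysqli prepared statements so user input is never spliced into SQL.
// Assumed: the procedure salts and hashes the plaintext password itself.
// Host, account, password, database name and limits below are placeholders.

declare(strict_types=1);

// Throw mysqli_sql_exception on driver errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    // Placeholder credentials: a dedicated account with INSERT/EXECUTE rights
    // on this schema only, rather than the root account used in Connect.php.
    return new mysqli('localhost', 'register_user', 'change-me', 'osirose');
}

// Reject malformed input before touching the database (placeholder rules).
function validate_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,16}$/', $username);
}

function validate_password(string $password): bool
{
    $len = strlen($password);
    return $len >= 8 && $len <= 64;
}

// Returns true when the account was created, false when the name is taken.
function create_account(mysqli $db, string $username, string $password): bool
{
    // Existence check with a bound parameter (the "tbd" step in Register.php).
    $check = $db->prepare('SELECT 1 FROM accounts WHERE username = ? LIMIT 1');
    $check->bind_param('s', $username);
    $check->execute();
    $exists = $check->get_result()->num_rows > 0;
    $check->close();
    if ($exists) {
        return false;
    }

    // The procedure receives username and plaintext password as parameters;
    // the server-side SQL does the salt generation and SHA2 hashing.
    $stmt = $db->prepare('CALL create_account(?, ?)');
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $stmt->close();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    if (!validate_username($username) || !validate_password($password)) {
        http_response_code(400);
        echo 'Invalid username or password format.';
        exit;
    }

    try {
        $db = connect();
        if (create_account($db, $username, $password)) {
            echo 'Account created.';
        } else {
            http_response_code(409);
            echo 'That username is already taken.';
        }
    } catch (mysqli_sql_exception $e) {
        // Keep driver and SQL details in the server log; the posted scripts
        // echoed the full SQL statement (and thus the password) to the browser.
        error_log('registration failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Registration failed.';
    }
}
```

`get_result()` needs the mysqlnd driver, which is the default in current PHP builds; with a different driver, bind the single column with `bind_result()` and `fetch()` instead. The existence check and the CALL are two statements, so the same name can still race between them; a UNIQUE index on `accounts.username` turns that race into a caught `mysqli_sql_exception` rather than a duplicate row.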
