Osirose II registration script issue

PostPosted: Sun Apr 22, 2018 11:08 pm
by aerocoke
Since it seems that osIROSE II uses new ways to protect passwords, I tried to code a new registration page, but when I try to actually connect it tells me the password is incorrect.

The code works: it will insert data into the account table and it will encrypt the password.
My guess is that this is not the right way to store MD5 and SHA256.

If you have any ideas help would be appreciated :D

Connect.php
```php
<?php
$connection = mysqli_connect('localhost', 'root', '', 'osirose');

// Checking if the connection worked; the format string needs a %s
// placeholder, otherwise the error text is never printed.
if (mysqli_connect_errno()) {
    printf("Could not connect to the database: %s", mysqli_connect_error());
    exit();
}
?>
```


Register.php
```php
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
error_reporting(E_ALL);
ini_set('display_errors', 1);

require('connect.php');

// We check if the user already exists (tbd)

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $passtemp = $_POST['password'];
    $password = md5($passtemp);            // MD5 of the password goes in the password column
    $salt     = hash('sha256', $passtemp); // SHA256 of the password goes in the salt column

    // $query = "INSERT INTO 'accounts' (username,password,salt) VALUES ('$username','$password','$salt')";
    $sql   = "INSERT INTO accounts (username, password, salt) VALUES ('$username', '$password', '$salt')";
    $query = mysqli_query($connection, $sql);

    if ($query) {
        echo "Success executing : $sql";
    } else {
        echo "Failed executing : $sql";
    }
}
?>
```

Re: Osirose II registration script issue

PostPosted: Mon Apr 23, 2018 2:48 am
by lazypenguin
Here is the auth code from osIROSE II (https://github.com/dev-osrose/osIROSE-n ... t.cpp#L107).

After a quick glance the passwords appear to be hashed using SHA256 with a random per-user salt generated by the database: https://github.com/dev-osrose/osIROSE-n ... e.sql#L396.

Here is what you would do for registration:
- Take the user password
- Hash the password using SHA256 and the salt from the database. Looks like you can use this stored proc to do it in SQL directly:

```sql
SHA2(CONCAT('<THE PASSWORD>', salt), 256)
```


The salt seems to be randomly generated per user for you, so you would do something like this:

```php
$username = $_POST['username'];
$password = $_POST['password'];
// "salt" here is the row's salt column, which the database fills in per user
$sql = "INSERT INTO accounts (username, password) VALUES ('$username', SHA2(CONCAT('$password', salt), 256))";
```


Not tested but Raven/L3nn0x can verify.

Re: Osirose II registration script issue

PostPosted: Mon Apr 23, 2018 8:59 am
by L3nn0x
That sounds about right.

You can use the stored SQL procedure directly if you prefer: "call create_account(username, password);" that will do it for you.

Don't hesitate if you have more questions :)

Re: Osirose II registration script issue

PostPosted: Mon Apr 23, 2018 12:17 pm
by aerocoke
Ok, so there was a BIG misconception on my part it seems.
Being used to the old osRose version, I assumed that the second column was a password encrypted with MD5 and the third one a password encrypted with SHA256.

I'm not used to salt, I still have to wrap my head around it.

Re: Osirose II registration script issue

PostPosted: Mon Apr 23, 2018 3:33 pm
by lazypenguin
Salting the hash is just an extra layer of security, although I've never seen the salt generated per user and stored in the database as well. Historically I've only ever seen it stored at the application level. You should definitely use that stored procedure L3nn0x mentioned; I missed it when I was looking at the code.

Re: Osirose II registration script issue

PostPosted: Tue Apr 24, 2018 9:58 am
by L3nn0x
Salting per user means that you can't run a rainbow attack on the database.

If we salted on the application level it wouldn't help since the code is open source and people will always use the default salt :)

Re: Osirose II registration script issue

PostPosted: Fri Apr 27, 2018 12:17 am
by Totat
Oh, I thought salting passwords in the database was to protect user information, so if someone ever gets access to your database the attacker won't be able to straight up grab everyone's passwords.

Re: Osirose II registration script issue

PostPosted: Fri Apr 27, 2018 5:36 pm
by L3nn0x
Not really.

To protect against what you describe, simply hashing the password is fine, as it's a one-way function that cannot be reverted. We add an additional layer of security with the salt.
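What the per-user salt changes, as an added example that is not code from the thread or from osIROSE. It assumes only what the replies above state: the server compares against `SHA2(CONCAT(password, salt), 256)`, which `hash('sha256', $password . $salt)` reproduces in PHP. The two user records are constructed demo data.

```php
<?php
// Added example: effect of a per-user salt on stored password hashes.
// Assumption (from the thread): the server-side value is SHA2(CONCAT(password, salt), 256).

function hash_password(string $password, string $salt): string {
    // Same bytes, same digest as MySQL's SHA2(CONCAT(password, salt), 256).
    return hash('sha256', $password . $salt);
}

function make_salt(int $bytes = 16): string {
    // random_bytes() is CSPRNG-backed; hex keeps it storable in a text column.
    return bin2hex(random_bytes($bytes));
}

function verify_password(string $password, string $salt, string $stored): bool {
    // hash_equals() compares in constant time, so a mismatch position is not leaked.
    return hash_equals($stored, hash_password($password, $salt));
}

// Constructed demo data: two users who chose the same password.
$users = [
    'alice' => 'hunter2',
    'bob'   => 'hunter2',
];

// Unsalted: identical passwords give identical hashes, so one precomputed table of
// common passwords matches every row that uses them.
$unsalted = array_map(fn($p) => hash('sha256', $p), $users);
echo "unsalted distinct hashes: " . count(array_unique($unsalted)) . "\n";

// Per-user salt: each row hashes differently, so a precomputed table would have to
// be rebuilt for every salt, i.e. for every row.
$rows = [];
foreach ($users as $name => $pw) {
    $salt = make_salt();
    $rows[$name] = ['salt' => $salt, 'password' => hash_password($pw, $salt)];
}
echo "salted distinct hashes: " . count(array_unique(array_column($rows, 'password'))) . "\n";

// The login check still works with the stored salt, and a wrong password is rejected.
var_dump(verify_password('hunter2', $rows['alice']['salt'], $rows['alice']['password']));
var_dump(verify_password('hunter3', $rows['alice']['salt'], $rows['alice']['password']));
```

Run it with `php salt_demo.php`; the unsalted count is one for the two users, the salted count is two. The salt is stored next to the hash on purpose: it is not a secret, its job is to make every row's hash unique.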

Re: Osirose II registration script issue

PostPosted: Wed May 02, 2018 7:58 pm
by aerocoke
Ok, after reading a bit about salt I now understand why it exists and what it does.
Still, I do have some issues with osIROSE, I must be mistaken on something.

Here is what I do:

```php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];                          // Setting username
    $salt     = uniqid(mt_rand(), true);                     // Generating the salt
    $password = hash('sha256', $_POST['password'] . $salt);  // We hash using sha256

    $sql   = "INSERT INTO accounts (username, password, salt) VALUES ('$username', '$password', '$salt')";
    $query = mysqli_query($connection, $sql);
}
```

I also tried the Lazy way of inputting values (which works too):

```php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];                          // Setting username
    $salt     = uniqid(mt_rand(), true);                     // Generating the salt
    $password = hash('sha256', $_POST['password'] . $salt);  // We hash using sha256

    // The already-hashed $password is hashed a second time with the salt by MySQL
    $sql   = "INSERT INTO accounts (username, password, salt) VALUES ('$username', SHA2(CONCAT('$password', '$salt'), 256), '$salt')";
    $query = mysqli_query($connection, $sql);

    if ($query) {
        echo "Success executing : $sql";
    } else {
        echo "Failed executing : $sql";
    }
}
```

The script works, it does input the values in the database.
As far as I understand we have to:
- Get the password
- Hash it with SHA256
- Generate a salt
- Register the password as "hashed256 + salt" and register the salt in the salt column

Which is, I believe, what I'm doing, yet I get "incorrect password" each time I try to connect to ROSE.
What am I doing wrong?

Re: Osirose II registration script issue

PostPosted: Wed May 02, 2018 9:36 pm
by lazypenguin
Does it work when you use the stored procedure?

```php
if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // Bound parameters instead of string interpolation, so the values are quoted correctly
    $stmt = mysqli_prepare($connection, "CALL create_account(?, ?)");
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    $query = mysqli_stmt_execute($stmt);
}
```

I don't know PHP so YMMV...
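A complete registration handler for the two routes discussed in the thread, as an added example (not code from the thread or from osIROSE): calling the `create_account(username, password)` procedure L3nn0x mentioned, or computing `SHA2(CONCAT(password, salt), 256)` in PHP with a random per-user salt and inserting into `accounts(username, password, salt)`. Both use bound parameters so the posted values never become part of the SQL text. The database credentials are placeholders, and the username and password length rules in `validate_input()` are assumptions, not osIROSE's.

```php
<?php
// Added example: registration with bound parameters.
// Assumes the create_account(username, password) procedure and the
// accounts(username, password, salt) columns named in the thread.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

function register_via_procedure(mysqli $db, string $username, string $password): bool {
    // The procedure generates the per-user salt and hashes on the database side;
    // "?" placeholders keep the posted values out of the SQL text entirely.
    $stmt = $db->prepare('CALL create_account(?, ?)');
    $stmt->bind_param('ss', $username, $password);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function register_in_php(mysqli $db, string $username, string $password): bool {
    // Same stored value computed in PHP: random salt, then the digest the server
    // checks against, SHA2(CONCAT(password, salt), 256). The salt is stored in clear.
    $salt = bin2hex(random_bytes(16));
    $hash = hash('sha256', $password . $salt);
    $stmt = $db->prepare('INSERT INTO accounts (username, password, salt) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $username, $hash, $salt);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function validate_input(?string $username, ?string $password): ?string {
    // Assumed rules for this example; adjust to the game's real limits.
    if ($username === null || $password === null) return 'missing field';
    if (!preg_match('/^[A-Za-z0-9_]{3,16}$/', $username)) return 'bad username';
    if (strlen($password) < 8) return 'password too short';
    return null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $err = validate_input($_POST['username'] ?? null, $_POST['password'] ?? null);
    if ($err !== null) {
        http_response_code(400);
        exit($err);
    }
    // Placeholder credentials: use a dedicated DB user with INSERT/EXECUTE only, not root.
    $db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'osirose');
    try {
        register_via_procedure($db, $_POST['username'], $_POST['password']);
        echo 'account created';
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; the client gets no SQL text or error message.
        error_log('registration failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'registration failed';
    }
}
```

Swap `register_via_procedure` for `register_in_php` if the procedure is not available; the stored value is the same either way. Echoing `$sql` back to the browser, as the thread's scripts do, should be dropped in anything reachable from the network, since it shows the query shape and the salt to whoever submits the form.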