Salted Md5 Hashing Scheme Hash

Salted Md5 Hashing Scheme Hash

SALTED MD5 HASHING SCHEME HASH Hash algorithms map binary values of an arbitrary length to small binary values of a fixed length, known as hash values. A hash value is a unique and extremely compact numerical representation of a piece of data. If you hash a paragraph of plaintext and change even one letter of the paragraph, then a subsequent hash will produce a different value. It is computationally improbable to find two distinct inputs that hash to the same value. A hash value is also known as a Message digest. SHA1, MD5 etc. are Hash Algorithms. MD5 MD5 algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. MD5 abc 900150983cd24fb0d6963f7d28e17f72 Algorithm Message Message digest of hash value or input Application of MD5 to encrypt passwords Web applications suffer from the vulnerability that the credentials travelling in clear text can be sniffed from the network. The credentials can also be detected with the help of memory editing tools on shared systems which are used to access the authentication web pages. For the issue of password travelling in clear text, the solution is to implement the salted MD5 technique. If only MD5 of the password was submitted, tests in the lab have shown that it is possible to replay the hashed password ( i.e once a hash of the submitted password is generated, this can be copied and pasted repeatedly ). Hence salted MD5 hash of the password can be submitted. In this case the password will not be same every time the salted md5 password is submitted to the server since the salt ( which is a random numbe) changes every time, the salted hashed password also changes every time. The pre-requisite to this is that the backend database stores a MD5 hash of the password. When a client requests for the login page, the server generates a random number, the salt, and sends it to the client along with the page. A JavaScript code on the client computes the MD5 hash of the password entered by the user. It then concatenates the salt to the hash and re-computes the MD5 hash. This result is then sent to the server. The server picks the hash of the password from its database, concatenates the salt and computes the MD5 hash. If the user 1 entered the correct password these two hashes should match. The server compares the two and if they match, the user is authenticated. A step by step illustration of the salted MD5 is as follows: 1: The client makes a request for a web page, which can be accessed only after authentication. Client Browser Server Request for Protected Resource 2: The server sends the authentication page for e.g. Login.html and it also sends a randomly generated string or a number also known as salt or seed. Client Browser Server Salt + Authentication Page 3: Client types the user name and password in the login page. Client Submits User Name and Password User Name useer Password OK 4: A client side code on the login page performs the computation to generate a salted MD5 password. This code may be implemented using Javascript code, vbscript code or a java applet etc. Computation done on client side: - A=MD5Hash (Salt + MD5hash (Password)) 2 5: The client submits the user id or login id and the computed salted hash password to the server. Server User Name + A 6: • Application on the server obtains the salt or seed that was sent to the client earlier. • Application retrieves the hashed password from the login database for the user id submitted. The passwords are stored in hashed form and not as clear text in the database. Hashed Password • The application uses the salt and the hashed password to compute the salted hashed password. B=MD5Hash (Salt + Hashed Password) 7: Comparison performed by server application. • If A = B, it is established that the client holds the password corresponding to the salted hashed password submitted to the server. The server then allots an authenticated session to the user. Client Browser Server Authenticated Session 8: This session persists or is valid till the user logs out or the session time out due to inactivity. 9: The session life cycle should be managed with care. 3 Implementation of Salted MD5 in ASP.Net and Javascript – Sample Code For the above login application developed using ASP.Net and Javascript, the salted MD5 is implemented. The code for client and server side of the program is shown below. Code on client side The program uses a md5.js file. This file is written by Henry Torgemen and can be downloaded from the Internet. <%@ Page Language="vb" AutoEventWireup="false" codebehind="WebForm3.aspx.vb" Inherits="Dipti.WebForm3" %> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <title>WebForm3</title> <script language="Javascript" src="md5.js"> </script> <SCRIPT language="Javascript"> history.go(1); // disable the browser's back button 4 function md5auth(seed) { var username = document.forms[0].TextBox1.value; var rexp = /^\w+$/; if ( username.length = 0 || username.length > 10 ) { alert("Please enter valid username"); document.forms[0].TextBox1.focus(); return -1; } if ( username.search(rexp) == -1) { alert("Please enter valid username"); document.forms[0].TextBox1.focus(); return -1; } var password = document.forms[0].Password1.value; if ( password.length = 0 || password.length > 10 ) { alert("Please enter valid password"); document.forms[0].TextBox2.focus(); return -1; } if ( password.search(rexp) == -1) { alert("Please enter valid password"); document.forms[0].TextBox2.focus(); return -1; } var hash = MD5(seed+password); document.forms[0].hash.value=hash; return true; } 5 </SCRIPT> </HEAD> <form id="Form1" method="post" runat="server"> <body MS_POSITIONING="GridLayout" bgColor="#ccccff"> <asp:label id="Label6" style="Z-INDEX: 108; LEFT: 296px; POSITION: absolute; TOP: 128px" runat="server" ForeColor="Blue" Font-Size="Large" Font-Bold="True" Width="112px">UserName :</asp:label> <INPUT id="Password1" style="Z-INDEX: 113; LEFT: 416px; WIDTH: 223px; POSITION: absolute; TOP: 176px; HEIGHT: 24px" tabIndex="2" type="password" size="31" name="Password1" runat="server"> <MARQUEE style="FONT-WEIGHT: bold; FONT-SIZE: 20pt; Z-INDEX: 112; LEFT: 160px; WIDTH: 676px; COLOR: white; POSITION: absolute; TOP: 56px; HEIGHT: 32px; BACKGROUND-COLOR: purple" behavior="alternate">Login Screen</MARQUEE> <asp:label id="Label5" style="Z-INDEX: 102; LEFT: 296px; POSITION: absolute; TOP: 176px" runat="server" ForeColor="Blue" Font-Size="Large" Font-Bold="True" Width="96px">Password:</asp:label> <asp:textbox id="TextBox1" style="Z-INDEX: 100; LEFT: 416px; POSITION: absolute; TOP: 136px" runat="server" Height="24px" Width="224px"></asp:label> <asp:label id="Label1" style="Z-INDEX: 103; LEFT: 440px; POSITION: absolute; TOP: 272px" runat="server" Font-Size="Larger" Width="336px" Height="24px" ForeColor="Blue"></asp:label> <asp:label id="Label3" style="Z-INDEX: 105; LEFT: 200px; POSITION: absolute; TOP: 272px" runat="server" Font-Size="Larger" Width="200px" ForeColor="Blue">Computed hash on client</asp:label> <asp:label id="Label4" style="Z-INDEX: 106; LEFT: 200px; POSITION: absolute; TOP: 312px" runat="server" Font-Size="Larger" Width="200px" ForeColor="Blue">Computed hash on server</asp:label> <asp:Label id="Label7" style="Z-INDEX: 109; LEFT: 320px; POSITION: absolute; TOP: 360px" runat="server" Width="344px" ForeColor="Blue">Label</asp:label> <INPUT style="Z-INDEX: 110; LEFT: 8px; WIDTH: 144px; POSITION: absolute; TOP: 8px; HEIGHT: 22px" type="hidden" size="18" name="hash"> <asp:Button id="Button1" style="Z-INDEX: 111; LEFT: 416px; POSITION: absolute; TOP: 216px" runat="server" Width="88px" Font-Bold="True" ForeColor="Blue" Text="OK" BorderColor="#0000C0" BackColor="#FFFFC0" BorderStyle="Solid"> </asp:Button> <form> </body> </HTML> 6 Code on server side Imports System.Web.Security.FormsAuthentication Public Class WebForm3 Inherits System.Web.UI.Page Dim rno As Integer Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load 'Put user code to initialize the page here If Not IsPostBack Then Session.Add("rno", 0) Dim randomclass As New Random Session("rno") = randomclass.Next() rno = Session("rno") End If Button1.Attributes.Add("onclick", "javascript:md5auth(" & rno & ");") End Sub Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click Label2.Text = "hi" Dim strHash As String rno = Session("rno") Dim str As String = rno.ToString + Trim(Password1.Value) strHash = system.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(str, "MD5") Label2.Text = strHash Label1.Text = Request.Form("hash") If Trim(Label1.Text) = Trim(LCase(Label2.Text)) Then Label7.Text = "Strings are equal" End If End Sub End Class 7.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    7 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us