I have an LC handler that uses sha1 to create an n-character alphanumeric string based on a hash of an input string and an optional individual password. I'm not a crypto expert, so I don't know how secure the result is, but it may be useful to somebody. The handler is below, but I have omitted the guts of it since I don't want the full code archived on the web for access to the hackerverse. Anyone who wants the full script can email me offlist. The basic script could be modified to create your own variant. Basically the idea is to translate the sha1 string into low-ASCII characters, which, per the ongoing discussion, doesn't lose much in the way of security.

function getHashCode2 tString, tLength, tPassword
   -- returns a tLength-character alphanumeric string (up to 20 chars, default = 12)
   --    that is a hash of the input string,
   -- uses SHA-1 for high-end (though not perfect) cryptographic security
   -- allows adding a password as input so that the hash can be duplicated only
   --    with the correct password
   -- if tPassword is empty, the hash is stable and is dependent
   --    only on the content of tString

   if tLength = empty then put 12 into tLength
   try
      put sha1digest(tString & tPassword) into tDigest
   catch tErr
      put md5digest(tString & tPassword) into tDigest -- if version < 4.5.3
   end try
   put "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" \
         into codeChars
   put length(codeChars) into howManyCodeChars
   repeat with i = 1 to the number of chars of tDigest
      ... <snip> ...
   end repeat
   repeat with j = 1 to tLength
      ... <snip> ...
   end repeat
   return finalCodeString
end getHashCode2

-- Peter

Peter M. Brigham
pmb...@gmail.com
http://home.comcast.net/~pmbrig


On Jun 13, 2012, at 9:47 AM, Richard Gaskin wrote:

> Some apartment buildings use locks which support a master key held by the
> landlord, so that the tenant keys will only unlock their own door but the
> master key will trip enough tumblers to unlock any door in the building.
>
> In your case, having a single hard-wired master key as an "OR" in your script
> might be too dangerous; anyone you send the master key to would then be able
> to unlock any such stack, not only their own.
>
> But perhaps the key you send them would be a hash of some fixed salt string,
> the user name, and the date - it would then only work when applied to the
> user's stack (assuming their user name is stored somewhere in it), and only
> on the date you send it.
>
>
> General tip for anyone using hashes:
>
> MD5 has been known to be theoretically crackable for some years, and this has
> become a reality as noted in recent news:
>
> MD5 password scrambler 'no longer safe'
>
> Summary: The MD5 password hash algorithm is “no longer considered
> safe” by the original software developer, a day after the leak of
> more than 6.4 million hashed LinkedIn passwords.
>
> <http://www.zdnet.com/blog/security/md5-password-scrambler-no-longer-safe/12317>
>
> Fortunately RunRev is on top of things, and several versions back added an
> alternative hash function, "sha1Digest", which is generally considered to be
> a more secure option.
>
> So if any of your code is still using the older "md5Digest" function, it may
> be a good time to migrate to "sha1Digest".
>
> --
> Richard Gaskin
> Fourth World
> LiveCode training and consulting: http://www.fourthworld.com
> Webzine for LiveCode developers: http://www.LiveCodeJournal.com
> Follow me on Twitter: http://twitter.com/FourthWorldSys
>
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
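
An added example, not part of either message and not the omitted body of getHashCode2: a Python sketch of the per-user, per-date unlock code suggested in the quoted reply, rendered into the handler's 62-character alphabet. It swaps in HMAC-SHA-256 for the `sha1digest(tString & tPassword)` concatenation; the function names, the secret and the sample user name are assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import date

# Same 62 characters as codeChars in the handler above.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
MAX_LEN = 20  # the handler's stated upper bound


def digest_to_code(digest: bytes, length: int = 12) -> str:
    """Map digest bytes to `length` characters of ALPHABET (base-62 digits)."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError("length must be between 1 and %d" % MAX_LEN)
    # Reading the whole 256-bit digest as one integer keeps modulo bias
    # negligible; mapping each byte with `byte % 62` would favour the
    # first 8 characters (256 = 4*62 + 8).
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def unlock_code(secret: bytes, user_name: str, day: date, length: int = 12) -> str:
    """Per-user, per-day code: HMAC-SHA-256 over user name and ISO date."""
    fields = (user_name.encode("utf-8"), day.isoformat().encode("ascii"))
    # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return digest_to_code(hmac.new(secret, msg, hashlib.sha256).digest(), length)


def verify_unlock_code(secret: bytes, user_name: str, day: date,
                       candidate: str, length: int = 12) -> bool:
    """Check a typed-in code for this user and date in constant time."""
    if not candidate.isascii():
        return False  # compare_digest rejects non-ASCII str; fail closed
    expected = unlock_code(secret, user_name, day, length)
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    code = unlock_code(secret, "alice", date(2012, 6, 13))
    print(code, verify_unlock_code(secret, "alice", date(2012, 6, 14), code))
```

Because verification runs inside the distributed stack, the secret ships with it; anyone who extracts it can compute codes for any user and date.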