On 26 Nov 2013, at 2:05 AM, Mchurch <[email protected]> wrote: > Dear all, I'm a little bit lost with Crypto method. > I need authentication from a mobile app towards web2py. > If I'm not in wrong, web2py now uses sha512 as default to crypt auth user > password. > From my iOS app I'm sending the password encrypted with the same Hash > Algorithm sha512, because I don't want to send the password clear through the > net > From web2py console I can do: > > b='sha512$$83d97b71499bee6b9d42dee9d3a6e5d00ecc8c891346d25d1909b3aac9abaa0ad4864fe4eacf159cd3f4a0ad764178d014ac378dfffc5e4023f6dbcfb0992648' > > where b is exactly my mobile password string that I'm sending to web2py > trough "Json" > > >>> b > > 'sha512$$83d97b71499bee6b9d42dee9d3a6e5d00ecc8c891346d25d1909b3aac9abaa0ad4864fe4eacf159cd3f4a0ad764178d014ac378dfffc5e4023f6dbcfb0992648' > > > >>> a= CRYPT(digest_alg='sha512',salt=False)('pippo')[0] > > now ,if I do a==b, it returns True > > The problem is that I'm not able to compare auth.user password with my mobile > password! > > Both are encrypted, with the same algorithm, but auth.login_bare(user,psw) > returns alway false because it wants clear-password > > The solution to me appears that I have to compare the two encrypted password, > but may be on the wrong way. > > Help please...
Briefly: you don't want to do that. Why? In the scheme you propose, the hash effective becomes the password, and is stored as-if unhashed in the database, to be compared directly with what comes in over the wire. So if your database is compromised, the attacker can log into any account simply by presenting the password (hash) stored in the database. Compare that to the usual method, where the user transmits the password: the point of the hash is that the password cannot be reverse-engineered from the hash (if it's a good password!). Protecting the password in flight is easy enough: use https. -- Resources: - http://web2py.com - http://web2py.com/book (Documentation) - http://github.com/web2py/web2py (Source code) - https://code.google.com/p/web2py/issues/list (Report Issues) --- You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
