I've never used md5 format and i don't know how to decode it to get the string that is in response. How can i get the string from the md5 format?
I'm using swift language on Xcode for iOS app development. If there is any library that can be used please do suggest it.
TIA
That's why its MD5 hashing. You cannot decode it. It is more secured than simple string. Few years ago all passwords were encoded to MD5 because of security.
You can't decode MD5. What you can do instead is comparing the MD5 string from your JSON with a MD5(stringInYourApp). That means that if you want to compare the user input (for example) and the MD5 from your JSON you'll have to :
Make a MD5 version of user input string (see here for how to)
Compare it with the MD5 from JSON
You cannot see the original string from a MD5 hash.
Related
I've been going around in circles from Apple's CCCrypto docs, frameworks and other SO answers and am not making any headway.
I think I need to figure out how to get a IV from an encrypted string that I receive.
I receive a JSON payload which contains a String. That string is encrypted in AES-256-CBC. (From a Laravel PHP instance that I think uses OpenSSL). The string itself, decrypted, is another JSON object.
I have a pre-defined key.
The string I receive looks something like:
eJahdkawWKajashwlkwAkajsne8ehAhdhsiwkdkdhwNIEhHEheLlwhwlLLLLhshnNWhwhabwiIWHWHwh=
(but is a lot longer).
I'm trying to use this answer here: Issue using CCCrypt (CommonCrypt) in Swift
But am a) unsure if I'm properly converting the string to data and b) how to get the IV (initialization vector) from the string I receive.
Using that answer I do get "success" however when I try to pass it to the NSJSONSerailizer I never got a good result (it always fails) but I do get data out - I think it's garbage.
Edit:
I really mis-understood my original problem - I was receiving a base64 encoded string that I needed to decode into JSON (which went fine). Then using the linked answer and importing CommonCrypto I thought I'd be able to get usable data but I am not. #Rob Napier 's answer is extremely helpful. I think my problem is that the instance of laravel in question is using OpenSSL.
There is no really commonly used standard format for AES encrypted data (there are several "standard formats" but they're not commonly used....) The only way to know how the data you have is encrypted is to look at the documentation for the data format, or failing that, the encrypting code itself.
In good encryption formats, the IV is sent along with the data. But in many common (insecure) formats, there is a hard-coded IV (sometimes 16 bytes of 0x00). If there's a password, you also need to find out how they've converted the password to a key (there are several ways to do this, some good, some horrible). In a good format, the key derivation may include some random "salt" that you need to extract from the data. You'll also need to know if there is an HMAC or similar authentication (which might be stored at the beginning or the end of the data, and may include its own salt).
There just isn't any good way to know without documentation from the sender. Any decently encrypted format is going to look like random noise, so figuring it out just by looking at the final message is pretty hard.
If this comes out of Laravel's encrypt function, then that seems to be ultimately this code:
public function encrypt($value)
{
$iv = mcrypt_create_iv($this->getIvSize(), $this->getRandomizer());
$value = base64_encode($this->padAndMcrypt($value, $iv));
// Once we have the encrypted value we will go ahead base64_encode the input
// vector and create the MAC for the encrypted value so we can verify its
// authenticity. Then, we'll JSON encode the data in a "payload" array.
$mac = $this->hash($iv = base64_encode($iv), $value);
return base64_encode(json_encode(compact('iv', 'value', 'mac')));
}
If this is correct, then you should have been passed base64-encoded JSON with three fields: the IV (iv), the ciphertext (value), and what looks like an HMAC encrypted using the same key as the plaintext (mac). The data you've given above doesn't look like JSON at all (even after base-64 decoding).
This assumes that the caller used this encrypt function, though. There are many, many ways to encrypt, though, so you need to know how the actual server you're talking to did it.
I'm currently working on a swift application based on a particular API of a website. I use the md5 function to create valid url and access some JSON data which I can bring in my application with SwiftJSON.
I worked fine for the 6 first url but then I got an error in the checksum of my url. I checked it out and realize my md5 function in swift got the wrong hash
In my swift program, the hash of the string "answerfr1%3D%3DQf7AjOptTN6k2OyoTa7QjOptDM6k2OzoTa7cjOptjM6k2O1oTa7EjOptDMxoTa7AjOptnO2oTY"
Give me this "09938c1325c87ef89251f668a8cf5d42"
But it's not correct because my link isn't valid
But by doing it myself with http://www.md5.cz/
I have this for result "9d78b73d28f590beb8ef25b5e4b99a1d" and my link works perfectly.
I don't know why my md5 function have no issues with the 6 first hash but give me a wrong hash for the 7.
And I realize www.md5.fr give me the same wrong code. Why is there different md5 hash for the same strings ?
My md5 function in swift :
How to convert string to MD5 hash using ios swift
Hope you guys understand my issues here!
Sorry for my bad english
Thanks Martin R, you solved my problem
"%3D" is equal to "="
so "%3D%3D" is equal to "=="
My rails app gets certain data in database from another application. That data is stored as text and it may have some unicode chars in it. Now my rails app does have UTF-8 set as default in the config. But when that data is sent as json to backbone front-end then those unicode chars and not converted properly and the front-end displays ? or smart-quotes instead of displaying the proper char. How do I force the rails backend to do the encoding on the backend to convert unicode chars to UTF-8 in the json?
.encode('UTF-8') on each field.
Which is not that good, or you can write your own json serializer, where you can encode to any encoding you want
http://matthewrobertson.org/blog/2013/08/06/active-record-serializers-from-scratch/
or patch the system one
http://api.rubyonrails.org/classes/ActiveModel/Serializers/JSON.html
I used crypto:sha/1 to hash passwords in my erlang application.
Should I store the binary obtained directly in mnesia or should i convert them to hex string before?
Using crypto:sha/1 for hashing passwords is dangerous. At least have a salt, but preferably, use say scrypt, bcrypt or pbkdf2 for storing passwords like this. They are resilient to a number of attacks. Unfortunately, I know of no Erlang-support for those :/
Use https://github.com/smarkets/erlang-bcrypt to do the hashing rather than SHA1 or MD5.
One could get an Hmac SHA256 hex Digest or MD5 Digest of a password from a front-end application, create a hash using the erlang method and then store this hash. For example, if i had a web application, i ask for password from users, right at account creation or at login, i use javaScript to create an MD5 Digest of this password and send that along the wire (HTTPS) instead of the actual password. On reaching Erlang, i create a hash of this MD5 Digest from JavaScript and store that as the users password. So each time the user attempts to login on my page, i would do the similar process and then compare the hash output of his entry with the one that was stored. Read more on SHA256 HMac Digest by looking at the solutions to this question: HMAC SHA256 hex digest of a string in Erlang, how? and this one: Erlang and JavaScript MD5 Digest match
Actually you store tuples (or records, which is the same) in mnesia, but in the fields of that records you can store any term (including binaries). It's not neccessary to convert them to strings.
I've been asked to develop the company's backoffice for the iPad and, while developing the login screen, I've ran into an issue with the authentication process.
The passwords are concatenated with a salt, hashed using SHA-256 and stored in the database.
The backoffice is Flash-based and uses the as3crypto library to hash then password+salt and my problem is that the current implementation uses Base64 for both input and output.
This site demonstrates how this can be done: just select Hash and select Base64 for both input and output format and fire away. So far, all my attempts have yielded different results from the ones this site (and the backoffice code) give me.
While I think that in theory it should be relatively simply:
Base64 encode the pass+salt
Hash it using SHA-256
Base64 encode the result again
so far I haven't been able to do this and I'm getting quite the headache to be honest.
My code is becoming a living maze, i'll have to redo-it tomorrow I reckon.
Any ideas?
Cheers and thanks in advance
PS: Here's the Backoffice's Flash code for generating hashed passwords by the way:
var currentResult:ByteArray;
var hash:IHash = Crypto.getHash('sha256');
var data:ByteArray = Base64.decodeToByteArray(str + vatel);
currentResult = hash.hash(data);
return Base64.encodeByteArray(currentResult).toString();
The backoffice code does not do
Base64 encode the pass+salt
Hash it using SHA-256
Base64 encode the result again
(as you wrote above)
Instead, what it does is
Base64 decode the pass+salt string into a byte array
Hash the byte array using SHA-256
Base64 encode the byte array, returning a string
As per step 1 above, it's a unclear what kind of character encoding the input strings uses. You need to make sure that both systems use the same encoding for the input strings! UTF8, UTF16-LE or UTF16-BE makes a world of a difference in this case!
Start by finding out the correct character encoding to use on the iOS side.
Oh, and Matt Gallagher has written an easy to use wrapper class for hashes to use on iOS, HashValue.m, I've used it with good results.