I have this password : cJU6fIvqSrHJq8ErBo0mU9fFjzPdSl/94iZyzX/VZ9RJ+GLm3PopuABNopq4UcqcMJTPOBu8KHadfcXl7DEE4Q==
and I want to know the used encryption type. I got this password with the salt from a database used by a script coded with symfony2.
the developer said that he used the sha512 encryption but I think that there is another encode method used.
Thank you,
you are right that there is further encoding, as this a base64 encoding of what is probably a hash output. the decode of the base64 string into a hex string is:
70953a7c8bea4ab1c9abc12b068d2653d7c58f33dd4a5ffde22672cd7fd567d449f862e6dcfa29b8004da29ab851ca9c3094cf381bbc28769d7dc5e5ec3104e1
which is odd because its 128 bytes/1024 bits long, compared to sha512 which is 64 bytes/512 bits. It may be that the salt has been appended to the hash or something like that. Compare your sha512 hashing with the above hex string and see if it matches some part of it.
Related
I have an AES-encrypted string ( out of a user backup of a discontinued App) that I want to decrypt.
What I have:
json file with:
Info that key was created with PBKDF2
salt
encrypted string
I do know the password, with which the backup was created, probably the password also for PBKDF2
Is there a way to find out with what parameters the string was encrypted? i.e, how the key was created
Is there an easy way to decrypt the string?
Fortunately, reverse engineering the encryption method and the way that the ciphertext (and possibly other information necessary for decryption) is stored in the file, is a lot easier than trying to crack the password that was used to derive the encryption key. Being that you know the password that the key was derived from, there may be hope.
Is the encrypted string from the json file encoded using an encoding method that you recognize, such as hexadecimal or base64? If so, then when you decode the encrypted string, is it exactly 128 bits?
If so, then the problem gets significantly simpler, because this means that it's only one block of AES encryption. This means that you don't have to worry about the encryption mode (e.g. CBC, GCM, ECB, CTR, etc), or the IV if it's a block cipher mode such as CBC.
In addition, if there is information in the json file about the inputs to the PBKDF2 function (e.g. number of iterations, and/or hash algorithm), this can be helpful.
In the end, it comes down to trial and error, where different values for the parameters that you don't know are tried, until the correct parameters to the PBKDF2 function are found, which produces the correct key, to decrypt the cipher text. This also requires that you know something about the plaintext, in order to know when the decryption was successful.
Of course, the more parameters that unknown, the more rounds of trial-and-error are necessary. If the number of rounds of trial and error are reasonable given an allotted amount of time and resources, then the process can be automated in a fashion similar to https://security.stackexchange.com/questions/226935/write-a-python-or-c-program-to-guess-the-key/226950#226950.
I have to use an encryption algorithm using Base64 but when I researched online I find forums state it is an encoding algorithm. This has me confused. :(
Is Base64 an encryption or encoding algorithm? How do we differentiate between the two except for the fact that one is publicly decipherable while the other needs a key for that?
It's an encoding algorithm (hence "Base64 encoding") to allow people to move data in an ASCII friendly environment (i.e. no control characters or anything non-printable). It should give you good portability with XML and JSON etc.
The encoding is entirely well known, the algorithm is simple and as it has not "mutability" of the algorithm or concept of keys etc. it is not considered as "encryption".
In summary, anybody can Base64 decode your content, so it's not encryption. At least not useful as encryption. It may keep a four year old stumped, but that's it.
An encoding algorithm merely presents data in an alternative format. It does not in any way attempt to hide data, it merely expresses the same data in an alternative syntax. Base64 is such an encoding algorithm. It merely encodes arbitrary data using only ASCII characters, which is useful in many situations in which non-ASCII characters may not be handled correctly. You can encode and decode Base64 back and forth all day long; there's no secret, no protection, no encryption.
The difference between encoding and encrypting is in whether you need to know a secret in order to get back the original form. base64 is an encoding because all you need to know is the algorithm to encode/decode.
When something is encrypted, there's a secret key that's used, and you need to know the key in order to decrypt it. There's two general types of encryption:
symmetric encryption = the same key is used to encrypt and decrypt. The correspondents using this encryption both need to know this key.
asymmetric encryption = different keys are used to encrypt and decrypt. This is also called public key encryption because you can make one of the keys well known (public), while keeping the other one secret (private). This allows anyone to encrypt a message that using the public key, while only the person who knows the private key can decrypt it, or vice versa.
One can certainly see Base64 as a substitution cipher with a pre-set/fixed key which also blows up the ciphertext by roughly 4/3, but this is not a very useful thought process. The main property of it is that it transforms some data into another format without some additional information. So it is an encoding algorithm.
Note that there are different variants of Base64 with different alphabets such as the one that is URL-safe (table 2 of the RFC4648). If you can set the alphabet with positions, then it will be an encryption algorithm, but it shouldn't be called Base64 anymore.
Let me start by saying that I am new to the encryption arena. With that said, I am developing an application and need to store username, password and full name (first, middle, last) encrypted in a database table. I was reading an article that the IV should be random for each encryption that occurs and that I could prepend the IV to the ciphertext.
This is where it gets confusing. How would I decrypt the string if I prepend text to it unless I know exactly where in the string the IV ends and the ciphertext begins? Also, I was reading that I should salt the string by appending or prepending additional text before I actually encrypt. I.E., some string I create and prepend or append that to the plaintext, am I correct in my understanding of salting?
If I am storing the encrypted username and password in the database, should I worry about any issues when I need to authenticate a user. Can I reliably encrypt the username and password after the user enters the fields, then compare the encrypted values against the encrypted columns in the database? It seems as if this would be a problem and if so, what is the recommended way of handling this?
The length depends on the encryption algorithm that is used. AES's IV is always 16 bytes long, so in the decryption, you can just take the first 16 characters as the IV, then start decrypting after the 16th byte.
Yes, IV is like salt, just that salt is usually referred when we are doing hashing, instead of encryption. Salt is also of a fixed length.
If you only need to authenticate user, hashing is preferred way of storing the password in the database.
I was looking for password encrypting method that uses 140 symbols encrypts.
Like the one i have right here
"1f06b3b57542c78b08d9b2c8cd14a44ff6de52eefa60284af778c2d02c7f35e8cb28b972a8a597ed949da8538f2f494cc5813bb500b595dab3e8575d01284e983d525a70eb61"
so can anyone point me into the right direction?
Or at least give some info about that kind of method (140symbols) .
It's not encryption, it's hashing. Most likely, the algorithm works roughly as follows:
1) Generate a 6-byte salt.
2) Generate the SHA-512 hash of the password and salt.
3) Output the 6-byte salt followed by the 64-byte hash as a 140 character hex string.
I am using PBKDF2 encryption to hash password with salt.
should I store hashed password and salt in database after applying base64 encoding?
If I do use the encoding, then the password length becomes 88 from 64, which requires more storage than when I am not using it.
What are advantages and disadvantages for using the encoding?
should I apply it to salts too?
From the security side, there is no difference between storing pure bytes, and storing a Base64-encoding of them.
If you store pure bytes, make sure you select the right datatype (e.g. a binary one, not a character one) for your column. If you store base64, you can use a character column with US-ASCII encoding.
Base64 has the advantage that a human can more easily look at the data and see if it is the same as some other, but this is about it - you could easily do the encoding after querying the data, too.