Password encryption

Written by ysangkok
2 years ago
Category: General
9 posts since Mon, 30 Apr 12
I see that HeidiSQL stores the passwords obfuscated in the registry. I would like to know the encoding scheme, as I want to judge its security. I know the HeidiSQL source code is available, but it's not commented and I don't know Object Pascal very well.
Written by ysangkok
2 years ago
9 posts since Mon, 30 Apr 12
I made some tests using the portable variant:

test2 7C6D7B7C3A8
test 7A6B797A6
tset 787769784
<empty> 4
~ 802

I don't see much of a system here. Please help.
Written by jfalch
2 years ago
380 posts since Sat, 17 Oct 09
One of the ideas of password encryption IS that you do not see a system in encrypted data (unless using a really weak encryption scheme).
Written by ysangkok
2 years ago
9 posts since Mon, 30 Apr 12
As far as I know, MySQL receives passwords unencrypted/unhashed. How would it be able to hash and verify them with reference if they are already hashed?

If someone has a reference on the MySQL protocol authentication system, please provide a link.

If HeidiSQL was using a well known encoding algorithm, I presume a Google for 7A6B797A6 (test would be a pretty common input string for demonstrations. Try Googling the MD5 sum for "test") would return results, unless it is encrypted and then encoded using an obscure algorithm. If HeidiSQL is using a home-baked encryption mechanism, I do not really trust it since cryptography is rather hard to do right, and HeidiSQL is an SQL editor, so I presume the author has more knowledge about Object Pascal and GUI designing than cryptography. Even if he had, it would still be security through obscurity since the encryption function could be placed in a library to allow testing and peer-review.
Written by kalvaro
2 years ago
587 posts since Thu, 29 Nov 07
I know nothing about Delphi but searching for "password" in the source code finds two obvious spots:

http://code.google.com/searchframe#vAQ2aFOo1A4/trunk/source/helpers.pas&q=password%20package:http://heidisql\.googlecode\.com&l=315
Written by ysangkok
2 years ago
9 posts since Mon, 30 Apr 12
Thanks a lot kalvaro, this is exactly what I was looking for, but I didn't find it. I was intimidated by the form manipulation code, which is a lot more incomprehensible to me than this.

I like how the salt seems to be stored in the string :P Everything makes sense now :P Like how the empty password wasn't 0 but still seemed to be dependent on the length.
Written by ysangkok
2 years ago
9 posts since Mon, 30 Apr 12

from itertools import zip_longest

def grouper(n, iterable, padvalue=None):
    "grouper(3, 'abcdefg', 'x') --> ('a','b','c'), ('d','e','f'), ('g','x','x')"
    return zip_longest(*[iter(iterable)]*n, fillvalue=padvalue)

def decrypt(s):
    def bytehandler(x):
        """ handles a pair of hex nibbles i.e. ("A", "0") """
        # the last character of the stored string is the salt
        nr = int("".join(x), 16) - int(s[-1], 16)
        if nr < 0: nr += 255
        return chr(nr)

    return "".join(
        map(
            bytehandler,
            grouper(2, s[:-1]) # group all nibbles except the last into pairs
        )
    )

str1 = "7A6B797A6"
print(decrypt(str1))



BTW the HeidiSQL code initializes result two times, anse
Written by ysangkok
2 years ago
9 posts since Mon, 30 Apr 12
Anyway, I think it's incorrect to call it encryption, as the encryption key is embedded in the encrypted string. I'd call this obfuscation instead.
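The point made in the post above, that the key travels inside the stored string, shown as an added example that is not part of the original posts or of HeidiSQL's code. The encoder is reconstructed from the decoder and the test values in this thread; the salt range 1-9, the uppercase hex, the Latin-1 restriction and the names `obfuscate`, `deobfuscate` and `looks_obfuscated` are assumptions.

```python
# Added example, reconstructed from the decoder and test values in this thread.
# Assumptions: salt is one decimal digit 1-9, hex is uppercase, and the
# password only contains characters with code points below 256.

def obfuscate(password, salt):
    """Shift each character by `salt`, write it as two hex digits,
    then append the salt itself as the last character."""
    if not 1 <= salt <= 9:
        raise ValueError("salt must be a single digit from 1 to 9")
    pairs = []
    for ch in password:
        nr = ord(ch) + salt
        if nr > 255:  # mirror of the decoder's "if nr < 0: nr += 255"
            nr -= 255
        pairs.append(f"{nr:02X}")
    return "".join(pairs) + str(salt)

def deobfuscate(stored):
    """Recover the password from the stored string alone."""
    if not stored:
        return ""
    body, salt = stored[:-1], int(stored[-1])
    out = []
    for i in range(0, len(body), 2):
        nr = int(body[i:i + 2], 16) - salt
        out.append(chr(nr + 255 if nr < 0 else nr))
    return "".join(out)

def looks_obfuscated(value):
    """Audit helper: True if `value` has the shape this scheme produces
    (an even number of hex digits followed by one salt digit)."""
    if not value or value[-1] not in "123456789":
        return False
    body = value[:-1]
    return len(body) % 2 == 0 and all(c in "0123456789ABCDEF" for c in body)

# (password, stored form) pairs posted earlier in the thread.
THREAD_SAMPLES = [("test2", "7C6D7B7C3A8"), ("test", "7A6B797A6"),
                  ("tset", "787769784"), ("", "4"), ("~", "802")]

if __name__ == "__main__":
    for password, stored in THREAD_SAMPLES:
        assert obfuscate(password, int(stored[-1])) == stored
        assert looks_obfuscated(stored) and deobfuscate(stored) == password
    # One password under every salt: nine different stored strings, each
    # decoded without any secret that lives outside the string.
    for salt in range(1, 10):
        value = obfuscate("test", salt)
        print(salt, value, deobfuscate(value))
```

`looks_obfuscated` is a shape check only, so a match in a settings export means the value should be treated as a plaintext-equivalent credential, not that it is certain to be one.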
Written by ansgar
2 years ago
4936 posts since Fri, 07 Apr 06
Yes, helpers:encrypt() and helpers:decrypt() use obfuscation logic. Once I had written them years ago I never cared again about these two functions, as modifying the logic would have broken existing sessions of users. Well, we're not talking about publicly used encrypted strings, these are just for storing on the user's harddisk/registry. Although I must admit I'd be glad to have a stronger encryption logic, hohum.
Written by ysangkok
2 years ago
9 posts since Mon, 30 Apr 12
Here is the Pidgin developers' take on the issue: http://developer.pidgin.im/wiki/PlainTextPasswords