Password encryption

[expired user #6368] posted 12 years ago in General
I see that HeidiSQL stores the passwords obfuscated in the registry. I would like to know the encoding scheme, as I want to judge its security. I know the HeidiSQL source code is available, but it's not commented and I don't know Object Pascal very well.
[expired user #6368] posted 12 years ago
I made some tests using the portable variant:

test2 7C6D7B7C3A8
test 7A6B797A6
tset 787769784
<empty> 4
~ 802

I don't see much of a system here. Please help.
jfalch posted 12 years ago
One of the ideas of password encryption IS that you do not see a system in encrypted data (unless using a really weak encryption scheme).
[expired user #6368] posted 12 years ago
As far as I know, MySQL receives passwords unencrypted/unhashed. How would it be able to hash and verify them with reference if they are already hashed?

If someone has a reference on the MySQL protocol authentication system, please provide a link.

If HeidiSQL was using a well-known encoding algorithm, I presume a Google for 7A6B797A6 (test would be a pretty common input string for demonstrations. Try Googling the MD5 sum for "test") would return results, unless it is encrypted and then encoded using an obscure algorithm. If HeidiSQL is using a home-baked encryption mechanism, I do not really trust it since cryptography is rather hard to do right, and HeidiSQL is an SQL editor, so I presume the author has more knowledge about Object Pascal and GUI designing than cryptography. Even if he had, it would still be security through obscurity since the encryption function could be placed in a library to allow testing and peer-review.
kalvaro posted 12 years ago
I know nothing about Delphi but searching for "password" in the source code finds two obvious spots:

http://code.google.com/searchframe#vAQ2aFOo1A4/trunk/source/helpers.pas&q=password%20package:http://heidisql\.googlecode\.com&l=315
[expired user #6368] posted 12 years ago
Thanks a lot kalvaro, this is exactly what I was looking for, but I didn't find it. I was intimidated by the form manipulation code, which is a lot more incomprehensible to me than this.

I like how the salt seems to be stored in the string :P Everything makes sense now :P Like how the empty password wasn't 0 but still seemed to be dependent on the length.
[expired user #6368] posted 12 years ago
    from itertools import zip_longest

    def grouper(n, iterable, padvalue=None):
        "grouper(3, 'abcdefg', 'x') --> ('a','b','c'), ('d','e','f'), ('g','x','x')"
        return zip_longest(*[iter(iterable)]*n, fillvalue=padvalue)

    def decrypt(s):
        def bytehandler(x):
            """ handles a pair of hex nibbles i.e. ("A", "0") """
            nr = int("".join(x), 16) - int(s[-1], 16)
            if nr < 0: nr += 255
            return chr(nr)
        return "".join(
            map(
                bytehandler,
                grouper(2, s[:-1])  # group all nibbles except the last into pairs
            )
        )

    str1 = "7A6B797A6"
    print(decrypt(str1))


BTW the HeidiSQL code initializes result two times, anse
[expired user #6368] posted 12 years ago
Anyway, I think it's incorrect to call it encryption, as the encryption key is embedded in the encrypted string. I'd call this obfuscation instead.
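The point made above, as an added example that is not part of the original posts and not HeidiSQL's own code: an encoder inferred from the samples and the decoder posted in this thread, checked against all five posted values. The function names, the salt range 1-9, single-byte characters, and the 255 wrap on the encode side are assumptions.

```python
# Added example: scheme inferred from the thread's samples, not HeidiSQL's source.

def encode(password, salt):
    """Shift each character code by `salt`, emit two hex digits, append the salt."""
    if not 1 <= salt <= 9:  # assumption: one trailing digit, as in every sample
        raise ValueError("salt must be a single digit 1-9")
    out = []
    for ch in password:
        nr = ord(ch) + salt
        if nr > 255:  # assumption: mirrors the "+= 255" wrap in the posted decoder
            nr -= 255
        out.append(format(nr, "02X"))
    return "".join(out) + str(salt)

def decode(stored):
    """Inverse of encode(); the 'key' is simply the last character of the value."""
    salt = int(stored[-1], 16)
    body = stored[:-1]
    if len(body) % 2:
        raise ValueError("expected an even number of hex digits before the salt")
    chars = []
    for i in range(0, len(body), 2):
        nr = int(body[i:i + 2], 16) - salt
        if nr < 0:
            nr += 255
        chars.append(chr(nr))
    return "".join(chars)

def all_encodings(password):
    """Every stored form one password can take: nine values in total."""
    return [encode(password, s) for s in range(1, 10)]

# Samples posted earlier in the thread: (plaintext, stored value).
THREAD_SAMPLES = [("test2", "7C6D7B7C3A8"), ("test", "7A6B797A6"),
                  ("tset", "787769784"), ("", "4"), ("~", "802")]

if __name__ == "__main__":
    for plain, stored in THREAD_SAMPLES:
        salt = int(stored[-1])
        print(repr(plain), stored,
              encode(plain, salt) == stored, decode(stored) == plain)
    print(all_encodings("test"))
```

Because the shift value travels with the stored string, anyone who can read the registry value or settings file can recover the password, so the protection rests entirely on access control for that storage.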
ansgar posted 12 years ago
Yes, helpers:encrypt() and helpers:decrypt() use obfuscation logic. Once I had written them years ago I never cared again about these two functions, as modifying the logic would have broken existing sessions of users. Well, we're not talking about publicly used encrypted strings, these are just for storing on the user's hard disk/registry. Although I must admit I'd be glad to have a stronger encryption logic, hohum.
[expired user #6368] posted 12 years ago
Here is the Pidgin developers' take on the issue: http://developer.pidgin.im/wiki/PlainTextPasswords
