Solved

MD5 Salt Hashes in Coldfusion

Posted on 2014-02-16
8
764 Views
Last Modified: 2014-02-16
Is it possible to do this type of setup in CF 9/10

$hash = md5( md5( $salt ) . md5( $password ) );
0
Comment
Question by:theideabulb
  • 4
  • 4
8 Comments
 
LVL 39

Expert Comment

by:gdemaria
ID: 39863108
ColdFusion has the hash() function.

To replicate what you're doing:

  <cfset theHash = hash( hash(salt) & hash(password) )>

Although I don't really see the need for repeated use of the hash, why not just...

 <cfset theHash = hash( password & salt )>
0
 

Author Comment

by:theideabulb
ID: 39863127
i am trying to work out a special feature and want to integrate with the message board I use.  This is the type of encryption they say they use to generate the password:

http://www.invisionpower.com/support/guides/_/advanced-and-developers/miscellaneous/passwords-in-ipboard-r130
0
 

Author Comment

by:theideabulb
ID: 39863134
I am not sure of what you are saying about the salt part of this

EDIT--- i get it the salt part now....
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 39863165
looks like they use the double hash, so you would have to do the same in order to get the same value..  

 <cfset theHash = hash( hash(salt) & hash(password) )>
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 

Author Comment

by:theideabulb
ID: 39863170
Ok, so this is what i am doing:

<cfset salt = '|"<x{' /> 
<cfset pw = 'pass1234'>

<cfset theHash = hash( hash(salt,"md5") & hash(pw,"md5"))>

<cfdump var="#theHash#">

Open in new window


My output is: A012639CB425D6DE66245CBC52176C78

The forum is generating this: 24f4511be9e824ca8fc647b28e05ccf2

so I am not sure what I might be missing
0
 
LVL 39

Expert Comment

by:gdemaria
ID: 39863180
First, be sure that you are using the exact same salt and pw values as the forum.. even the case has to be the same.

I made the assumption that the dot  "."  in this example is concatenation.  If it is not, you need to alter the coldfusion version to do whatever that does.

   =  md5( md5( $salt ) . md5( $password ) );

I don't know if the forum will give you more detail, but can you hash a single word on your side and on the forum to see if they match?   That will take out the complexity of the double hash and concatenation and just let you know if you are using the same hash algorithm.
0
 
LVL 39

Accepted Solution

by:
gdemaria earned 500 total points
ID: 39863182
Notice that your output is all capitals and the forum's is lower case (or perhaps mixed case).   When hashing    "Abc" and  "ABC"  I believe you will get different results.

Therefore, if you hash a value and it forces it to upper case and then you hash again, you will get different results than if you hash a value and it keeps it lower case and you hash again..


You could try this to force the result to lower case, but if the result is mixed case, you may have a problem
<cfset theHash = hash(  lower(hash(salt,"md5"))  &  lower(hash(pw,"md5")) )>
0
 

Author Closing Comment

by:theideabulb
ID: 39863201
Great job.  That did it.   I really appreciate the help.  I had a very quick thought about the lcase, but I thought, hey.. maybe CF just outputs it like that.    This was a big help
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an updated version of a post made on my blog over 3 years ago. It is unfortunately, still very relevant as we continue to see both SQLi (SQL injection) and XSS (cross site scripting) attacks hitting some of the most recognizable website and …
Sometimes databases have MILLIONS of records and we need a way to quickly query that table to return the results me need. Sure you could use CFQUERY but it takes too long when there are millions of records. That is why SOLR was invented. Please …
This Micro Tutorial demonstrates using Microsoft Excel pivot tables, how to reverse engineer competitors' marketing strategies through backlinks.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now