I am using gsoap's wsseapi plugin and would like to store hashed sha1 passwords rather than plain text. I have spent a ridiculous amount of time experimenting with various methods of hashing the plain text password for storage.

Can anyone suggest a way to hash a password so it can be later verified against a username token digest sent by the client.

I can't seem to get the client password to authenticate against my stored hash.

+1  A: 

Don't roll your own crypto; use a scheme that's well known and accepted by the community, such as PBES2 (as specified by PKCS#5 v2.1). If you're in luck, you'll find a ready-made implementation of it (hint: OpenSSL probably does).

crazyscot
I was trying to hash up just the password part of the digest (leaving out the nonce and created time) using basic sha1. My thought here was that I could quickly verify the hash sent by the client against the stored one. I'm not sure that I can specifically get the password hash sent by the client when the hash is built up of the password, nonce and a timestamp.
oxygen8
A: 

not storing plain-text passwords is good. picking a hash which was developed to be calculated very fast is .. not so clever. read more on "key-derivation" at http://www.tarsnap.com/scrypt.html. basically it slows down "calculation of the hashed password" A LOT, so that an attacker is slowed down in his attempts to use brute force.

akira
Thanks, gsoap has a soap_wsse_session_verify() that seems to prevent possible replay attacks. I'm hoping that would do the job.
oxygen8
A: 

Seems that the plain text password is required at both sides. This is so that on the server, the password stored is hashed using the nonce created at the client side and then the password hashes are compared.

I thought there may have been a way for the client to enter a normal alphanumeric password and for the server to retrieve a pre-stored hashed up version of the same password for comparison. Seems this isn't possible because of the nonce, timestamp etc.

oxygen8
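The following is an added example (not code from the question, the answers, or the gSOAP project) that makes the conclusion of the last answer concrete and also covers the key-derivation advice from the first two answers. It computes the WS-Security UsernameToken PasswordDigest the way a client does, `Base64(SHA-1(nonce + created + password))`, and verifies it the way a server must: by recomputing the digest from the stored plaintext password, rejecting stale `Created` timestamps and replayed nonces (the job the question attributes to `soap_wsse_session_verify()`). It then shows why the original plan fails, since a server holding only `SHA-1(password)` can never reproduce a digest the client computed over the plaintext. Finally, for the contrasting case where the client sends PasswordText over TLS, it stores the password under PBKDF2 (the KDF inside PKCS#5 PBES2, as suggested above; scrypt would slot in the same way) so a leaked record is slow to brute-force. All function names, the in-memory password store and the sample credentials are assumptions constructed for this example.

```python
"""WS-Security UsernameToken PasswordDigest verification (added example)."""
import base64
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

_CREATED_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest per the WS-Security UsernameToken Profile 1.0:
    Base64(SHA-1(nonce || created || password)), with the nonce as raw bytes
    (i.e. base64-decoded) and created/password as UTF-8 text."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def client_token(username: str, password: str, now: datetime = None) -> dict:
    """What the client side builds: fresh random nonce, timestamp, digest."""
    now = now or datetime.now(timezone.utc)
    nonce = secrets.token_bytes(16)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def _parse_created(created: str) -> datetime:
    for fmt in _CREATED_FORMATS:
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported wsu:Created format: %r" % created)


class DigestVerifier:
    """Server side. Needs the plaintext password for each user, because the
    digest must be recomputed over the same bytes the client hashed."""

    def __init__(self, stored_passwords: dict, max_skew=timedelta(minutes=5)):
        self._passwords = stored_passwords          # username -> plaintext (assumed store)
        self._seen_nonces = set()                   # replay cache (hypothetical; bound it in production)
        self._max_skew = max_skew

    def verify(self, token: dict, now: datetime = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self._passwords.get(token["Username"])
        if password is None:
            return False
        if abs(now - _parse_created(token["Created"])) > self._max_skew:
            return False                            # stale: outside the freshness window
        if token["Nonce"] in self._seen_nonces:
            return False                            # replay of a previously accepted token
        nonce = base64.b64decode(token["Nonce"])
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self._seen_nonces.add(token["Nonce"])       # only remember nonces that authenticated
        return True


def verify_with_stored_sha1(token: dict, stored_sha1_hex: str) -> bool:
    """The approach from the question: the server only holds SHA-1(password).
    Substituting that hash for the password in the digest never matches, because
    the client hashed nonce||created||plaintext, not nonce||created||SHA-1(plaintext)."""
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], stored_sha1_hex)
    return hmac.compare_digest(expected, token["PasswordDigest"])


def pbkdf2_record(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    """Storage format for the PasswordText-over-TLS case: a slow, salted KDF
    (PBKDF2-HMAC-SHA256 here; scrypt is the same idea with a memory cost)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def verify_password_text(password: str, record: dict) -> bool:
    """Recompute the KDF over the presented plaintext and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               record["salt"], record["iterations"])
    return hmac.compare_digest(cand, record["key"])


if __name__ == "__main__":
    token = client_token("alice", "s3cret")                     # constructed credentials
    server = DigestVerifier({"alice": "s3cret"})
    print("digest verified:", server.verify(token))             # True
    print("replay accepted:", server.verify(token))             # False
    print("stored SHA-1 works:", verify_with_stored_sha1(
        token, hashlib.sha1(b"s3cret").hexdigest()))             # False
```

The replay cache here grows without bound; a real server would expire entries once their `Created` time falls outside `max_skew`, since a token older than that is rejected by the freshness check anyway.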