tags:

views:

72

answers:

3
+1  Q: 

How to hash a password and store for later verification with another digest

I am using gsoap's wsseapi plugin and would like to store hashed sha1 passwords rather than plain text. I have spent a rediculous amount of time experimenting with various methods of hashing the plain text password for storage.

Can anyone suggest a way to hash a password so it can be later verified against a username token digest sent by the client.

I can't seem to get the client password to authenticate against my stored hash

+1  A: 

Don't roll your own crypto; use a scheme that's well known and accepted by the community, such as PBES2 (as specified by PKCS#5 v2.1). If you're in luck, you'll find a ready-made implementation of it (hint: OpenSSL probably does).

crazyscot  2010-06-03 11:57:50
I was trying to hash up just the password part of the digest (leaving out the nonce and created time) using basic sha1. My thought here was that I could quickly verify the hash sent by the client against the stored one. I'm not sure that I can get specifically get the password hash sent by the client when the hash is built up of the password, nonce and a timestamp.
oxygen8  2010-06-03 13:28:15
A: 

not storing plain-text passwords is good. picking a hash which was developed to be calculated very fast is .. not so clever. read more on "key-derivation" at http://www.tarsnap.com/scrypt.html. basically it slows down "calculation of the hashed password" A LOT, so that an attacker is slowed down in his attempts to use brute force.

akira  2010-06-03 12:01:08
Thanks,gsoap has a soap_wsse_session_verify() that seems to prevent possible replay attacks. I'm hoping that would do the job.
oxygen8  2010-06-03 13:33:26
A: 

Seems that the plain text password is required at both sides. This is so that on the server, the password stored is hashed using the nonce created at the client side and then the password hashes are compared.

I thought there may have been a way for the client to enter a normal alphanumeric password and for the server to retrieve a pre-stored hashed up version of the same password for comparison. Seems this isn't possible because of the nonce, timestamp etc

oxygen8  2010-06-11 16:33:03

related questions

Of Memory Management, Heap Corruption, and C++
How do I make a GUI?
Alpha blending sprites in Nintendo DS Homebrew
Thread safe lazy contruction of a singleton in C++
Interview Programming Questions - In house Exam
Link issues (VC6)
What are the barriers to understanding pointers and what can be done to overcome them?
Why are professors or schools picking Java over C++ to teach to students?
What is the best way to create a sparse array in C++
C/C++ library for reading MIDI signals from a USB MIDI device
How do you pack a visual studio c++ project for release?
How to set up unit testing for Visual Studio C++
How do I configure and communicate with a serial port?
Lightweight IDE for Linux
Mapping Stream data to data structures in C#
CPU throttling in C++
Asynchronous multi-direction server-client communication over the same open socket?
Exceptions in C++
Heap corruption under Win32; how to locate?
Build for Windows NT 4.0 using Visual Studio 2005?
C++: Should I use nested classes in this case?
BerkeleyDB Concurrency
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS