Android Question SHA1 one way(?) encryption

[btg1967]

Hi there,

I'm now getting to some of the meatier parts of my app... and some of the 'dark arts' of encryption and passing passwords from an app to the web server...

In order to login, I hope to replicate what I do in the PHP part of the application - Post to a login page with the username and password pair, and then get a token to use through the life of the app.

The password is passed SHA1 encrypted, and I never decrypt it so that the raw value is never transmitted over an open link ... it's only transmitted over an SSL connection (in case you're wondering, the login page is http, however the login will not work if the server detects the login is not on SSL)

I've seen this post, and adapted it by adding in my own custom salt, and only SHA1, however get a different result to the results to the sha1 routine I have on my PHP web app.

Any ideas??

Private pi As String
Dim MyPwdHash() As Byte
Dim MyHash As String

    pi = "<<mysalt>>" & "<<users password>>"
    MyPwdHash = md.GetMessageDigest(md5string.GetBytes("UTF8"),"SHA-1")
    MyHash = ByteCon.HexFromBytes(MyPwdHash)
    MyHash = MyHash.ToLowerCase
    Log("SHA1: " & MyHash)

Many thanks,

 

[Erel]

Can you post the PHP code?

 

[btg1967]

Hi Erel,

Sorry for the delay in getting back to you.

PHP code here using the Sha1() function http://php.net/sha1

$hashPWD = sha1(<<mySalt>> . <<userPassword>>);

All ((unescaped)) raw values sent through $_POST variables

 

[Erel]

Your code looks correct. Try to compare the values to the values you get from an online hash calculator to see where is the problem.

 

[Troberg]

Looks like you've got a copy-paste error.

MyPwdHash = md.GetMessageDigest(md5string.GetBytes("UTF8"),"SHA-1")

should probably be

MyPwdHash = md.GetMessageDigest(pi.GetBytes("UTF8"),"SHA-1")

Now, you put your stuff in one string and run the calculations on another.

Also, you are missing declations for md and ByteCon, but I assume they are elsewhere, as your code do run.

 

[btg1967]

OMG I feel like such a dolt

@Troberg you got the issue - cut/paste - sheesh it's always the simplest of errors. Coding can be very humbling at times...

For reference, here is the corrected snippet:

Private pi As String
Dim MyPwdHash() As Byte
Dim MyHash As String

    pi = "<<mysalt>>" & "<<users password>>"
    MyPwdHash = md.GetMessageDigest(pi.GetBytes("UTF8"),"SHA-1")
    MyHash = ByteCon.HexFromBytes(MyPwdHash)
    MyHash = MyHash.ToLowerCase
    Log("SHA1: " & MyHash)

I had even used http://onlinemd5.com/ to verify my output and was even considering getting someone to write my own library... you have saved me a HUGE amount of time

• thank you
• thank you
• thank you