Tomas 1082 Monday, 7 September 2020, 11:21 AM
Password encryption/hashing in postgres database
Hi,

I need to know how to encrypt/hash the passwords in the postgres database. I assume all passwords are using the same method, but examples would be the pbx admin password in the usersadmin app, and the domain passwords in the devices app.

Thanks,

Tomas
Daniel Deterding (innovaphone), Moderator, Monday, 14 September 2020, 08:47 AM
Re: Password encryption/hashing in postgres database
Hi Tomas,

sorry, the de- and encryption of these passwords may vary from app to app or from table to table and is not intended to be publicly discussed.

Is there any special reason why you need to access this table data directly?

Greetings,
Daniel
Tomas 1082 Monday, 14 September 2020, 09:19 AM
Re: Password encryption/hashing in postgres database
Hi,

yes. And this is why I created a support case, 285480. But I was redirected by support to this public forum. Please check my latest posts there.

Regards,

Tomas
Daniel Deterding (innovaphone), Moderator, Monday, 14 September 2020, 09:35 AM
Re: Password encryption/hashing in postgres database
Hi Tomas,

with "publicly", I also meant support cases ;)

Greetings,
Daniel
Daniel Deterding (innovaphone), Moderator, Monday, 14 September 2020, 09:45 AM
Re: Password encryption/hashing in postgres database
Hi Tomas,

ok, I took another look at the mantis case and saw that you want to add domains in devices (so you actually do not want to access the database passwords, which are encrypted differently).

The passwords transferred inside websocket messages are encrypted with the appwebsocket encryption and the calculated session key (the innovaphone.appwebsocket.Connection.js library shows how the session key is calculated and how the encrypt/decrypt functions work, as you already know by now).

The devices AddDomain message works like this:

{
    "mt": "AddDomain",
    "seed": "reseller.com1",
    "domain": {
        "name": "reseller.com",
        "password": "encryptedPwd",
        "passwordRetype": "encryptedPwd"
    }
}

encryptedPwd is: appwebsocket.encrypt("reseller.com1", "cleartextPwd");

The seed "reseller.com1" is a random value, which you hand as a parameter inside the JSON.

Greetings,
Daniel
Tomas 1082 Monday, 14 September 2020, 12:27 PM
Re: Password encryption/hashing in postgres database
Hi,

I DO want to write directly to the database for setting passwords etc. This is the subject/heading of the case and is what it started out as. For management/automation tasks it makes more sense and is easier and more lightweight to do simple sql queries.

I did not manage to make it work with the apis. My last comments from the support case on this part:

----

I managed to get the pw encryption correct in bash using your example data. A lot of trial and error. It's 64-bit RC4, right? My openssl only supported 40 and 128, so I had to use something else.


Also, make sure your string for digest calculation is composed correctly (especially the info object, also an empty one, must be considered in the string).

Do you have an example for this particular case? Is this enough?

innovaphone-devices:vcom.no:::::<challenge>:<pw-on-vcom.no-device-instance>


The session key is a part of RC4 encryption keys and must be calculated after AppLoginResult is received. It is calculated as SHA256 of the string "innovaphoneAppSessionKey:challenge:password" (the administrator password used for AppLogin in your case).

Where do I find this app session key? Should it be returned from the server?

----


Note that I am trying to log in to the app platform directly (ws:<app-platform-ip>/<domain>/devices)


Regards

Daniel Deterding (innovaphone), Moderator, Monday, 14 September 2020, 12:54 PM
Re: Password encryption/hashing in postgres database
You cannot write directly to the database, as sometimes data is stored inside memory alongside data stored inside the database, so if you bypass the APIs, the memory inside the app will contain wrong data and you would need to restart the app itself.

So if you have trouble using the API, we need to figure this out!

The session key calculation is quite simple and you can see it in the PHP example or inside innovaphone.Appwebsocket.Connection.js.
You already wrote it:
SHA256 of the string "innovaphoneAppSessionKey:challenge:password"

innovaphoneAppSessionKey is a fixed keyword, which never changes. Just the challenge changes for every login, and the password is known to you.

Greetings,
Daniel
Tomas 1082 Monday, 14 September 2020, 03:18 PM
Re: Password encryption/hashing in postgres database
Yes, it is probably best to stop the instance, do the changes and then restart it again. Not really a problem and a more compact way of e.g. deploying many new apps/domains etc. I think you should let us know how the db password encryption is done, at least on your own apps. Some of us might want to know how secure the stored data really is, in the event that database contents are lost/stolen.

--
Ok, so the first element of "innovaphoneAppSessionKey:challenge:password" is actually a static string, not a variable as the last two.

So then my last problem is I cannot seem to login correctly to the device instance on the app platform. I have working scripts logging in to <app-platform-ip>/manager for adding app instances etc.

What is the correct websocket path to use when adding a domain to an instance? I tried <app-platform-ip>/<domain-on-app-instance>/devices etc. but it will not log in. Also I am unsure if the digest string is correct. Do you have an example?
Daniel Deterding (innovaphone), Moderator, Monday, 14 September 2020, 03:35 PM
Re: Password encryption/hashing in postgres database
If you edit the instance of the devices app inside the AP Manager, you see the URLs, e.g.
http://dns.com/domain/devices/innovaphone-devices
You simply cut the last /innovaphone-devices, so you would connect to http://dns.com/domain/devices (but you can leave the innovaphone-devices too).


Then you simply use the same logic as for the manager login. But for Devices, the used domain inside the AppLogin must match the domain configured in the instance inside the AP Manager! For other apps this doesn't matter.

http://wiki.innovaphone.com/index.php?title=Reference13r1:Concept_App_Service_Devices#Domains

Greetings,
Daniel

Tomas 1082 Tuesday, 15 September 2020, 09:16 AM
Re: Password encryption/hashing in postgres database
Hi,

ok so I managed to log in to devices, but there is something wrong with the password string

Using this example I got earlier in the support case works fine (I get the same pw string):

seed: string(11) "example.com"
data: string(10) "myP@ssw0rd"
sessionKey: string(10) "0123456789"
key: string(22) "example.com:0123456789"
cypher: string(10) "�fJQȠ'�"
bin2hex: string(20) "0fc6664a51c8a027ba15"

But here the session key is fixed. Is the "challenge" in the key also keyword or the actual challenge from the login? The "password" is the app login pw yes? I have tried both. My results:

creating sha256 from "innovaphoneAppSessionKey:08cbc6d87da163aa:pwd":
5d2598f67b251e4cd470e24bef3f8c663f2a292531c1da62599a05905d784c29

rc4/64bit encrypt of password "myP@ssword" using the hex value of "example.com:5d2598f67b251e4cd470e24bef3f8c663f2a292531c1da62599a05905d784c29" as key ("6578616d706c652e636f6d3a35643235393866363762323531653463643437306532346265663366386336363366326132393235333163316461363235393961303539303564373834633239"):
9e5eafb3ae9b8f29731a

Could you check the values?
Daniel Deterding (innovaphone), Moderator, Tuesday, 15 September 2020, 10:37 AM
Re: Password encryption/hashing in postgres database
The password is the instance password of your devices instance.
The challenge is the challenge received inside AppChallengeResult.

But the challenge "08cbc6d87da163aa" which you are using here can't be a challenge received inside AppChallengeResult. Although challenge is a JSON string, it will always only contain digits.

But the value 9e5eafb3ae9b8f76731a which you calculated is correct.
How does your AddDomain websocket message looks like when sending it?

Greetings,
Daniel
Tomas 1082 Tuesday, 15 September 2020, 10:59 AM
Re: Password encryption/hashing in postgres database
OK thanks, then I am using the correct challenge/pw

Sure about the challenge? Mine seem to contain letters always, e.g.

{"mt":"AppChallengeResult","challenge":"20593fe94aca85c6"}

Also, I am logged in correctly and can add the domain

creating sha256 from "innovaphoneAppSessionKey:20593fe94aca85c6:pwd":
9a903e5bdc725b3b00e3b76e0f4b7312b8a9d42771696703a86065d285f6e776

rc4/64bit encrypt of password "myP@ssword" using the hex value of "example.com:9a903e5bdc725b3b00e3b76e0f4b7312b8a9d42771696703a86065d285f6e776" ("6578616d706c652e636f6d3a39613930336535626463373235623362303065336237366530663462373331326238613964343237373136393637303361383630363564323835663665373736"):
a73cd432b6e87a2ff482

{
    "mt": "AddDomain",
    "seed": "example.com5",
    "domain": {
        "name": "example.com",
        "deployAdminPasswords": false,
        "provisioningUrl": "",
        "iscEmails": "",
        "rentalName": "",
        "provisioningToken": "myP@ssword",
        "password": "a73cd432b6e87a2ff482",
        "passwordRetype": "a73cd432b6e87a2ff482"
    },
    "src": "EditDomain"
}

Btw any easy way to check if the pw is correct other than connecting an app?
Daniel Deterding (innovaphone), Moderator, Tuesday, 15 September 2020, 11:11 AM
Re: Password encryption/hashing in postgres database
Ah, I overlooked something. Yes, the challenge contains hex chars ... ;)

But if you use "example.com:9a..." to encrypt your password, the seed is "example.com", so you must also send "seed":"example.com" inside your JSON message, without the 5.

There is currently no easy way to check the password ... Just connecting with the domain name of the new domain and this specific password.

Greetings,
Daniel
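The client-side computations this thread pieces together (session key after AppChallengeResult, appwebsocket.encrypt with a seed, and an AddDomain message whose seed is the one the password was encrypted with), as an added example in Python. It is neither innovaphone's library code nor the poster's script. It assumes the encryption is plain RC4 keyed with the raw bytes of "<seed>:<sessionKey>" and hex output, which is how the values quoted above were produced; the "64-bit" RC4 remark earlier in the thread is not explained, so the block recomputes the thread's own vector (seed "example.com", session key "0123456789", "myP@ssw0rd" -> 0fc6664a51c8a027ba15) at run time instead of assuming it. The challenge, instance password and domain name used in the demo are constructed values, and recover_password() is an illustrative helper, not a server function.

```python
# Added example (not innovaphone's code): client-side crypto for the AppWebsocket
# flow discussed in this thread. Assumes textbook RC4 over the full key string
# "<seed>:<sessionKey>"; the thread's "64-bit RC4" remark is unexplained, so the
# forum's own test vector is checked at run time rather than taken for granted.
import hashlib
import json
import secrets
from typing import Optional


def session_key(challenge: str, password: str) -> str:
    """Session key after AppChallengeResult: SHA-256 hex of
    "innovaphoneAppSessionKey:<challenge>:<instance password>"."""
    material = f"innovaphoneAppSessionKey:{challenge}:{password}".encode()
    return hashlib.sha256(material).hexdigest()


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA) keyed with all of `key`; encrypt == decrypt."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt(seed: str, session_key_hex: str, cleartext: str) -> str:
    """appwebsocket.encrypt(seed, data): RC4 with key "<seed>:<sessionKey>", hex out."""
    key = f"{seed}:{session_key_hex}".encode()
    return rc4(key, cleartext.encode()).hex()


def decrypt(seed: str, session_key_hex: str, cipher_hex: str) -> bytes:
    """Inverse of encrypt(); returns raw bytes so a wrong seed shows up as
    garbage instead of a decode error."""
    key = f"{seed}:{session_key_hex}".encode()
    return rc4(key, bytes.fromhex(cipher_hex))


def add_domain_message(name: str, cleartext_pw: str, session_key_hex: str,
                       seed: Optional[str] = None) -> dict:
    """Build the AddDomain message from the thread. The seed sent in the JSON is
    the same seed the password was encrypted with (the mismatch that broke the
    poster's first attempt)."""
    if seed is None:
        seed = name + secrets.token_hex(4)    # random per-message seed
    enc = encrypt(seed, session_key_hex, cleartext_pw)
    return {
        "mt": "AddDomain",
        "seed": seed,
        "domain": {"name": name, "password": enc, "passwordRetype": enc},
    }


def recover_password(msg: dict, session_key_hex: str) -> bytes:
    """Illustrative helper (hypothetical, not a server API): re-derive the key
    from the seed *inside the message*. If that seed differs from the one used
    for encryption, the result is not the cleartext."""
    return decrypt(msg["seed"], session_key_hex, msg["domain"]["password"])


def forum_vector_matches() -> bool:
    """The vector quoted in the thread: seed "example.com", session key
    "0123456789", data "myP@ssw0rd" -> 0fc6664a51c8a027ba15."""
    return encrypt("example.com", "0123456789", "myP@ssw0rd") == "0fc6664a51c8a027ba15"


if __name__ == "__main__":
    # Constructed values: a challenge as received in AppChallengeResult, the
    # devices instance password, and the domain to add.
    sk = session_key("20593fe94aca85c6", "pwd")
    msg = add_domain_message("example.com", "myP@ssword", sk)
    print(json.dumps(msg, indent=2))
    print("seed in message recovers cleartext:",
          recover_password(msg, sk) == b"myP@ssword")
    wrong = dict(msg, seed=msg["seed"] + "5")   # the poster's original mistake
    print("mismatched seed recovers cleartext:",
          recover_password(wrong, sk) == b"myP@ssword")
    print("plain RC4 reproduces the forum vector:", forum_vector_matches())
```

Running it prints the message and shows why the original attempt failed: the receiving side derives the RC4 key from the seed in the JSON, so encrypting with "example.com:<sessionKey>" but sending "seed":"example.com5" produces a password value the other side cannot recover. The last line tells you whether plain full-key RC4 reproduces the thread's vector; if it prints False, the innovaphone library keys RC4 differently and rc4()/encrypt() need adjusting before use.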
Tomas 1082 Wednesday, 16 September 2020, 07:44 AM
Re: Password encryption/hashing in postgres database
Hi, ok thanks. The seed was the last problem so now it works!

Maybe the easiest way to check for correct pw is to take a look at the password in the db. If the hash created programmatically matches with the same password entered in the gui, you're good.

Which means no random salting on the hash.