Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

SQL Server 2005

  • 10-11-2010 4:47pm
    #1
    Moderators, Home & Garden Moderators, Regional Midwest Moderators, Regional West Moderators Posts: 16,724 Mod ✭✭✭✭


    Folks
    Have to migrate a table from SQL 2000 to another table in SQL 2005 and the password encryption is in MD5 and the existing table uses SHA1.

    I have searched high up and low down but I can't find an answer on the net.

    The password was encrypted in .NET using MD5.

    I am aiming to DTS the data across from 2000 to 2005 into a temp table and was hoping to decrypt the username into a string, then encrypt using SHA1 to store in the new table structure.

    Any pointers?

    Thanks


Comments

  • Closed Accounts Posts: 7 BobsYerAuntie


    if I understand correctly, you are attempting to decrypt an MD5 string and store in another table with a different encryption?

    However, MD5 encryption is a one way encryption, you cannot decrypt this... so I think your new implementation will need to use interpret your data as MD5 and not SHA1. :confused:


  • Registered Users, Registered Users 2 Posts: 515 ✭✭✭NeverSayDie


    You should probably take a look here :)
    http://en.wikipedia.org/wiki/Cryptographic_hash_function


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    There should be nothing stopping you from storing either type of hash in a binary column.

    Whatever application is using the table will need to be modified to use MD5 instead of SHA1. Although you could implement a routine which checked the entered password against both an MD5 and SHA1 hash. If the MD5 one matches, the routine updates the stored hash to SHA1.


  • Moderators, Home & Garden Moderators, Regional Midwest Moderators, Regional West Moderators Posts: 16,724 Mod ✭✭✭✭yop


    Thanks for the follow up, sorry I left out important information until I was reading the above I didn't think was relevant.

    The new DB is been used by a CMS called Kentico, it will, going forward (Brian Cowan), be administering the users, it uses ONLY SHA1, we can't change this unfortunately :(

    I think I am fubar on this.

    We have about 300 customers, we don't want to have to ask them to enter their passwords again on the new system.


  • Closed Accounts Posts: 48 Ronan_


    Read the field from old DB in .net, Decrypt it, and write it back to the new DB - shouldn't take long at all


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    Ronan_ wrote: »
    Read the field from old DB in .net, Decrypt it, and write it back to the new DB - shouldn't take long at all
    You can't decrypt it :)

    OK, theoretically you can decrypt it, given the right tools, but decrypting MD5 doesn't guarantee that you will get the correct password when you encrypt it in SHA1 again.

    For example, a user's password might be "kittens", which produces a particular hash. MD5 cracking algorithms don't necessarily attempt to find out the exact password, just a string of characters which will produce the same hash. In MD5 cracking, you don't need the exact password to access a system - any text string which produces the same hash will be accepted by the system as a valid password.

    So in the above example, your cracking algorithm may find that "%^&JDbsN!" has the same hash as "kittens", but you record the former as the customer's password. When you encrypt this in SHA1 format, the customer finds themselves typing "kittens" and it doesn't work - because in SHA1, "kittens" and "%^&JDbsN!" will not produce the same hash.


  • Moderators, Home & Garden Moderators, Regional Midwest Moderators, Regional West Moderators Posts: 16,724 Mod ✭✭✭✭yop


    Ronan_ wrote: »
    Read the field from old DB in .net, Decrypt it, and write it back to the new DB - shouldn't take long at all

    Thanks for that, as said, can't decrypt. ;)
    seamus wrote: »
    You can't decrypt it :)

    OK, theoretically you can decrypt it, given the right tools, but decrypting MD5 doesn't guarantee that you will get the correct password when you encrypt it in SHA1 again.

    For example, a user's password might be "kittens", which produces a particular hash. MD5 cracking algorithms don't necessarily attempt to find out the exact password, just a string of characters which will produce the same hash. In MD5 cracking, you don't need the exact password to access a system - any text string which produces the same hash will be accepted by the system as a valid password.

    So in the above example, your cracking algorithm may find that "%^&JDbsN!" has the same hash as "kittens", but you record the former as the customer's password. When you encrypt this in SHA1 format, the customer finds themselves typing "kittens" and it doesn't work - because in SHA1, "kittens" and "%^&JDbsN!" will not produce the same hash.

    I am snookered. Not to worry lads will have to go back to the client and tell them the options ;)
    Option A, or Option A or even Option A :)

    Thanks lads


Advertisement