How to decode the user password from the database

panda_chan · May 28, 2019, 12:38pm

We are currently developing an intermediate system between loraappserver and user-oriented. We need to process the user password stored in LORA_APP, but we are currently experiencing a problem. When we want to get the password in the user table in the postgresql database. When the field is encrypted, the password field is encrypted, so I would like to ask everyone, what is the encryption method of the lora user’s password? How can I decrypt it from the database? Thank you!

bconway · May 28, 2019, 2:07pm

Looks like PBKDF2.

github.com

brocaar/chirpstack-application-server/blob/master/internal/storage/user.go#L214


	}


	return hashWithSalt(password, salt, iterations), nil
}


func hashWithSalt(password string, salt []byte, iterations int) string {
	// Generate the hash.  This should be a little painful, adjust ITERATIONS
	// if it needs performance tweeking.  Greatly depends on the hardware.
	// NOTE: We store these details with the returned hash, so changes will not
	// affect our ability to do password compares.
	hash := pbkdf2.Key([]byte(password), salt, iterations, sha512.Size, sha512.New)


	// Build up the parameters and hash into a single string so we can compare
	// other string to the same hash.  Note that the hash algorithm is hard-
	// coded here, as it is above.  Introducing alternate encodings must support
	// old encodings as well, and build this string appropriately.
	var buffer bytes.Buffer


	buffer.WriteString("PBKDF2$")
	buffer.WriteString("sha512$")
	buffer.WriteString(strconv.Itoa(iterations))

iegomez · May 28, 2019, 3:24pm

Notice that in general passwords are not encrypted (this is a really bad idea) but hashed and salted. The whole idea is that given a user’s password in plain text and the salt you may hash it and compare with the stored hash to see that it matches, but you cannot derive the user’s password from the stored hash. I’m mentioning this because of your question:

You can’t and shouldn’t. Instead, if you want to authenticate your users from the intermediate system you may use the already available lora-app-server’s API, or manually read the stored hash from the DB and do the comparison yourself, just like in the hashCompare function referenced by Brian.

panda_chan · May 28, 2019, 4:04pm

thank you for your answer. but can you tell me how can i get the value of the paramater iterations

panda_chan · May 28, 2019, 4:09pm

Thank you for your answer! I will take a closer look at the API documentation later.

iegomez · May 28, 2019, 4:13pm

The hashing algorithm, iterations and salt are stored along with the hashed password separated by $. For example, if you have this string:

PBKDF2$sha512$100000$4u3hL8krvlMIS0KnCYXeMw==$G7c7tuUYq2zSJaUeruvNL/KF30d3TVDORVD56wzvJYmc3muWjoaozH8bHJ7r8zY8dW6Pts2bWyhFfkb/ubQZsA==

Then the algorithm is SHA512, the number of iterations is 100000 and the (base64 encoded) salt is 4u3hL8krvlMIS0KnCYXeMw==.

panda_chan · May 28, 2019, 4:19pm

Thank you, I found the field you just mentioned in the database. I will try it.Hope can be achieved

WoobaGooba · May 29, 2019, 12:54am

What exactly are you trying to do … reconstruct the plain text password from the stored hash?

panda_chan · May 30, 2019, 7:03am

This was considered at the beginning, but it is not feasible. Now I directly use the hashcompare method in the lora source to verify.