2

We have a website built in Ruby on Rails. User registration is processed through the site in Ruby and the password is hashed using SHA1.HexDigest function of Ruby with a different salt for every user. What I need to do is that - create a webservice in PHP which will login the user already registered on the website. For that I will need to produce a same hash from the user input. As I have almost zero knowledge of Ruby, so I did a lot of research on how we can reproduce the same with PHP. I went through the following link, but to no avail. How to generate the password in PHP as it did by Devise Gem in Ruby on Rails

Ruby also processes/hashes the input for a number of times (i.e. stretches, as you may call it in Ruby).

The hash saved in the database is 128 characters in length. Salt length is 20 characters.

Don't know if some sort of pepper is used as well.

Example,

user input = 123456 salt = g0i3A51x0xa7wrfWCMbG

database password (128 char hash) = 5374f9853f96eaa5b3c1124f9eb1dbbb63fb5c5ce40abb41ec88c745ec3455328685f3046cac8c356a4d81dbd315fd09173c54dc94a4208e5bc091776b02eb77

If someone can replicate the same hash with PHP, using the above given user-input and salt, then please share the code. Please help. It'll be very helpful of urs.

Thanks

class Sha1 < Base
      # Gererates a default password digest based on stretches, salt, pepper and the
      # incoming password.
      def self.digest(password, stretches, salt, pepper)
        digest = pepper
        stretches.times { digest = self.secure_digest(salt, digest, password, pepper) }
        digest
      end

    private

      # Generate a SHA1 digest joining args. Generated token is something like
      #   --arg1--arg2--arg3--argN--
      def self.secure_digest(*tokens)
        ::Digest::SHA1.hexdigest('--' << tokens.flatten.join('--') << '--')
      end
Community
  • 1
  • 1
Angad Singh Thandi
  • 31
  • 4

2 Answers2

0

I would start with a simpler hashing routine on both sides, stretching and salt are great, but start without those and do a simple hash on both sides to see if you can get them to line up. Then you can go add salt/stretching later.

On the ruby side start with something like:

 require 'digest/sha1'
 Digest::SHA1.hexdigest(string)

When you hash you cant decrypt, you have to hash on both sides and compare the result.

If you really want to encrypt something and then decrypt, try this:

http://jnylund.typepad.com/joels_blog/2007/11/cross-language-.html.

Joelio
  • 4,621
  • 6
  • 44
  • 80
0

A straightforward translation of the above Ruby code is:

function hashPassword($password, $stretches, $salt, $pepper) {
    $digest = $pepper;
    for ($i = 0; $i < $stretches; $i++) {
        $digest = sha1("--$salt--$digest--$password--$pepper--");
    }
    return $digest;
}

To use SHA-512 (128 hex digit output) instead of SHA-1 (40 hex digit output), replace sha1(...) with hash('sha512', ...).

I cannot check this code against the hash you posted because the "pepper" is a secret configuration setting I do not know. If it is not configured, try the empty string.

PleaseStand
  • 31,641
  • 6
  • 68
  • 95
  • Actually, I did try the above code. But again the results were negative. I'v already tried many different methods, but not getting any results. If you could just produce the same hash with PHP as in the question from the given salt and user-input, it'll be very helpful. I just need a method that produces same hash with PHP. Please guide me or manouver some kludgy way or anything, please. – Angad Singh Thandi Jan 09 '13 at 13:08