Background

I'm working on a Bukkit plugin (Minecraft server-side). The plugin allows players to send messages back and forth to each other. I am working on a web interface as well. In order to view their 'inbox' they must first log in with a password they can set in-game.

This password isn't stored raw; it is converted into a long string of Unicode values, then broken up into pieces, each converted to hex and appended to a different string.

Java version

//This isn't the best method, I know, but it's still going to take a genius to crack it.
//The resulting number (before somewhat converted to hex) is really
//long, there isn't an easy way of knowing the sequence of characters.
//This conversion is much different than straight up converting to hex,
//as PHP has certain limitations
public static String encodePassword(String password) {
    String longNumber = "";
    for(int i = 0; i < password.length(); i++) {
        longNumber += ((int) password.charAt(i));
    }
    //System.out.println("long = " + longNumber);
    String result = "";
    int splitLength = 5;
    int iterations = longNumber.length() / splitLength;
    if(longNumber.length() % splitLength > 0)
        iterations++;
    for(int i = 0; i < iterations; i++) {
        //System.out.println(result);
        int start = splitLength * i;
        if(longNumber.length() - start <= splitLength) {
            String sub = longNumber.substring(start);
            result += Integer.toHexString(Integer.parseInt(sub));
            continue;
        }
        String sub = longNumber.substring(start, start + splitLength);
        result += Integer.toHexString(Integer.parseInt(sub));
    }
    return result;
}

PHP version

function encodePassword($pw){
    $unicode = "";
    for($i=0; $i<strlen($pw); $i++){
        $char = $pw{$i};
        $val = unicode_value($char);
        $unicode = $unicode.$val;
    }
    $result = "";
    $splitLength = 5;
    $iterations = strlen($unicode) / $splitLength;
    if(strlen($unicode) % $splitLength > 0)
        $iterations++;
    for($i = 0; $i < $iterations; $i++) {
        $start = $splitLength * $i;
        if(strlen($unicode) - $start <= $splitLength) {
            $sub = substr($unicode, $start);
            $result = $result.base_convert($sub, 10, 16);
            continue;
        }
        $sub = substr($unicode, $start, $splitLength);
        $result = $result.base_convert($sub, 10, 16);
    }
    return $result;
}

If I 'encode' the password "partychat" (the name of the plugin, it has a group chat functionality as well) I get 2c212c93ef23163a91bcc in Java, and 2c212c93ef23163a91bcc0 (same except for trailing 0) in PHP. Anything I'm doing wrong?

Note: This doesn't always happen, most 'encoding' works fine, but for some reason this case occurs sometimes

KILL3RTACO
  • Why don't you use a common algorithm like md5 or sha, that behaves the same in Java and PHP? – ffflabs Sep 10 '13 at 00:49
  • **Don't do that**. You should use a cryptographically proven _hash function_; namely, PBKDFv2 or bcrypt. – SLaks Sep 10 '13 at 00:49
  • @amenadiel: Neither of those hashes are secure. – SLaks Sep 10 '13 at 00:50
  • I used hashing originally (yes I know that md5 and sha1 you don't want to use, read up on that already), but for some reason they didn't match – KILL3RTACO Sep 10 '13 at 01:46

1 Answer

Why do you even want this? I would just use a hash of the user password, like: This Stack Overflow question about SHA-256. I know it's not solving your issue, but it is way more secure not to invent your own encryption standard :)

windwarrior
  • I actually never thought about making Java do the hash, originally I made the SQL query do the hashing, and then checking that with PHP... But for some reason they didn't match. I'll try hashing the string in Java and see if that helps – KILL3RTACO Sep 10 '13 at 01:44