1. 23 Jun 2011 12:57 PM #11
    jmariani
    jmariani is offline
    Sencha User
    Join Date
    Nov 2008
    Location
    Currently Mexico
    Posts
    133
    Vote Rating
    0
    jmariani is on a distinguished road
      0  

    Default Difference with sha256sum result

    Difference with sha256sum result


    Are you sure your sha256 function behaves ok? Because it gives me very different values from sha256sum (a Linux command)

    For the string "123"

    Your function: a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3

    echo 123 | sha256sum: 181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b

    Regards.
    Reply With Quote Reply With Quote
  2. 24 Jun 2011 7:52 AM #12
    ZeusTheTrueGod
    ZeusTheTrueGod is offline
    Sencha User
    Join Date
    Jan 2008
    Posts
    62
    Vote Rating
    0
    ZeusTheTrueGod is on a distinguished road
      0  

    Default That has zero effect on real security

    That has zero effect on real security


    I see no reasons to send a hash of a password instead of the password itself. When your packets are intercepted the attacker will receive the hash instead of password. But that means the attacker will generate the same ajax request from him computer and send it to the server, because instead of comparing passwords your server compares hashes.

    Just use https and don't simulate the security.
    My ODesk profile - https://www.odesk.com/users/~~b3b73482afb3f2c5
    Reply With Quote Reply With Quote
  3. 26 Jun 2011 11:58 PM #13
    dj
    dj is offline
    Ext JS Premium Member dj's Avatar
    Join Date
    Mar 2007
    Location
    Germany
    Posts
    576
    Vote Rating
    2
    dj has a spectacular aura about dj has a spectacular aura about dj has a spectacular aura about
      0  

    Default


    Quote Originally Posted by jmariani View Post
    Are you sure your sha256 function behaves ok? Because it gives me very different values from sha256sum (a Linux command)

    For the string "123"

    Your function: a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3

    echo 123 | sha256sum: 181210f8f9c779c26da1d9b2075bde0127302ee0e3fca38c9a83f5b1dd8e5d3b

    Regards.
    You should use
    Code:
    echo -n 123 | sha256sum
    echo adds a newline, so you did not generate the SHA256 sum of "123" but of "123\n".

    Quote Originally Posted by ZeusTheTrueGod View Post
    I see no reasons to send a hash of a password instead of the password itself. When your packets are intercepted the attacker will receive the hash instead of password. But that means the attacker will generate the same ajax request from him computer and send it to the server, because instead of comparing passwords your server compares hashes.

    Just use https and don't simulate the security.
    Yes, it is a relative moderate security improvement to only send the hash of a password over the wire instead of the clear text password. The attacker doesn't know the password but nontheless can log into the account by just capturing the login request. But toss in some means to prevent replay attacks (like a timestamp and a nonce) and this solution becomes quite secure*. Even when you cannot switch your application over to SSL (e.g. because your hoster doesn't support it or you don't have the money for a certificate).

    * = Only "quite secure" because sophisticated man-in-the-middle attacks are still possible.
    Daniel Jagszent
    dɐɳiel@ʝɐgszeɳt.de <- convert to plain ASCII to get my email address
    Reply With Quote Reply With Quote
  4. 27 Jan 2013 12:54 AM #14
    urmilsetia
    urmilsetia is offline
    Sencha User
    Join Date
    Jul 2012
    Posts
    34
    Vote Rating
    -1
    urmilsetia is an unknown quantity at this point
      0  

    Default Sencha Touch

    Sencha Touch


    Hi guys,

    How can this be implemented in sencha touch 2.1
    Reply With Quote Reply With Quote