0

I am using vernemq to authorize users from database using SHA256 algorithm. I observe that when creating new entry in table using buildin mqsql function SHA2,

INSERT INTO vmq_auth_acl 
    (mountpoint, client_id, username, 
     password, publish_acl, subscribe_acl)
SELECT 
    '', 'newUser2', 'newUser2', SHA2("CJJPL9", 256), 
     '[{"pattern":"botOut"}] ', 
     '[{"pattern":"botIn/#"}]';

which generates hash value something like this 54d0e30d0a00d86451a3353a2123fc1f006faaba6b55ef0d168390f26cbab82a and Vernemq server successfully verifies this user when logged in using CJJPL9 password.

But when I add this entry into this table from python code using passlib library sha256_crypt.encrypt("CJJPL9"), which generates hash as follows $5$rounds=80000$wnsT7Yr92oJoP28r$cKhJImk5mfuSKV9b3mumNzlbstFUplKtQXXMo4G6Ep5. I know, due to salt, the hashs will be different, but there is a clear difference in the formatting of both hashes and as a result, verneMQ server fails to verify the credentials for this user. The formatting of passlib library says that it keeps only 43 characters from 256-bit checksum. I also tried testing by only keeping the checksum part of the passlib hash string, but still no luck.

I want to know what is the difference between encryption of MySQL SAH2("CJJPL9", 256) and sha256_crypt.encrypt("CJJPL9").

Anum Sheraz
  • 2,383
  • 1
  • 29
  • 54
  • 1
    When I read "authorize users with SHA2" I read "login system with an alarmingly weak hash used". At the absolute least you need to use a password-specific hash like [Bcrypt](https://en.wikipedia.org/wiki/Bcrypt) that's deliberately slow and difficult to brute-force. SHA2-256 is a high-speed hash that can be done at *terahashes per second* on specialized hardware. It's utterly useless for passwords, even at a large number of rounds. – tadman Jul 10 '19 at 00:22
  • You appear to be looking at hex encoding versus base-64 encoding. – user207421 Jul 10 '19 at 00:52
  • @tadman Thanks for pointing that out. Yes I'd love to, but vernemq doesn't supports `Bcrypt` for mysql yet. – Anum Sheraz Jul 10 '19 at 09:58
  • @user207421 you might be rite. Sorry m new to all this. I'll check if passlib supports base64 encoding. Meanwhile `hashlib` library seems to do the work. – Anum Sheraz Jul 10 '19 at 10:00
  • 1
    Hi AnumSheraz, VerneMQ developer here. You're right bcrypt isn't supported yet with mysql - it's in the backlog, we just didn't get around to it yet. I think @user207421 is correct that the encoding is the problem. – Lars Hesel Christensen Jul 10 '19 at 14:34
  • MySQL doesn't and probably never will support Bcrypt, or if it does, Bcrypt will likely be obsolete and we'll have moved on to something better. This is why doing hash validation within MySQL is the wrong place to do it. MySQL does not even support the type of SHA2-256 hashing that `sha256_crypt` does, as it looks like that does 80,000 rounds of it. MySQL does *one*. – tadman Jul 10 '19 at 16:59
  • You could emulate this with `SHA2(SHA2(SHA2(...)))` nested 80,000 times, but that seems preposterous and would probably be stupidly slow because MySQL is not meant for that. – tadman Jul 10 '19 at 17:00
  • hi @tadman when VerneMQ eventually supports bcrypt with MySQL it would be client-side (that is the VerneMQ broker would do the bcrypt verification). – Lars Hesel Christensen Jul 12 '19 at 07:19

0 Answers0