ASP md5 to PHP conversion

[mattisthenation]

I have been put in the position where I need to convert an asp e-commerce site to php. Almost everything is fine except for one thing...

 

The ASP E-commerce program ( which is called bvc 2004 ) has all the customers passwords encrypted with an md5 algorithm in a way that I can't replicate in PHP. I have the encrypted password and the salt (from asp) available, as well as the algorithm for converting the password.

 

Has anyone had any experience with this? Any help would be greatly appreciated

[ghqwerty]

if you wanted to find the pass word you would just have to write

 

$password = md5(sourceofpassword)

 

eg to check if something is correct

 

user inputs user name and pass

$sql = "select username from members where username = '".$username."' and password = '".md5($password)."' LIMIT 1";

[mattisthenation]

Right,

 

The problem is, the md5 encrypted field I need to compare it to was in made in ASP, like this:

 

$asp_md5_encoded_password = "8RwrzUndwugSs08EPwicyQ";
$salt = "3072e6de-6d62-42a5-9190-5e01a9e4dc6e";
$actual_password = "something";

if($actual_password == crypt($salt . $actual_password, $asp_md5_encoded_password))
          do something...

 

So, that should work, but the way the password was encoded in asp is different then in php.

 

Is there a solution that will get php to encrypt the password the same as asp would?

 

note: the actual password isn't the correct one.

 

 

[ghqwerty]

no there is no way to do this unless you use a md5 rainbow tale

 

[DarkWater]

Your MD5 hash is only 22 characters, when MD5 hashes are really 32 characters long.  It's being truncated by the database because the column is too short, or you're manually truncating it.  Check.

[PFMaBiSmAd]

the algorithm for converting the password

You would need to post that as well.

[xtopolis]

no there is no way to do this unless you use a md5 rainbow tale

rainbow tables don't play well with salts =/, it would be futile to hack

 

If the OPs situation is a small portion of users that are active daily, he could rewrite a portion of the asp site to send the password to a local php script to create a hash and store it in a secondary column/database, and once all passwords had been duplicated switch over to php.

[mattisthenation]

I don't think that is an option. There are about 14,000 users some who may be more active or inactive then others. So, I have included the asp code for the encryption and two passwords, their salt, and their resulting md5 encrypted form from the asp code.

 

ASP encryption:

The MD5Encryption class instance gets made, then Encode(password, salt) gets called on it

Public Class MD5Encryption

Public Overloads Function Encode(ByVal message As String) As String

	'The string we wish to encrypt
	Dim strPlainText As String = message

	'The array of bytes that will contain the encrypted value of strPlainText
	Dim hashedDataBytes As Byte()

	'The encoder class used to convert strPlainText to an array of bytes
	Dim encoder As New UTF8Encoding

	'Create an instance of the MD5CryptoServiceProvider class
	Dim md5Hasher As New MD5CryptoServiceProvider

	'Call ComputeHash, passing in the plain-text string as an array of bytes
	'The return value is the encrypted value, as an array of bytes
	hashedDataBytes = md5Hasher.ComputeHash(encoder.GetBytes(strPlainText))

	Return Base64.ConvertToBase64(hashedDataBytes)
End Function

Public Overloads Function Encode(ByVal message As String, ByVal salt As String) As String
	Return Encode(salt & message)
End Function


End Class

 

here are the passwords:

 

pw: passwordtest

md5: XS3sLt9GS0PlaQA==

salt: 62c9db07-cd2e-4bf6-b4e1-9fee9b982f73

 

pw: testpassword

md5: IaVHok/XS3sLt9GS0PlaQA==

salt: b11ced8c-02fe-445c-bfcc-46dc4e40efa1

 

Thanks for your quick responses and help so far. Any more assistance will be greatly appreciated.

[mattisthenation]

Any ideas?

 

I think that I have come to the conclusion that it's not possible to do, but if anyone has any thoughts, please let me know