Duplicating Wildfire's Blowfish Implementation

I am trying to recreate the same Blowfish results which Wildfire generates for the purpose of reproducing the same password as in the jiveUser encryptedpassword field. I have read through src/java/org/jivesoftware/wildfire/auth/AuthFactory.java.

The first thing I am trying to figure out is whether it is using CBC or ECB mode. If it is CBC, where is the initialization vector stored? So I am assuming ECB.

I have the passwordKey from the DB and have tried the following so far:

None of those produce the same encryptedpassword (nor can they decrypt for that matter).

Would anyone happen to know what I am doing wrong, or has anyone successfully gotten the same encrypted results as Wildfire using PHP or any other language (preferably PHP or something I can run via command line)? I could only find two related posts:

But it seems neither of those came up with a resolution other than not using the blowfish encrypted passwords.

Any and all help is welcome!

Cheers, RioGD

riogd,

It would be great to get this working and then documented in the wiki.

You might check out org.jivesoftware.util.Blowfish. It looks like we're using CBC. Otherwise, the rest is beyond me, but please let me know how we can help.

Regards,

Matt

Thank you! I couldn't find where your Blowfish class was (still getting used to reading Java), so thanks to your pointing me right to it, I am now digging through it. I will keep you apprised of what I find out, and if I don't make any progress I will ask in the dev chat.

Cheers,

RioGD

Well at present I think duplicating the same encrypted passwords is not going to be possible. You are right that CBC mode is being used but the problem comes from the IV (initialization vector) being generated each time randomly. The problem comes from being able to deduce/calculate the randomly generated IV from the encrypted password.

The side effect of this is that it is unlikely that two encryptions of the same password will ever be the same. You should be able to duplicate this by creating a test user, and setting a password for them, check the encrypted value, then change the password to the same password again, and you will see the encrypted value is different.

Thanks again,

RioGD

RioGD,

Isn't it better if two encrypted passwords aren't the same? It seems like that would make it harder to crack the encryption key. Are you able to decrypt using PHP and the secret key?

Regards,

Matt

Hi,

As we did discuss this in the chat today, a little summary:

a) Creating a very short standalone Java program using wildfire.jar or only some of the classes is pretty easy. But launching it every time a user wants to log in costs a lot of CPU power.

b) Creating a standalone servlet application using Jetty was not discussed, so one could keep the program mentioned above running all the time on localhost without a relation/connection to Wildfire and with ~4 MB memory usage.

c) Creating a Plugin (or WebService) is a little bit more complex but one can use the existing Wildfire API to verify a password.

LG

Matt,

In a sense you are right, it just makes it impossible to auth the user without first decrypting the password. I have mostly only dealt with one-way encryption, where you auth by making sure the encrypted string matches the encrypted one in the database; this makes it much more difficult to recover the original plaintext password by not having it reversible.

Unfortunately I can't decrypt it because of the random IV. The only PHP libraries I have found to handle CBC require specifying the IV. The Java class being used has some method of recovering the random IV from the encrypted password and then using it to decrypt (secret key / IV -> password). I do not see any way of duplicating it as I don't fully understand how you can recover the IV from the encrypted string.

LG,

Among other things I am going to use this for, it is going to be used to allow users to view their logs on the server and will probably see at most 1 login per 30 minutes (overly exaggerated average, realistically 4-5 logins a day). LDAP would solve the problem but won't be an option for probably another 6 months. Until then I would rather let the users only deal with one “chat related password” and thus auth against the Wildfire DB. Option (a) that you mention would be more than sufficient for my needs, only I don't know how to create such a Java program.

Cheers,

RioGD

Hi,

Did anything ever come of this thread? I am facing the same situation needing to use the jiveuser table to authenticate users from PHP land for log access. Any ideas?

thanks!

daryl

I need to do this too. It should be trivial if I can be told what the IV is for decryption? From what I can see in the src:

// get the CBC IV

byte[] cbciv = new byte[BlowfishCBC.BLOCKSIZE];

Am I on the right track here? If so, can someone tell me what that translates to as a hex string?

If I can get this answered, I'll be happy to release a Perl helper app for all you PHP/Perl people needing enc/decrypting tools.

Message was edited by: cliveholloway
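
An added example, not part of any post in this thread and not Wildfire's own code: it shows how a randomly generated CBC IV can travel with the ciphertext, which is the point raised in the posts about recovering the IV and about what the IV is. The hex layout with the IV as the first 8-byte block, the key derivation, and the PKCS5 padding are assumptions of this sketch; the thread does not confirm the format org.jivesoftware.util.Blowfish actually uses.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class IvPrefixDemo {
    static final int BLOCK = 8; // Blowfish block size in bytes

    // Assumption of this example: key = first 16 bytes of SHA-256(passwordKey).
    static SecretKeySpec deriveKey(String passwordKey) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                .digest(passwordKey.getBytes(StandardCharsets.UTF_8));
        return new SecretKeySpec(Arrays.copyOf(d, 16), "Blowfish");
    }

    // Encrypt with a fresh random IV and store it as the first block of the output.
    static String encrypt(String passwordKey, String plain) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passwordKey), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, BLOCK + ct.length);
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        StringBuilder hex = new StringBuilder();
        for (byte b : out) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Decrypt: the IV is not computed or guessed, it is read back from the first block.
    static String decrypt(String passwordKey, String hex) throws Exception {
        byte[] raw = new byte[hex.length() / 2];
        for (int i = 0; i < raw.length; i++)
            raw[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        Cipher c = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passwordKey), new IvParameterSpec(raw, 0, BLOCK));
        return new String(c.doFinal(raw, BLOCK, raw.length - BLOCK), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String k = "constructed-passwordKey"; // constructed sample value
        String a = encrypt(k, "s3cret"), b = encrypt(k, "s3cret");
        System.out.println(a + "\n" + b);                        // differ: each carries its own IV
        System.out.println(decrypt(k, a).equals(decrypt(k, b))); // both yield the same plaintext
    }
}
```

Under these assumptions, a client in PHP or Perl would hex-decode the stored value, pass the first 8 bytes as the IV to its CBC routine, and decrypt the remainder with the same key.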
