logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



How Apache Encrypted Passwords really work

 
Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips



View previous topic :: View next topic  
Author Message
tdonovan
Moderator


Joined: 17 Dec 2005
Posts: 610
Location: Milford, MA, USA

PostPosted: Sun 26 Aug '07 4:17    Post subject: How Apache Encrypted Passwords really work Reply with quote

I have needed to figure out the way Apache encrypted passwords work from time-to-time, especially using the new DBD database stuff for authentication.

I contributed my notes to the Apache WIKI, but since it takes a while for this to work its way into the Apache docs, I'll post the info here too.

-tom-
-------------------------------------------------------------------------
Basic Authentication

There are four formats that Apache recognizes for basic-authentication passwords. Note that not all formats work on every platform:
    1. PLAIN TEXT (i.e. unencrypted) passwords: Windows, BEOS, & Netware only.
    2. CRYPT passwords: Unix only. Uses the traditional Unix crypt(3) function with a random 32-bit salt (only 12 bits used) and the first 8 characters of the password.
    3. SHA1 passwords: "{SHA}" + Base64-encoded SHA-1 digest of the password.
    4. MD5 passwords: "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. See the APR source file apr_md5.c for the details of the algorithm.


The htpasswd program can be used to generate values

MD5
Code:

htpasswd -nbm myName myPassword
 myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

SHA1
Code:

htpasswd -nbs myName myPassword
 myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=

CRYPT
Code:

htpasswd -nbd myName myPassword
 myName:rqXexS6ZhobKA


The OpenSSL command-line program can also be used to generate CRYPT and MD5 values
OpenSSL knows the Apache-specific MD5 algorithm.

MD5
Code:

openssl passwd -apr1 myPassword
 $apr1$qHDFfhPC$nITSVHgYbDAK1Y0acGRnY0

CRYPT
Code:

openssl passwd -crypt myPassword
 qQ5vTYO3c8dsU

The OpenSSL command line program can be used to validate CRYPT or MD5 passwords

CRYPT
The salt for a CRYPT password is the first two characters (converted to a binary value).

To validate myPassword against rqXexS6ZhobKA
Code:

openssl passwd -crypt -salt rq  myPassword
 Warning: truncating password to 8 characters
 rqXexS6ZhobKA

Note that using myPasswo instead of myPassword will produce the same result because only the first 8 characters of CRYPT passwords are considered.

MD5
The salt for an MD5 password is between $apr1$ and the following $ (converted to a binary value - max 8 chars).

To validate myPassword against $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/
Code:

openssl passwd -apr1 -salt r31.....  myPassword
 $apr1$r31.....$HqJZimcKQFAMYayBlzkrA/

Database password fields for mod_dbd

The SHA1 variant is probably the most useful format for DBD authentication. Since the SHA1 and Base64 functions are commonly available, other software can populate a database with encrypted passwords which are usable by Apache basic authentication.
To create Apache SHA1-variant basic-authentication passwords in other languages

PHP
Code:

'{SHA}' . base64_encode(sha1($password, TRUE))


Java
Code:

"{SHA}" + new sun.misc.BASE64Encoder().encode(java.security.MessageDigest.getInstance("SHA1").digest(password.getBytes()))


ColdFusion
Code:

"{SHA}" & ToBase64(BinaryDecode(Hash(password, "SHA1"), "Hex"))


Ruby
Code:

require 'digest/sha1'
require 'base64'
'{SHA}' + Base64.encode64(Digest::SHA1.digest(password))


C or C++
Code:

void apr_sha1_base64(const char *clear, int len, char *out)


PostgreSQL (with the contrib/pgcrypto functions installed)
Code:

'{SHA}'||encode(digest(password,'sha1'),'base64')


Digest Authentication

Apache only recognizes one format for digest-authentication passwords - the MD5 hash of the string user:realm:password as a 32-character string of hexadecimal digits.

realm is the Authorization Realm argument to the AuthName directive.
Database password fields for mod_dbd

Since the MD5 function is commonly available, other software can populate a database with encrypted passwords which are usable by Apache digest authentication.
To create Apache digest-authentication passwords in other languages

PHP
Code:

md5($user . ':' . $realm . ':' .$password)


Java
Code:

byte b[] = java.security.MessageDigest.getInstance("MD5").digest( (user + ":" + realm + ":" + password ).getBytes());
java.math.BigInteger bi = new java.math.BigInteger(b);
String s = bi.toString(16);
if (s.length() % 2 != 0)  s = "0" + s;
// String s is the encrypted password


ColdFusion
Code:

LCase(Hash( (user & ":" & realm & ":" & password) , "MD5"))


Ruby
Code:

require 'digest/md5'
Digest::MD5.hexdigest(user + ':' + realm + ':' + password)


PostgreSQL (with the contrib/pgcrypto functions installed)
Code:

encode(digest( user || ':' || realm || ':' || password , 'md5'), 'hex')
Back to top


Post new topic   Reply to topic    Apache Forum Index -> How-to's & Documentation & Tips
Page 1 of 1