Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 05-31-2008, 11:15 PM
MaXeL3G3ND MaXeL3G3ND is offline
 
Join Date: Dec 2007
Location: ::1
Posts: 19
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Possible to change encryption used in vB?

Hello there,

Today i was wondering, is it possible to change the encryption used in vBulletin,
to f.ex. lets say whirlpool instead? I also wonder how much work would be needed?

I don't want to hear about converting the passwords that are already stored,
i only want to know how hard it is possible to change the encryption used?

An example of a strong algorithm which works in PHP5 atleast: (havent tried in PHP4)
PHP Code:
echo hash'whirlpool''test' ); 
Which spits out test as a 512-bit whirlpool encryption.

Now i just wonder if anyone could guide me just a tiny but in what has to be done?

Cause i can already guess the commands are different if i'm going to try whirlpool.


Thank you for your time.

PS: I wondered which section to put it in, but due to it's about php programming
i thought this section would fit the best.

PPS: Yes i already know html, css, and some php already though i don't do advanced stuff.
Reply With Quote
  #2  
Old 05-31-2008, 11:55 PM
MoT3rror MoT3rror is offline
 
Join Date: Mar 2007
Posts: 423
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well you will have to change the md5 encryption in the javascript when any password is submitted. You will also have to modify vB_Session::vB_Session if you want to change how cookies are read in the system. You will also need to modify vB_DataManager_User::hash_password. There is probably more places but that covers a lot right there.
Reply With Quote
  #3  
Old 06-01-2008, 09:40 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

The current hash used in vBulletin is more than enough. And possibly much faster as well.
Reply With Quote
  #4  
Old 06-01-2008, 01:07 PM
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Location: Indianapolis
Posts: 2,451
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I think it'd be more hassle then its worth evne though thats not want you wanted to hear. you'd hve to go replace every instance of how the pw is stored, and recalled and all the javascript files. Probably an 11/10 on the hard stuff to do meter
Reply With Quote
  #5  
Old 06-01-2008, 01:49 PM
MaXeL3G3ND MaXeL3G3ND is offline
 
Join Date: Dec 2007
Location: ::1
Posts: 19
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well it sure would be hard work, though Whirlpool is way more safe than md5.
I work with security, and try see how many examples you can find on cracking
whirlpool compared to md5. (i didn't find any, only wordlists and bruteforcing might work).

When compared to speed, it takes 0.005 seconds to spit out an md5 hash aprox.
And when using whirlpool, that takes from 0.005-0.025 seconds aprox, so the
difference is it would be a little slower, compared to that the security on a forum
would suddenly be better.

Thanks anyways for your replies.

@Dismounted --> I'm sorry to say i've seen examples of vB-admin passwords getting
cracked within 7 days several times, and that was strong non-dictionary passwords. This is not ment as an offence in anyway.
Reply With Quote
  #6  
Old 06-02-2008, 09:14 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

AFAIK the vBulletin multiple salted md5 hashes have not been compromised in any way. Also no rainbow tables exist for the vB hash AFAIK.

If you have information that it could be bruteforced or cracked in anyway, please sent me a PM with the details.
Reply With Quote
  #7  
Old 06-03-2008, 04:24 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Even dictionary words should not be able to be simply bruteforced.

Simple dictionary word hashed the vBulletin way: 468e7c840e8eb3b2e221dd9caa178d00
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 08:27 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04178 seconds
  • Memory Usage 2,214KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_php
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete