topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Monday March 18, 2024, 9:15 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: DONE: create a stand alone app that implements oplop  (Read 10045 times)

helmar

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 14
    • View Profile
    • Donate to Member
DONE: create a stand alone app that implements oplop
« on: November 29, 2012, 07:21 AM »
This was accidently posted under the "Coding Snack Guidelines" area and not the "Post New Requests Here", (can someone delete the post located at https://www.donation....php?topic=33063.new - thanks.)
There are various implementations of oplop (http://code.google.c...wiki/Implementations), but I am looking for a Windows based one, if possible done in AutoIT.

Some ideas that I would like to see, and I know this then makes the request outside of the canon for oplop:
select the length of the created password hash, with 8 being the least accepted length

Current canon states "Oplop also makes sure there is at least one digit and one letter in every unique account password in case a web site requires that sort of thing."
I would like to have a check box that allow the inclusion of special character from a predefined listing.  It could as simple as allow a ampersand (or char of the user's chosing), Yes / No?

Technical Details (http://code.google.c...plop/wiki/HowItWorks)
Oplop is a password hashing algorithm. The steps it takes to generate an account password is:
1.Concatenate the master password with the nickname (in that order!).
2.Generate the MD5 hash of the concatenated string.
3.Convert the MD5 hash to URL-safe Base64.
4.See if there are any digits in the first 8 characters. If no digits are found ...
  1.Search for the first uninterrupted substring of digits.
  2.If a substring of digits is found, prepend them to the Base64 string.
  3.If no substring is found, prepend a 1.
5.Use the first 8 characters as the account password.
« Last Edit: November 30, 2012, 11:00 AM by helmar, Reason: delete was made by Admin - thanks! »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #1 on: November 29, 2012, 01:02 PM »
Seems like a great idea to me.  Would make a great NANY 2013 entry too.

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #2 on: November 29, 2012, 01:34 PM »
I gave this an attempt but my results did not match what the author's website implementation produced.  For example, the author states that a nickname of "Amazon" and a master password of "secret password" should result in "sar4_zIs" as the generated password.  However, after following the rules on the author's page, this is what I get:

Concatenated string: Amazonsecret password
MD5 hash of the concatenated string: fe6b656b873349bcc7f69509d0ca5d79
Base64 hash of the MD5 hash: ZmU2YjY1NmI4NzMzNDliY2M3ZjY5NTA5ZDBjYTVkNzk=

The next set of rules only applies if there isn't a number within the first eight characters so, in this case, one exists and we should take the first eight characters for the final password: ZmU2YjY1  You can see that this isn't even close to what it's supposed to be: sar4_zIs

It could be that the Base64 function I'm using isn't URL-safe but I can't see how it would make that much difference.  Maybe it would...

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,610
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #3 on: November 29, 2012, 01:52 PM »
if possible done in AutoIT.
Why is that a requirement?

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #4 on: November 29, 2012, 02:04 PM »
if possible done in AutoIT.
Why is that a requirement?

I suppose the OP could be familiar with AutoIT and would like to study the source if the app was written in it.   :)

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,610
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #5 on: November 29, 2012, 02:43 PM »
for the final password: ZmU2YjY1  You can see that this isn't even close to what it's supposed to be: sar4_zIs
I have the same results you get, and I'm using PascalScript (of Inno Setup fame ;))
Wonder Now I see how he manages to get an underscore in the Base64'd result, as that's not in my Base64 characterset (A-Z, a-z, + and / filled-up with = at the end as needed) :tellme:

Found it: base64url, has - and _ instead of + and /

But the result is still not even close :(
« Last Edit: November 29, 2012, 02:48 PM by Ath »

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,610
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #6 on: November 29, 2012, 02:57 PM »
But the result is still not even close :(
Checked the MD5 results of PascalScript with the values shown in the MD5 wiki page, and they're exactly the same, so most presumable he used his own secret password instead of 'secret password' for the example. Now let's see if we can hack his Amazon account... :greenclp:

skwire

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 5,286
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #7 on: November 29, 2012, 03:37 PM »
so most presumable he used his own secret password instead of 'secret password' for the example

I don't think so since I ran the "Amazon/secret password" combo on his web implementation and got the correct output.

https://oplop.appspot.com/

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,610
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #8 on: November 29, 2012, 05:21 PM »
Oops, why didn't we 'see' that?  :-[
My current result:
Concatenated string: secret passwordAmazon
MD5 result: 0xb1aaf8ff322cc425df0589656079154b
Base64 encoded: sar4_zIsxCXfBYllYHkVSw==
Oplop password: sar4_zIs


The culprit is the red marked 0x, the output of both our MD5 encoders is a bin to hex-string conversion. That has to be recoded into binary data, then fed to a base64url encoder to get the desired result :up:

And the concatenation is expected to be "secret password" + "mnemonic", and not the other way around :tellme:
(saw that when I eventually re-did the implementation in AutoIt, just for the fun of it :P)

Code: AutoIt [Select]
  1. #include <Crypt.au3>
  2. #include "Base64.au3"
  3.  
  4. ; oplop, returns private_password + mnemonic -> oplop passwordhash
  5. Func oplop($secret, $mnemonic)
  6.     Local $i, $b = False
  7.     ; Next 2 Global vars should be Local, now global only for msgbox use :-)
  8.     Global $md5 = _Crypt_HashData($secret & $mnemonic , $CALG_MD5)
  9.     Global $base64 = StringReplace(StringReplace(_Base64Encode($md5, 256), "/","_"), "+","-") ; additional conversions for base64url
  10.     Local $r = ""
  11.     For $i = 1 To 8
  12.         If StringRegExp(StringMid($base64, $i, 1), "\d") Then $b = True
  13.     Next
  14.     If Not $b Then
  15.         $i = 8
  16.         While $i <= StringLen($base64)
  17.             If StringRegExp(StringMid($base64, $i, 1), "\d") Then
  18.                 If Not $b Then
  19.                     $b = True
  20.                     $r &= StringMid($base64, $i, 1)
  21.                 Else
  22.                     $r &= StringMid($base64, $i, 1)
  23.                 EndIf
  24.             Else
  25.                 If $b Then $i = StringLen($base64)
  26.             EndIf
  27.             $i += 1
  28.         WEnd
  29.     EndIf
  30.     Return StringLeft($r & $base64, 8)
  31.  
  32. Local $secret = "secret password", $mnemonic = "Amazon"
  33.  
  34. Local $result = oplop($secret, $mnemonic)
  35.  
  36. MsgBox(0,"test","Concatenated string: " & $secret & $mnemonic & @CRLF & "MD5 result : " & $md5 & @CRLF & "Base64 encoded : " & $base64 & @CRLF & "Oplop password: " & $result)

It uses the base64 coding routines found here

helmar

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 14
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #9 on: November 30, 2012, 11:11 AM »
Thanks everyone.

mouser - thanks for the comments and idea about NANY 2013 entry.

skwire and Ath - thanks for the time you have put into this, I do appreciate it.

The reason I asked about in in AutoIT is exactly as skwire surmised, I have used it before.  I code, but I would not say I am a coder (yet).

I tried to get the "Base64.au3" from the link you posted, but everytime I get the zip file, it shows as corrupt.  Is there any other location for that include file?

Thanks very much.

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,640
    • View Profile
    • Donate to Member
Re: DONE: create a stand alone app that implements oplop
« Reply #10 on: November 30, 2012, 07:30 PM »
Is there any other location for that include file?

Attached.