Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 01 Jun 2008, 00:15
MaXeL3G3ND MaXeL3G3ND is offline
 
Join Date: Dec 2007
Possible to change encryption used in vB?

Hello there,

Today i was wondering, is it possible to change the encryption used in vBulletin,
to f.ex. lets say whirlpool instead? I also wonder how much work would be needed?

I don't want to hear about converting the passwords that are already stored,
i only want to know how hard it is possible to change the encryption used?

An example of a strong algorithm which works in PHP5 atleast: (havent tried in PHP4)

Block Disabled:      (Update License Status)  
Suspended or Unlicensed Members Cannot View Code.

Which spits out test as a 512-bit whirlpool encryption.

Now i just wonder if anyone could guide me just a tiny but in what has to be done?

Cause i can already guess the commands are different if i'm going to try whirlpool.


Thank you for your time.

PS: I wondered which section to put it in, but due to it's about php programming
i thought this section would fit the best.

PPS: Yes i already know html, css, and some php already though i don't do advanced stuff.
Reply With Quote
  #2  
Old 01 Jun 2008, 00:55
MoT3rror MoT3rror is offline
 
Join Date: Mar 2007
Well you will have to change the md5 encryption in the javascript when any password is submitted. You will also have to modify vB_Session::vB_Session if you want to change how cookies are read in the system. You will also need to modify vB_DataManager_User::hash_password. There is probably more places but that covers a lot right there.
Reply With Quote
  #3  
Old 01 Jun 2008, 10:40
Dismounted's Avatar
Dismounted Dismounted is online now
 
Join Date: Jun 2005
Real name: Hanson
The current hash used in vBulletin is more than enough. And possibly much faster as well.
__________________
Former vBulletin.org Staff Member

View My Modifications
29 Releases and Counting... Latest Modification: dmActivityStream - vBookie Integration (4.x)

Please do not PM me to ask for support - please use the relevant thread or forum.
Reply With Quote
  #4  
Old 01 Jun 2008, 14:07
SEOvB's Avatar
SEOvB SEOvB is offline
 
Join Date: May 2007
Real name: Jarvis
I think it'd be more hassle then its worth evne though thats not want you wanted to hear. you'd hve to go replace every instance of how the pw is stored, and recalled and all the javascript files. Probably an 11/10 on the hard stuff to do meter
__________________
vBulletin Services and vBulletin Hosting
Reply With Quote
  #5  
Old 01 Jun 2008, 14:49
MaXeL3G3ND MaXeL3G3ND is offline
 
Join Date: Dec 2007
Well it sure would be hard work, though Whirlpool is way more safe than md5.
I work with security, and try see how many examples you can find on cracking
whirlpool compared to md5. (i didn't find any, only wordlists and bruteforcing might work).

When compared to speed, it takes 0.005 seconds to spit out an md5 hash aprox.
And when using whirlpool, that takes from 0.005-0.025 seconds aprox, so the
difference is it would be a little slower, compared to that the security on a forum
would suddenly be better.

Thanks anyways for your replies.

@Dismounted --> I'm sorry to say i've seen examples of vB-admin passwords getting
cracked within 7 days several times, and that was strong non-dictionary passwords. This is not ment as an offence in anyway.
Reply With Quote
  #6  
Old 02 Jun 2008, 10:14
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
AFAIK the vBulletin multiple salted md5 hashes have not been compromised in any way. Also no rainbow tables exist for the vB hash AFAIK.

If you have information that it could be bruteforced or cracked in anyway, please sent me a PM with the details.
__________________
Marco van Herwaarden
Ex vBulletin.org Coordinator
Reply With Quote
  #7  
Old 03 Jun 2008, 05:24
Dismounted's Avatar
Dismounted Dismounted is online now
 
Join Date: Jun 2005
Real name: Hanson
Even dictionary words should not be able to be simply bruteforced.

Simple dictionary word hashed the vBulletin way: 468e7c840e8eb3b2e221dd9caa178d00
__________________
Former vBulletin.org Staff Member

View My Modifications
29 Releases and Counting... Latest Modification: dmActivityStream - vBookie Integration (4.x)

Please do not PM me to ask for support - please use the relevant thread or forum.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 05:51.

Layout Options | Width: Wide Color: