I need to authenticate a user from OUTSIDE of Aware, against his Aware password

If you have questions or if you want to share your opinion about Aware IM post your message on this forum
Jaymer
Posts: 2080
Joined: Tue Jan 13, 2015 10:58 am
Location: Tampa, FL

I need to authenticate a user from OUTSIDE of Aware, against his Aware password

Post by Jaymer »

I'm having a VERY hard time using Aware as a back-end to Appgyver.
I have several major issues, so I was going to just abandon Aware as my REST provider and just use NodeJS.

NOW, the problem I have is with authentication.
I will definitely have users that are native Aware users... so their password is encoded by Aware's algorithm.

Some of those users will ALSO login with my native phone app - and my NodeJS authorization endpoint will receive a username and password.
That queries the MSSQL backend to authenticate.
So how do I see if the submitted password matches the encrypted password in MSSQL?

When I was passing in a PW to an Aware service, I was using the PWD_ENCRYPT() function to compare that result with the stored PW, but I don't have access to this from outside Aware.
Click Here to see a collection of my tips & hacks on this forum? Or search for "JaymerTip" in the search bar at the top.

Jaymer
Aware Programming & Consulting - Tampa FL
joben
Posts: 99
Joined: Wed Nov 06, 2019 9:49 pm
Location: Sweden

Re: I need to authenticate a user from OUTSIDE of Aware, against his Aware password

Post by joben »

Interesting, and completely undocumented as far as I know.

This will not answer your question but might give some ideas about what's going on.

The default Administrator account password is a plain MD5 hash:
password = 5f4dcc3b5aa765d61d8327deb882cf99

However, the new users don't get plain MD5 hashes. The key length is the same, so I guess this is still MD5. So either the input is modified before hashing, or the MD5 algorithm for the new accounts runs slightly differently, like multiple passes. Or a combination of both. I think the first option is the correct one.

The user accounts lack an individual salt. So if you have multiple users with the same password, the hash will be the same.
Here is my theory of what is going on; it would be great if any dev could confirm this:

password -> passwordSecretKey123 -> default MD5 Hash algorithm -> output hash
monkey -> monkeySecretKey123 -> default MD5 Hash algorithm -> output hash
toaster -> toasterSecretKey123 -> default MD5 Hash algorithm -> output hash

So in theory, if you could only acquire the "SecretKey123" part, it would probably be pretty easy to come up with an authentication solution.
Regards, Joakim

mohd.documents
Posts: 53
Joined: Thu Sep 13, 2012 7:06 pm

Re: I need to authenticate a user from OUTSIDE of Aware, against his Aware password

Post by mohd.documents »

Interesting topic, I have the same problem.