UNIX Socket FAQ

A forum for questions and answers about network programming on Linux and all other Unix-like systems


#1 2010-08-03 04:19 PM

RipRage
Member
From: England
Registered: 2010-01-06
Posts: 146

Re: Creating a database

Dear experts
I would like to add a register/login feature to my program. I will be very grateful if anyone can give me hints on how I can create a secure database to store the users' login information. The simple code below just stores the information in a file, which of course is not a good method unless I use some sort of encryption...

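#include <stdio.h>
#include <string.h>

struct user_info {
	char user[30];
	char pass[30];
};

/* Read one line into buf, never writing more than size bytes (gets() cannot
   do this and overflows the buffer on long input). Returns -1 on EOF/error. */
static int read_line(char *buf, size_t size)
{
	size_t n;
	int c;

	if (fgets(buf, (int)size, stdin) == NULL)
		return -1;
	n = strcspn(buf, "\n");
	if (buf[n] == '\n')
		buf[n] = '\0';	/* strip the newline fgets() keeps */
	else
		while ((c = getchar()) != '\n' && c != EOF)
			;	/* discard the rest of an over-long line */
	return 0;
}

int main(void)
{
	FILE *fp;
	struct user_info store;
	int a, b;

	printf("Please enter a username: ");
	if (read_line(store.user, sizeof store.user) != 0)
		return 1;
	printf("Please enter a password: ");
	if (read_line(store.pass, sizeof store.pass) != 0)
		return 1;

	/* Re-prompt until both fields are 5 to 15 characters long */
	while (1) {
		a = (int)strlen(store.user);
		if (a >= 5 && a <= 15) {
			b = (int)strlen(store.pass);
			if (b >= 5 && b <= 15) {
				printf("Creating account....\n");
				break;
			} else {
				printf("Please enter a password using characters between 5 and 15!\nTry again: ");
				if (read_line(store.pass, sizeof store.pass) != 0)
					return 1;
				continue;
			}
		} else {
			printf("Please enter a username using characters between 5 and 15!\nTry again: ");
			if (read_line(store.user, sizeof store.user) != 0)
				return 1;
			continue;
		}
	}

	if ((fp = fopen("User.dat", "w")) == NULL) {
		printf("Failed to create account!\n");
		return 1;
	} else {
		/* Stores the password in plain text, as described above */
		fprintf(fp, "User: %s\tPass: %s\t", store.user, store.pass);
		fclose(fp);
	}

	printf("Account has been created.....\n\n");

	return 0;
}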

Looking forward to your replies :)


#2 2010-08-04 02:13 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database

You shouldn't store the passwords as given, nor encrypted. Instead you should
hash them together with the username and a salt in a secure way. After that
it doesn't really matter how you store it, as it doesn't contain any sensitive
information.

Don't use MD5 or SHA-1.


#3 2010-08-11 03:00 PM

RipRage
Member
From: England
Registered: 2010-01-06
Posts: 146

Re: Creating a database

Thanks for your reply. I'm still not sure how I would do that. Would I need to create a function which hashes the 2 strings together and a simple fprintf() into a file to store them? I imagine I would need to create a second function to decrypt the hashes back to a readable string? If anyone can suggest more information on hash functions and how they work, I will be most grateful. Would like to grok them!

Many thanks


#4 2010-08-11 07:58 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database


#5 2010-08-11 08:12 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#6 2010-08-11 08:20 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#7 2010-08-11 09:03 PM

RipRage
Member
From: England
Registered: 2010-01-06
Posts: 146

Re: Creating a database

Holy cow! That's a lot to take in for a self learner like myself hehe :-) but thank you guys, your knowledge is incredible. You have now given me a notation, now for me to convert it to code :-)

Thanks again


#8 2010-08-11 10:38 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database


#9 2010-08-12 01:20 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#10 2010-08-12 04:05 PM

RipRage
Member
From: England
Registered: 2010-01-06
Posts: 146

Re: Creating a database

OK guys, I've been looking at hash functions for an hour or so this morning, and I thought I would have a go at making my own... To keep this simple I haven't included a salt (that's the next stage), instead I have just based it on the old RSHash function, so I can understand the notation of hashing the user-name + password together in code :-)... Also stuck on a Windows machine at this current time so no crypt() function, which I believe is only Unix based...

here it goes...

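/* My first hash function */

#include <stdio.h>
#include <string.h>

// Create a function which hashes username & password together.
// The loop reads len bytes from BOTH strings, i.e. past each terminator;
// main() passes zero-filled 30-byte buffers and len <= 20, so the extra
// bytes are in bounds and always 0.

unsigned int hashit(char *str1, char *str2, unsigned int len)
{
	unsigned int b = 378551;
	unsigned int a = 63689;
	unsigned int hash = 0;
	unsigned int i = 0;

	for (i = 0; i < len; str1++, str2++, i++) {
		hash = hash * a + (*str1) + (*str2);
		a = a * b;
	}

	printf("The hash is: %u\n", hash);

	return hash;
}

// Read one line into a zero-filled buffer, bounded by size (replaces gets(),
// which overflows on long input). Returns -1 on EOF or error.

static int read_line(char *buf, size_t size)
{
	size_t n;
	int c;

	memset(buf, 0, size);
	if (fgets(buf, (int)size, stdin) == NULL)
		return -1;
	n = strcspn(buf, "\n");
	if (buf[n] == '\n')
		buf[n] = '\0';
	else
		while ((c = getchar()) != '\n' && c != EOF)
			; // discard the rest of an over-long line
	return 0;
}

// Main

int main(void)
{
	char user[30];         // Username
	char pass[30];         // Password
	int ulen, plen, total; // Length of username + password

	printf("Hash test...\n");

	printf("\nPlease enter a username: ");
	if (read_line(user, sizeof user) != 0)
		return 1;
	printf("\nPlease enter a password: ");
	if (read_line(pass, sizeof pass) != 0)
		return 1;

	// Check character length on input

	while (1) {

		ulen = (int)strlen(user);

		if (ulen >= 5 && ulen <= 10) {

			plen = (int)strlen(pass);

			if (plen >= 5 && plen <= 10) {

				total = ulen + plen;

				printf("\nDisplay results...\n\nUser: %s\tUser_len: %d\tPass: %s\tPass_len: %d\tTotal: %d\t\n\n", // Show results
					user, ulen, pass, plen, total);

				hashit(user, pass, (unsigned int)total); // Hash the strings

				break;

			} else {

				printf("\nPlease enter a password using characters between 5 and 10!\nTry again: ");
				if (read_line(pass, sizeof pass) != 0)
					return 1;
				continue;
			}
		} else {

			printf("\nPlease enter a username using characters between 5 and 10!\nTry again: ");
			if (read_line(user, sizeof user) != 0)
				return 1;
			continue;
		}
	}

	getchar();

	return 0;
}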

Output....

Hash test...

Please enter a username: Daniel

Please enter a password: hashing

Display results...

User: Daniel    User_len: 6     Pass: hashing   Pass_len: 7     Total: 13


The hash is: 4225718179



It Works... Looking forward to hearing your great knowledge once again :-)


#11 2010-08-12 07:22 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#12 2010-08-13 11:43 PM

RipRage
Member
From: England
Registered: 2010-01-06
Posts: 146

Re: Creating a database


#13 2010-08-14 07:13 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#14 2010-08-14 07:43 PM

RipRage
Member
From: England
Registered: 2010-01-06
Posts: 146

Re: Creating a database

Damn it! I know all this, I'm annoyed with myself for even thinking of that notation in the first place :-(... Oh well back to the drawing board, need to look up and see if windoze have any functions for creating ssl sockets...


#15 2010-08-15 10:43 AM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database

Well, it's not such a bad idea for account creation, because then it doesn't
really matter. It's just that for every login after that you have to do it the
conventional way of sending the username + password, so you're only making
the implementation more complicated.

But if you never want to send the plain password then you can do double
hashing, with the client sending a hash, and the server hashing that again
with its salt added. If you want the client to be stateless but still protect a bit
against pre-computed dictionary attacks, then always use the same salt for the
client hashing. E.g. hash username + fixedsalt + password on the client, and
just username + clienthash + salt on the server.

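The scheme from posts #2 and #15, sketched as an added example that is not part of the original thread (written in Python because its standard library ships the needed primitives): the client computes hash(username + fixedsalt + password) and the server stores hash(username + clienthash + salt), verifying a login by recomputing rather than decrypting. PBKDF2-HMAC-SHA256, the iteration count, `FIXED_CLIENT_SALT` and the record layout are assumptions chosen here; the posts only say "hash".

```python
import hashlib
import hmac
import os

FIXED_CLIENT_SALT = b"example-app-v1"  # assumption: public constant shipped with the client
ITERATIONS = 100_000                   # assumption: PBKDF2 work factor picked for this example


def _kdf(secret: bytes, username: str, salt: bytes) -> bytes:
    """Slow salted hash. The username is length-prefixed so bytes cannot be
    shifted between username and salt to produce the same input."""
    user = username.encode("utf-8")
    bound_salt = len(user).to_bytes(2, "big") + user + salt
    return hashlib.pbkdf2_hmac("sha256", secret, bound_salt, ITERATIONS)


def client_hash(username: str, password: str) -> bytes:
    """Client side: hash(username + fixedsalt + password). Stateless and repeatable."""
    return _kdf(password.encode("utf-8"), username, FIXED_CLIENT_SALT)


def server_register(username: str, chash: bytes) -> dict:
    """Server side: hash(username + clienthash + salt) with a fresh random salt per account."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt.hex(), "hash": _kdf(chash, username, salt).hex()}


def server_verify(record: dict, username: str, chash: bytes) -> bool:
    """Login: recompute from the stored salt and compare in constant time."""
    if username != record["user"]:
        return False
    expected = bytes.fromhex(record["hash"])
    actual = _kdf(chash, username, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample account, reusing the username and password from post #10.
    rec = server_register("Daniel", client_hash("Daniel", "hashing"))
    print("stored record:", rec)  # what goes into the file instead of the plain password
    print("correct password:", server_verify(rec, "Daniel", client_hash("Daniel", "hashing")))
    print("wrong password:  ", server_verify(rec, "Daniel", client_hash("Daniel", "hashinG")))
```

The server accepts the client hash as the credential, so, as post #22 points out, it still has to travel over a protected channel.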

#16 2010-08-15 04:43 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#17 2010-08-16 01:36 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database


#18 2010-08-16 10:37 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#19 2010-08-17 11:59 AM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database


#20 2010-08-17 01:25 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#21 2010-08-17 03:18 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database


#22 2010-08-17 03:22 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database

Oh, and one big downside of my approach: You still need a secure way of
exchanging the password hash.


#23 2010-08-17 07:48 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database


#24 2010-08-17 07:56 PM

i3839
Oddministrator
From: Amsterdam
Registered: 2003-06-07
Posts: 2,239

Re: Creating a database

Sending the plain text password should never be done, just send the hash.
It's only one extra hash on the client side, nothing needs to change on the
server side.

But yeah, once you need SSL, you can as well do the RSA thing both ways.


#25 2010-08-18 01:40 PM

RobSeace
Administrator
From: Boston, MA
Registered: 2002-06-12
Posts: 3,847
Website

Re: Creating a database
