External DB authentication fails with encrypted passwords


by Rajisha Raj -
Number of replies: 2

I would like to authenticate my users from an external .NET web application. Have successfully configured external DB authentication and Moodle is able to talk to the MS SQL server. But am unable to log in to Moodle using the external DB authentication credentials since the passwords stored in the SQL table are encrypted by the web application. The encryption method used is given below. What should I do to make the external DB authentication work?

Here is the encryption/decryption method used:

    using System.Text;

    public class clsSecurity
    {
        // Fixed single-byte keys compiled into the application.
        private static int encryptionKey1 = 0x56;
        private static int encryptionKey2 = 0x4b;

        // XORs every character with key 2, then key 1. XOR is its own inverse
        // and the order of the keys does not matter, so this performs the
        // same transform as Encrypt.
        public static string Decrypt(string textToEncrypt)
        {
            StringBuilder builder = new StringBuilder(textToEncrypt);
            StringBuilder builder2 = new StringBuilder(textToEncrypt.Length);
            for (int i = 0; i < textToEncrypt.Length; i++)
            {
                char ch = (char) (((ushort) (builder[i] ^ encryptionKey2)) ^ encryptionKey1);
                builder2.Append(ch);
            }
            return builder2.ToString();
        }

        // XORs every character with key 1, then key 2.
        public static string Encrypt(string textToEncrypt)
        {
            StringBuilder builder = new StringBuilder(textToEncrypt);
            StringBuilder builder2 = new StringBuilder(textToEncrypt.Length);
            for (int i = 0; i < textToEncrypt.Length; i++)
            {
                char ch = (char) (((ushort) (builder[i] ^ encryptionKey1)) ^ encryptionKey2);
                builder2.Append(ch);
            }
            return builder2.ToString();
        }
    }

In reply to Rajisha Raj

Re: External DB authentication fails with encrypted passwords

by Leon Stringer -

Moodle's external database authentication plugin (auth_db) has support for some common hashing algorithms. If you want to use a different algorithm you'll need to implement that in PHP or implement a PHP wrapper, then modify Moodle's source code to call this.

This reply discusses adding a password format to auth_db. In your case you would call a function for your PHP implementation to verify the password using your algorithm.

Modifying core code can get in the way of installing updates and accessing support so you should be aware of that risk.

In the code excerpt it looks like you're using your own encryption algorithm, and this is a two-way algorithm: passwords can be decrypted. I think this is a bad idea; instead, you should use an established library to create the password hash and use a one-way algorithm so that passwords cannot be decrypted.

Average of ratings: Useful (1)
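
An added example, not part of the original thread and not Moodle's auth_db code: standalone PHP covering both points in the reply above. It ports the question's XOR scheme so existing rows can still be checked, then replaces each row with a one-way `password_hash()` value on the next successful login. The function names and the migrate-on-login approach are assumptions, as is treating passwords as UTF-8 text with BMP characters only.

```php
<?php
declare(strict_types=1);

// Port of clsSecurity.Encrypt from the question: every character is XORed with
// 0x56 and then 0x4b. Assumption: passwords reach PHP as UTF-8 and contain only
// BMP characters, so code points equal the UTF-16 code units the C# code sees.
function legacy_xor_encrypt(string $text): string {
    $out = '';
    foreach (mb_str_split($text, 1, 'UTF-8') as $ch) {
        $out .= mb_chr((mb_ord($ch, 'UTF-8') ^ 0x56) ^ 0x4b, 'UTF-8');
    }
    return $out;
}

// Hypothetical helper: check one login attempt against the stored value.
// Returns the value the row should hold afterwards (always a one-way hash),
// or null when the password is wrong.
function verify_and_upgrade(string $entered, string $stored): ?string {
    if (password_get_info($stored)['algo']) {
        // Row already migrated: verify with PHP's password API.
        if (!password_verify($entered, $stored)) {
            return null;
        }
        return password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? password_hash($entered, PASSWORD_DEFAULT)
            : $stored;
    }
    // Legacy row: re-apply the XOR transform and compare in constant time.
    if (!hash_equals($stored, legacy_xor_encrypt($entered))) {
        return null;
    }
    return password_hash($entered, PASSWORD_DEFAULT);
}

// Constructed sample data, not taken from the thread.
$password = 'Example-Passw0rd';
$legacyRow = legacy_xor_encrypt($password);
$newRow = verify_and_upgrade($password, $legacyRow);

if ($newRow === null || !password_verify($password, $newRow)) {
    throw new RuntimeException('legacy row should verify and upgrade');
}
if (verify_and_upgrade('wrong-guess', $legacyRow) !== null) {
    throw new RuntimeException('wrong password must be rejected');
}
if (verify_and_upgrade($password, $newRow) !== $newRow) {
    throw new RuntimeException('migrated row should verify unchanged');
}
echo "legacy row verified and replaced by a one-way hash\n";
```

Requires PHP 7.4 or later with the mbstring extension. Once every active account has logged in, the legacy branch and `legacy_xor_encrypt()` can be removed.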
In reply to Leon Stringer

Re: External DB authentication fails with encrypted passwords

by Rajisha Raj -
Thank you so much for your valuable feedback. Will ask our developer to change the encryption format.