2. Password encryption algorithm for database storage
The way SQL Server stores passwords in the database is just as surprising. The process is as follows:
After the password has been obtained from the decrypted network traffic, SQLSORT_14 is called at 005F9D5A to produce an uppercase copy of the password in a second buffer.
A function at 004DEF6D is then called to retrieve the stored PASSWORD from the database, which has the following layout:
2 bytes: header 0x0100 (fixed)
4 bytes: secret KEY that is appended to the password before hashing (a per-password salt)
20 bytes: HASH1
20 bytes: HASH2
As an example, here is one value I extracted:
0x0100 1751857F DFDEC4FB618D8D18EBA5A27F615639F607CD46BE DFDEC4FB618D8D18EBA5A27F615639F607CD46BE
fixed  KEY      HASH1                                    HASH2
The password is: 123456
SQL Server first appends the 4-byte KEY to each of its two password buffers, one holding the password as supplied (referred to as lowercase below) and one converted to uppercase. Hashing then proceeds as follows:
CryptAcquireContextW(&hProv, NULL, L"Microsoft Base Cryptographic Provider v1.0", 1, 0xF0000000);  /* 1 = PROV_RSA_FULL, 0xF0000000 = CRYPT_VERIFYCONTEXT */
CryptCreateHash(hProv, 0x8004, 0, 0, &hhash);  /* 0x8004 = CALG_SHA1; hash object for the lowercase buffer */
CryptCreateHash(hProv, 0x8004, 0, 0, &hHash);  /* second SHA-1 hash object for the uppercase buffer */
005F9DFE:
CryptHashData(hhash, passwdbuf, 0x12, 0);  /* hash the lowercase password buffer plus KEY */
passwdbuf is the lowercase password buffer with the KEY appended. For the example above, the buffer that gets hashed is:
{'1','2','3','4','5','6',0x17,0x51,0x85,0x7F}
005F9E3E:
CryptHashData(hHash, PASSWDBUF, 0x12, 0);  /* hash the uppercase password buffer plus KEY */
PASSWDBUF is the uppercase password buffer with the same KEY appended.
CryptGetHashParam(hhash, 2, &passwdout, &outlen, 0);  /* 2 = HP_HASHVAL */
This retrieves the hash of passwdbuf, the lowercase password.
CryptGetHashParam(hHash, 2, &PASSWDOUT, &OUTLEN, 0);
This retrieves the hash of PASSWDBUF, the uppercase password. Concatenating these two values gives the PASSWORD field that is actually stored in the database.
Why is this scheme weak? Its real strength is only that of a single 20-byte hash.
The 40-byte value formed by HASH1 (lowercase password) followed by HASH2 (uppercase password) is less safe than a single 20-byte hash, because the relationship between the two values is public knowledge and hands the attacker extra information.
Since the same algorithm produces both, HASH1 == HASH2 shows that the password contains no letters at all, only digits and symbols. The hash of the password 123456 retrieved above is exactly such a case: the two hashes are identical.
And when letters are used, having the KEY, the algorithm and both hash strings should greatly simplify recovering the password.
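To make the storage format and the "equal halves" observation concrete, here is an added example (not code from the original article or from SQL Server) that rebuilds the stored value from a password and KEY, splits a stored value into its fields, verifies a candidate the way the server would, and runs the audit check described above. It assumes the password is hashed in its UCS-2 (UTF-16LE) encoding and uses SHA-1, which is what CALG 0x8004 selects in the CryptoAPI calls above; the KEY in the second example is constructed.

```python
import hashlib
import hmac

HEADER = b"\x01\x00"  # fixed 0x0100 header described above

# The stored value quoted on this page (password 123456), as header || KEY || HASH1 || HASH2.
PAGE_EXAMPLE = bytes.fromhex(
    "0100" "1751857F"
    "DFDEC4FB618D8D18EBA5A27F615639F607CD46BE"
    "DFDEC4FB618D8D18EBA5A27F615639F607CD46BE")


def legacy_mssql_hash(password: str, key: bytes) -> bytes:
    """Build header || KEY || SHA1(pwd || KEY) || SHA1(UPPER(pwd) || KEY).
    UCS-2 (UTF-16LE) encoding of the password is an assumption of this example."""
    if len(key) != 4:
        raise ValueError("KEY must be exactly 4 bytes")
    as_typed = password.encode("utf-16-le") + key          # passwdbuf + KEY
    uppercase = password.upper().encode("utf-16-le") + key  # PASSWDBUF + KEY
    return HEADER + key + hashlib.sha1(as_typed).digest() + hashlib.sha1(uppercase).digest()


def split_fields(stored: bytes):
    """Return (KEY, HASH1, HASH2) from a 46-byte stored value."""
    if len(stored) != 46 or stored[:2] != HEADER:
        raise ValueError("not a 0x0100-format stored password")
    return stored[2:6], stored[6:26], stored[26:46]


def verify(stored: bytes, candidate: str) -> bool:
    """Check a candidate the way the server would: full, case-sensitive comparison."""
    key, _, _ = split_fields(stored)
    return hmac.compare_digest(legacy_mssql_hash(candidate, key), stored)


def audit(stored: bytes) -> dict:
    """Audit-only check: equal halves mean the password contains no letters,
    so the stored credential should be flagged for rotation or a format upgrade."""
    key, hash1, hash2 = split_fields(stored)
    return {"key": key.hex(), "halves_equal": hash1 == hash2}


if __name__ == "__main__":
    print(audit(PAGE_EXAMPLE))                                   # halves_equal is True
    blob = legacy_mssql_hash("Secret1", b"\x00\x01\x02\x03")     # constructed KEY
    print(audit(blob), verify(blob, "Secret1"), verify(blob, "secret1"))
```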