
How to decrypt Magento Enterprise Edition password?

Tags:

magento

I just noticed that the Magento Enterprise and Community editions use different algorithms for storing passwords. I know Community Edition uses MD5. Can anyone tell me which mechanism is used in Enterprise Edition, and how we can decrypt an Enterprise password if we want to migrate to Community Edition?

Palanikumar asked Nov 30 '12 10:11


2 Answers

Hashes are one-way encryption. You're not supposed to be able to decrypt the password.

Basic operations for passwords:

  1. The customer signs up for an account and enters a password. The system adds a salt, encrypts the password and stores the resulting password hash in the database.

  2. The customer logs in, enters the password. The system adds a salt, encrypts the password and compares the generated password hash with the stored password hash. When the hashes are equal, the login system knows the customer knows the password without actually knowing the password itself.

So, if one system uses SHA1 and another uses old, expired MD5, the only way you can get the password back into the system is to have the customer reenter the password so the new hash algorithm gets invoked and the new hash gets stored.

You have the Enterprise source code; write a module that uses the Enterprise hashing function to store and compare the passwords, and you'll have CE with an updated, security-enhanced method to store passwords and should be able to bring the password hashes over from the old site.

Some additional information:

The encryption method used is found in the Mage_Core_Model_Encryption class.

Three functions of interest are:

  1. public function hash($data)
  2. public function getHash($password, $salt = false)
  3. public function validateHash($password, $hash)

Function Code From 1.7.x.x

public function hash($data)
{
    return md5($data);
}

public function getHash($password, $salt = false)
{
    if (is_integer($salt)) {
        $salt = $this->_helper->getRandomString($salt);
    }
    return $salt === false ? $this->hash($password) : $this->hash($salt . $password) . ':' . $salt;
}

public function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);
    switch (count($hashArr)) {
        case 1:
            return $this->hash($password) === $hash;
        case 2:
            return $this->hash($hashArr[1] . $password) === $hashArr[0];
    }
    Mage::throwException('Invalid hash.');
}

It appears that both CE and Enterprise use the same routines; you will have to check that out, as you have the Enterprise code.

Changing the encryption key in your app/etc/local.xml file to match the key in your Enterprise version and then importing the Enterprise data into the CE database will allow access to encrypted data. Passwords, though, are stored as hashes (see the function blocks above) and are non-reversible because of that. The pertinent section in local.xml where the encryption key is stored:

<crypt>
    <key><![CDATA[-encryption-key-here-]]></key>
</crypt>

Fiasco Labs answered Sep 19 '22 13:09
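
The rehash-on-login approach described in the answer above, as an added example that is not part of the original answer or of Magento's code: it verifies the legacy `md5(salt . password):salt` format shown in `validateHash()` and, once the customer logs in successfully, replaces the stored value with `password_hash()` output. The function names and the in-memory `$store` array (standing in for a customer table) are hypothetical.

```php
<?php
// Added example. Only the "md5(salt . password):salt" format comes from the
// page; function names and $store (a stand-in customer table) are hypothetical.

/** Check a password against "md5hex" or "md5hex:salt", as validateHash() does. */
function verifyLegacyHash(string $password, string $stored): bool
{
    $parts = explode(':', $stored);
    if (count($parts) === 1) {
        $expected = md5($password);
    } elseif (count($parts) === 2) {
        $expected = md5($parts[1] . $password);
    } else {
        return false; // malformed record: fail closed
    }
    return hash_equals($parts[0], $expected); // constant-time comparison
}

/** Verify a login; a legacy hash that verifies is replaced by password_hash(). */
function loginAndUpgrade(array &$store, string $email, string $password): bool
{
    if (!isset($store[$email])) {
        return false;
    }
    $stored = $store[$email];
    if (strncmp($stored, '$', 1) === 0) { // already in password_hash() format
        return password_verify($password, $stored);
    }
    if (!verifyLegacyHash($password, $stored)) {
        return false;
    }
    // The plaintext is only available now, so this is the moment to re-hash.
    $store[$email] = password_hash($password, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample record (salt "aB", password "s3cret!"), not real data.
$store = ['jane@example.com' => md5('aB' . 's3cret!') . ':aB'];

foreach (['wrong-guess', 's3cret!', 's3cret!'] as $attempt) {
    $ok = loginAndUpgrade($store, 'jane@example.com', $attempt);
    $format = strncmp($store['jane@example.com'], '$', 1) === 0 ? 'modern' : 'legacy';
    printf("%-12s login=%s stored=%s\n", $attempt, $ok ? 'ok' : 'fail', $format);
}
```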


I think it's on your app/etc/local.xml or app/etc/enterprise.xml on Magento EE

The Decrypt function On Magento Enterprise Edition

/**
 * Decrypt a string
 *
 * @param string $data
 * @return string
 */
public function decrypt($data)
{
    return str_replace("\x0", '', trim($this->_getCrypt()->decrypt(base64_decode((string)$data))));
}

and

/**
 * Instantiate crypt model
 *
 * @param string $key
 * @return Varien_Crypt_Mcrypt
 */
protected function _getCrypt($key = null)
{
    if (!$this->_crypt) {
        if (null === $key) {
            $key = (string)Mage::getConfig()->getNode('global/crypt/key');
        }
        $this->_crypt = Varien_Crypt::factory()->init($key);
    }
    return $this->_crypt;
}

It seems to be the same function in Enterprise Edition and Community Edition. You should ask the Magento Enterprise Edition owner for the crypt key and decrypt it with CE. It would be fine, because I'm sneaking a look at Magento Enterprise Edition's code and the code is the same as Community Edition's (for encryption/decryption).

added after comment 1:

/**
 * Hash a string
 *
 * @param string $data
 * @return string
 */
public function hash($data)
{
    return md5($data);
}

/**
 * Validate hash against hashing method (with or without salt)
 *
 * @param string $password
 * @param string $hash
 * @return bool
 * @throws Exception
 */
public function validateHash($password, $hash)
{
    $hashArr = explode(':', $hash);
    switch (count($hashArr)) {
        case 1:
            return $this->hash($password) === $hash;
        case 2:
            return $this->hash($hashArr[1] . $password) === $hashArr[0];
    }
    Mage::throwException('Invalid hash.');
}

Josua Marcel C answered Sep 20 '22 13:09