Encrypt a plain-text password in actionscript with the wordpress hash

1
votes

I have a Flash/ActionScript login client that sends the password to the server. On the server, that password is checked a WordPress database. The passwords are encrypted with the WordPress encryption method.

I'm using smartfoxserver2x, which encrypts the password on the client side before it is sent to the the server to be checked against the database (WordPress-encrypted) password.

So here's the flow:

  1. on the client, plain text password gets encrypted by sfs2x and sent to the server
  2. on the server, sfs2x uses checkSecurePassword() to remove the sfs2x encryption and compare the plain-text password entered with the WordPress-encrypted password. They will obviously be different.

On the sfs2x forums, it was suggested that I encrypt the plain-text password with the WordPress hash before sfs2x encrypts it and sends it on the server. So I need to have 3 steps now:

  1. on the client, plain text password gets encrypted with wordpress hash
  2. on the client, that password gets encrypted by sfs2x
  3. on the server, sfs2x uses checkSecurePassword() which removes the sfs2x encryption.

How can I achieve the first step?

My client login is in ActionScript. I am able to grab the password plain-text in ActionScript, but I don't know how to apply that WordPress encryption method (php) in ActionScript.

1
wordpressencryptionactionscriptpasswordssmartfoxserver

1 Answers

1
votes

Would it not be more straight-forward to just store the sfs2x hash in the database, rather than the WordPress hash (albeit, I haven't worked with WordPress as of yet)?

Plus, if it initially hashes in sfs2x, what do you store in the database? The wp hash of the sfs2x hash? I ask mainly as from what I can find, both wp and sfs2x use non-recoverable encryption methods (MD5 for both?). That, and you say the two are different. If sfs2x is hashed by wp into the database, it's that hash that wp will recognise, not the plain-text.

PS: I'm pretty new to the encryption game, so from what I've said, the issue I can see is hashing by sfs2x when the user enters the password ends up being different to hash when the user first entered their password; albeit, I'm unsure if that would occur. Again, I'm new.