Hash algorithm for storing password in internal DB

I want to save the password for a configuration setting (e.g. a new SMTP profile). If I insert plain text for the password column in the SMTPSETTINGS table of the internal database, I get no error, but going back to the Email Settings option on the gateway webpage shows Internal Error.

Skipping the password column in the insert query does create a new SMTP profile. So I think I need to encrypt the plain text before inserting the value.

I tried the SHA1 algorithm to encrypt the password (‘password’) and inserted it in the internal DB table. It gets inserted as below, but I get Internal Error.

import base64
import hashlib

hash = base64.b64encode(hashlib.sha1('password').digest())

query = '''INSERT INTO SMTPSETTINGS (SMTPSETTINGS_ID, NAME, DESCRIPTION, HOSTNAME, PORT, USESSLPORT, SSLENABLED, USERNAME, PASSWORD, SMTPTIMEOUT, DEBUGMODEENABLED, SSLPROTOCOLS)
		   VALUES(3, 'SMTP6', '', '192.168.1.3', 25, True, True, 'user', ?, 10000, FALSE, 'TLSv1.2')'''
system.db.runPrepUpdate(query, [hash], 'InternalDB')

In the above table, both SMTP5 and SMTP6 have the same password ‘password’, so SHA1 is not the correct encryption. MD5 encryption returns ‘X03MO1qnZdYdgyfeuILPmQ==’ for ‘password’ and gives the same Internal Error on adding to the database.

Is there any way to find which encryption algorithm is used?

These passwords aren’t hashed, they are obfuscated via symmetric encryption using a “hidden” key and then encoded in hex.

You can import com.inductiveautomation.ignition.common.GatewaySec and use the encrypt/decrypt methods instead of trying to do it yourself.

https://files.inductiveautomation.com/sdk/javadoc/ignition81/8.1.11/com/inductiveautomation/ignition/common/GatewaySec.html

2 Likes

@Kevin.Herron Thanks for your prompt reply. It resolved the issue.

Is this the same for a DB user source in auto mode? What I am trying to do is to reuse the same users and password table to log in to a .NET app. Is it possible? Or do I have to change the DB user source to manual mode?

I am working with SQLSERVER 2012 as the database.

Regards

The reversible encryption is for use where Ignition must present the password to an external service via that service’s API. Even when the plaintext doesn’t cross the wires, it is usually required in a challenge-response exchange.

For user sources, Ignition is the “receiving” API and can therefore save user passwords as salted hashes. So, no.
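Added example, not part of the original thread and not Ignition's code: the distinction drawn in the reply above, in plain Python 3 using only the standard library. PBKDF2 and CRAM-MD5 (RFC 2195) are stand-ins chosen for illustration, since the thread does not say which algorithms Ignition uses; all function names and sample values are constructed.

```python
import base64
import hashlib
import hmac
import os

def store_salted(password, iterations=100_000):
    """Receiving side: keep only a random salt and the PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_salted(record, candidate):
    """Re-derive from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def cram_md5_response(username, secret, challenge):
    """Sending side (RFC 2195): HMAC-MD5 over the challenge, keyed with the secret."""
    mac = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode((username + " " + mac).encode())

def server_accepts(username, password, challenge, response):
    """The remote service checks the response against the real password."""
    expected = cram_md5_response(username, password.encode(), challenge)
    return hmac.compare_digest(expected, response)

def demo():
    password = "password"                      # constructed sample value
    challenge = b"<1234.5678@mail.example>"    # constructed server challenge
    rec_a, rec_b = store_salted(password), store_salted(password)
    with_plaintext = cram_md5_response("user", password.encode(), challenge)
    with_digest_only = cram_md5_response("user", rec_a["digest"], challenge)
    return {
        "salted_rows_differ": rec_a["digest"] != rec_b["digest"],
        "login_verifies": verify_salted(rec_a, password),
        "wrong_login_rejected": not verify_salted(rec_a, "Password"),
        "plaintext_passes_challenge": server_accepts("user", password, challenge, with_plaintext),
        "digest_passes_challenge": server_accepts("user", password, challenge, with_digest_only),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two salted records for the same password differ, unlike the identical SMTP5 and SMTP6 values noted earlier in the thread, and a client holding only the salted digest cannot answer the challenge.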

Thank you Mr Turmel. It is clear now.
I must say that all your answers are always enlightening.

1 Like