Encryption

  #1  
Old 09-01-2004, 01:34 PM
okok okok is offline
Web Hosting Guru
 
Join Date: Jun 2002
Posts: 302

Encryption


I am looking for a way to decrypt information in a way that would make it retrievable only given a specific string key used to decrypt it. I want to incorporate this kind of encryption into a php application. Is there a simple way to do this?



  #2  
Old 09-01-2004, 01:36 PM
barrywien barrywien is offline
Aspiring Evangelist
 
Join Date: May 2002
Location: Durham - UK
Posts: 445
For a secure encryption this is not going to be possible, although it would be a very useful function if it was available.

__________________
Barry
UK Based Freelance PHP Developer
PHP/SQL/Ajax/HTML5 - Contact for Quote

  #3  
Old 09-01-2004, 05:04 PM
white_2kgt white_2kgt is offline
Junior Guru Wannabe
 
Join Date: Jul 2004
Posts: 76
what's wrong with using mcrypt?

http://us4.php.net/mcrypt

-c

  #4  
Old 09-01-2004, 05:13 PM
ezCore ezCore is offline
Junior Guru Wannabe
 
Join Date: Aug 2004
Location: Miami
Posts: 65
* mcrypt works fine for crypt/decrypt (Remember to check if hosting has the extension installed, doesn't install by default)
* mhash works fine for crypt/decrypt but it has the same problem that mcrypt does.
* pear has some good hash functions that allow you to encrypt/decrypt without the actual need of compiling php with it. - http://pear.php.net/packages.php?cat...ame=Encryption (There are several encryption levels like CBC, HMAC, RCA. The benefit is that it doesn't require php extensions, the drawback is that it is a bit slower - although for personal tests it's not very significant)

Another alternative is md5 (it actually doesn't decrypt it but rather compares it)

EG: You have some string encrypted with md5 - something like xx3fds34gfdgfdgd543dfsfsdfs and what you do is not decrypt it but actually compare the md5 of the string to the encrypted value rather than decrypting and it will return true or false if it's good or wrong. If what you are looking for is a login system, md5 is the way to go, that's what professional scripts do like vbulletin, etc... rather than decrypting it it will compare the md5's

  #5  
Old 09-01-2004, 06:48 PM
white_2kgt white_2kgt is offline
Junior Guru Wannabe
 
Join Date: Jul 2004
Posts: 76
Please don't confuse a cipher with a hash. A cipher will rely on a 'key' while a hash will rely on a seed. You can't get back what you hash, like ezCore said, you have to compare.

Also mhash is nothing like mcrypt, it is just what it says, a hash. It does not encrypt/decrypt so I don't see how you can compare the two.

If you really want to encrypt/decrypt stuff stick with a real algorithm like 3DES or one of the 'fishes. If you want to hash, MD5 is a great choice. If you post up your requirements for security/speed/ease of use I can assist you in choosing an algorithm.

-c

  #6  
Old 09-01-2004, 08:05 PM
Tee Tee is offline
Web Hosting Master
 
Join Date: Jun 2002
Location: San Diego, California
Posts: 788
You can *very* easily get back a hash, you just have to know how to do it.

  #7  
Old 09-01-2004, 09:09 PM
innova innova is offline
Web Hosting Master
 
Join Date: Dec 2002
Posts: 1,300
Ok then, tough guy.

My root password md5hash is:

3b7188536f24d6807242f12e0b18f9c8

Figure it out, and I will tell you the IP of the machine. I also have a personal message in there for you should you find it.

BTW this is my 666th post... eeeeee!

__________________
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"

  #8  
Old 09-01-2004, 09:51 PM
f0urtyfive f0urtyfive is offline
Aspiring Evangelist
 
Join Date: Dec 2002
Posts: 376
Quote:
Originally posted by Tee
You can *very* easily get back a hash, you just have to know how to do it.
You can't "get back" a hash big hacker man, as they stated above, you have to compare.

You can't go a -> skljl34jlja3ljj3a -> a
you have to go.

if (md5("1") == "skljl34jlja3ljj3a") { echo "YAY!"; }
if (md5("2") == "skljl34jlja3ljj3a") { echo "YAY!"; }
if (md5("3") == "skljl34jlja3ljj3a") { echo "YAY!"; }
if (md5("4") == "skljl34jlja3ljj3a") { echo "YAY!"; }

and so on through the whole alphabet.

You can't just decode hashes, you have to break them.

  #9  
Old 09-01-2004, 10:07 PM
innova innova is offline
Web Hosting Master
 
Join Date: Dec 2002
Posts: 1,300
So to sum up what he said, basically a bruteforce attack.

Why not just bruteforce the password itself, not its hash?

This shows the useful nature and security of hashing.

__________________
"The only difference between a poor person and a rich person is what they do in their spare time."
"If youth is wasted on the young, then retirement is wasted on the old"

  #10  
Old 09-02-2004, 02:51 AM
BluParadox BluParadox is offline
Junior Guru Wannabe
 
Join Date: Feb 2003
Location: Seattle, WA
Posts: 32
There have been programs created which "decrypt" md5 hashes in about 40 minutes, however the data files they use are approx 45gb last time I checked, and are not available to the public (although you can submit an md5 to be decrypted).

Notice I put "decrypt" in quotes, because that's not really what it's doing. Any number of different things can evaluate to the same md5 hash. What the program really does is find a string that, when md5 encoded, will evaluate to that hash. The easy solution to this problem is to include a salt, which makes the whole process much more difficult to break. So basically, instead of:
PHP Code:
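// Unsalted: the stored hash is md5 of the bare password
$password = "blah";
$hash = md5($password);
// Login check: hash the submitted password and compare
if (md5($password) == $hash)
{
    echo "yay!";
}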

you get:
PHP Code:
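// Salted: the salt is appended before hashing
$password = "blah";
$salt = "decodethis!";
$hash = md5($password.$salt);
// Login check: repeat the same salted hash and compare
if (md5($password.$salt) == $hash)
{
    echo "yay!";
}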


BTW the md5 thing was slashdotted, you can find more info at this page

__________________
Adam Pflug: blog
Aesthetic Studios
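
Added example, not part of any post in this thread: the salting idea from post #10 with one random salt per user instead of a single shared string, next to PHP's built-in `password_hash()`, checked against a small constructed lookup table. The function names, passwords and table contents are assumptions made for illustration.

```php
<?php
// Added example; all names and sample values are constructed.

// Stand-in for the large precomputed tables described in the thread.
function build_table(array $guesses): array
{
    $table = [];
    foreach ($guesses as $g) {
        $table[md5($g)] = $g;
    }
    return $table;
}

// Legacy scheme from the post, but with a random per-user salt stored beside the hash.
function make_salted_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($password . $salt)];
}

function check_salted_record(array $record, string $attempt): bool
{
    // hash_equals() compares in constant time.
    return hash_equals($record['hash'], md5($attempt . $record['salt']));
}

$table = build_table(['blah', 'password', 'letmein']);

// Unsalted md5: the table maps the hash straight back to the password.
$unsalted = md5('blah');
var_dump($table[$unsalted] ?? null);

// Two users with the same password: per-user salts give different hashes,
// and neither hash appears in the table.
$alice = make_salted_record('blah');
$bob   = make_salted_record('blah');
var_dump($alice['hash'] === $bob['hash']);
var_dump($table[$alice['hash']] ?? null);
var_dump(check_salted_record($alice, 'blah'));

// Current PHP: password_hash() picks the salt and a deliberately slow algorithm.
$stored = password_hash('blah', PASSWORD_DEFAULT);
var_dump(password_verify('blah', $stored));
var_dump(password_verify('wrong', $stored));
```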

  #11  
Old 09-02-2004, 02:52 AM
okok okok is offline
Web Hosting Guru
 
Join Date: Jun 2002
Posts: 302
Quote:
Originally posted by white_2kgt
...If you really want to encrypt/decrypt stuff stick with a real algorithm like 3DES or one of the 'fishes. If you want to hash, MD5 is a great choice. If you post up your requirements for security/speed/ease of use I can assist you in choosing an algorithm.

-c
Thank you white_2kgt and ezCore.

What I am looking for is not something like MD5 but a way to store information securely so that even if someone breaks into my database they won't be able to read what they find (or at least won't be able to do so easily). The idea is to allow users to store personal information only they can access with a secret key that would make the information available to them only.

The encryption should be reasonably hard to break, but since users are not supposed to store sensitive information such as credit card numbers, ease of use and speed are more important than total security. I don't think anybody will ever bother to try to break into my database -- I just want to make users feel they don't have to worry too much about storing information on the system.
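
Added example, not part of any post in this thread: one way to meet the requirement in post #11 on current PHP, deriving the key from the user's secret with PBKDF2 and encrypting with AES-256-GCM through the openssl extension rather than the mcrypt or PEAR packages named above. The function names, iteration count, record layout and sample data are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example; function names and constants are hypothetical.

const KDF_ITERATIONS = 200000; // assumed work factor, tune for your hardware

function encrypt_for_user(string $plaintext, string $secret): string
{
    $salt = random_bytes(16);  // per-record salt for key derivation
    $key  = hash_pbkdf2('sha256', $secret, $salt, KDF_ITERATIONS, 32, true);
    $iv   = random_bytes(12);  // 96-bit GCM nonce, fresh for every record
    $tag  = '';
    $ct   = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // One column value: salt | nonce | tag | ciphertext, base64 encoded.
    return base64_encode($salt . $iv . $tag . $ct);
}

function decrypt_for_user(string $stored, string $secret): ?string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 16 + 12 + 16) {
        return null;           // malformed record
    }
    $salt = substr($raw, 0, 16);
    $iv   = substr($raw, 16, 12);
    $tag  = substr($raw, 28, 16);
    $ct   = (string) substr($raw, 44);
    $key  = hash_pbkdf2('sha256', $secret, $salt, KDF_ITERATIONS, 32, true);
    $pt   = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    // false means the secret was wrong or the stored value was modified.
    return $pt === false ? null : $pt;
}

// Constructed sample data.
$row = encrypt_for_user('favourite colour: teal', 'my secret key');
var_dump(decrypt_for_user($row, 'my secret key'));
var_dump(decrypt_for_user($row, 'wrong guess'));

// Flip one bit of the stored ciphertext: the GCM tag check rejects it.
$bytes = base64_decode($row);
$bytes[strlen($bytes) - 1] = chr(ord($bytes[strlen($bytes) - 1]) ^ 1);
var_dump(decrypt_for_user(base64_encode($bytes), 'my secret key'));
```

The secret is never stored; only the user who supplies it again can derive the key, so a copy of the database alone yields salt, nonce, tag and ciphertext.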

  #12  
Old 09-02-2004, 03:28 AM
Tee Tee is offline
Web Hosting Master
 
Join Date: Jun 2002
Location: San Diego, California
Posts: 788
http://eprint.iacr.org/2004/199.pdf *cough* ahem, oh btw innova I'll be PMing you shortly.

  #13  
Old 09-02-2004, 12:48 PM
f0urtyfive f0urtyfive is offline
Aspiring Evangelist
 
Join Date: Dec 2002
Posts: 376
Quote:
Originally posted by BluParadox
There have been programs created which "decrypt" md5 hashes in about 40 minutes, however the data files they use are approx 45gb last time I checked, and are not available to the public (although you can submit an md5 to be decrypted).

Notice I put "decrypt" in quotes, because that's not really what it's doing. Any number of different things can evaluate to the same md5 hash. What the program really does is find a string that, when md5 encoded, will evaluate to that hash. The easy solution to this problem is to include a salt, which makes the whole process much more difficult to break. So basically, instead of:
BTW the md5 thing was slashdotted, you can find more info at this page
That program is just a brute force attack that is stored into a database. Since you can go through the database faster than you could generate the hashes, it is slightly faster than just a normal brute force, but it won't break every hash (well it would, but it would take petabytes and thousands of years with current processing strength). It still won't break a strong password.

  #14  
Old 09-02-2004, 02:58 PM
ezCore ezCore is offline
Junior Guru Wannabe
 
Join Date: Aug 2004
Location: Miami
Posts: 65
Go for an encrypt/decrypt function available at php's pear and you will be fine. Ignore all the rest.

  #15  
Old 09-02-2004, 03:07 PM
BluParadox BluParadox is offline
Junior Guru Wannabe
 
Join Date: Feb 2003
Location: Seattle, WA
Posts: 32
Quote:
Originally posted by f0urtyfive
That program is just a brute force attack that is stored into a database. Since you can go through the database faster than you could generate the hashes, it is slightly faster than just a normal brute force, but it won't break every hash (well it would, but it would take petabytes and thousands of years with current processing strength). It still won't break a strong password.
I know it's just a brute force attack, but I thought I'd mention that methods exist that are fast enough to be plausible for cracking simple passwords.

__________________
Adam Pflug: blog
Aesthetic Studios
