Page 1 of 2 12 LastLast
Results 1 to 15 of 27

Thread: Encryption

  1. #1
    Join Date
    Jun 2002
    Posts
    302

    Encryption

    I am looking for a way to decrypt information in a way that would make it retrievable only given a specific string key used to decrypt it. I want to incorporate this kind of encryption into a php application. Is there a simple way to do this?

  2. #2
    Join Date
    May 2002
    Location
    Durham - UK
    Posts
    445
    For a secure encryption this is not going to be possible, although it would be a very useful function if it was available.
    Barry
    UK Based Freelance PHP Developer
    PHP/SQL/Ajax/HTML5 - Contact for Quote

  3. #3
    what's wrong with using mcrypt?

    http://us4.php.net/mcrypt

    -c

  4. #4
    Join Date
    Aug 2004
    Location
    Miami
    Posts
    65
    * mcrypt works fine for crypt/decrypt (Remember to check if hosting has the extension installed, doesn't install by default)
    * mhash works fine for crypt/decrypt but it has the same problem that mcrypt does.
    * pear has some good hash functions that allow you to encrypt/decrypt without the actual need of compiling php with it. - http://pear.php.net/packages.php?cat...ame=Encryption (There are several encryption levels like CBC, HMAC, RCA. The benefists is that it doesn't require php extensions, the drawbacks is that is a bit slower - althought for personal tests it's not very significant)

    Another alternative is md5 (it actually doesn't descrypt it but rather compares it)

    EG: You have some string encrypted with md5 - something like xx3fds34gfdgfdgd543dfsfsdfs and what you do is not decrypt it but actually compare the md5 of the string to the encrypted value rather than decrypting and it will return true or false if it's good or wrong. If what you are looking for is a login system, md5 is the way to go, that's what professional scripts do like vbulletin, etc... rather than decrypting it it will compare the md5's

  5. #5
    Please don't confuse a cipher with a hash. A cipher will rely on a 'key' while a hash will rely on a seed. You can't get back what you hash, like ezCore said, you have to compare.

    Also mhash is nothing like mcrypt, it is just what it says, a hash it does not encrypt/decrypt so i don't see how you can compare the two.

    If you really want to encrypt/decrypt stuff stick with a real algorithm like 3DES or one of the 'fishes. If you want to hash, MD5 is a great choice. If you post up your requirements for security/speed/ease of use I can assist you in choosing an algorighm.

    -c

  6. #6
    Join Date
    Jun 2002
    Location
    San Diego, California
    Posts
    788
    You can *very* easily get back a hash, you just have to know how to do it.

  7. #7
    Ok then, tough guy.

    My root password md5hash is:

    3b7188536f24d6807242f12e0b18f9c8

    Figure it out, and I will tell you the IP of the machine. I also have a personal message in there for you should you find it.

    BTW this is my 666th post... eeeeee!
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"

  8. #8
    Originally posted by Tee
    You can *very* easily get back a hash, you just have to know how to do it.
    You cant "get back" a hash big hacker man, as they stated above, you have to compare.

    You cant go a -> skljl34jlja3ljj3a -> a
    you have to go.

    if(md5(1) = skljl34jlja3ljj3a)( YAY!)
    if(md5(2) = skljl34jlja3ljj3a)( YAY!)
    if(md5(3) = skljl34jlja3ljj3a)( YAY!)
    if(md5(4) = skljl34jlja3ljj3a)( YAY!)

    and so on through the whole alphabet.

    You cant just decode hashes you have to break them.

  9. #9
    So to sum up what he said, basically a bruteforce attack.

    Why not just bruteforce the password itself, not its hash?

    This shows the useful nature and security of hashing.
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"

  10. #10
    Join Date
    Feb 2003
    Location
    Seattle, WA
    Posts
    32
    There have been programs created which "decrypt" md5 hashes in about 40 minutes, however the data files they use are approx 45gb last time I checked, and are not available to the public (although you can submit an md5 to be decrypted).

    Notice I put "decrypt" in quotes, because that's not really what it's doing. Any number of different things can evaluate to the same md5 hash. What the program really does is find a string that, when md5 encoded, will evaluate to that hash. The easy solution to this problem is to include a salt, which makes the whole process much more difficult to break. So basically, instead of:
    PHP Code:
    $password "blah";
    $hash md5($password);
    if (
    $md5($password) == $hash)
    {
        echo 
    "yay!";

    you get:
    PHP Code:
    $password "blah";
    $salt "decodethis!"
    $hash md5($password.$salt);
    if (
    $md5($password.$salt) == $hash)
    {
        echo 
    "yay!";


    BTW the md5 thing was slashdotted, you can find more info at this page

  11. #11
    Join Date
    Jun 2002
    Posts
    302
    Originally posted by white_2kgt
    ...If you really want to encrypt/decrypt stuff stick with a real algorithm like 3DES or one of the 'fishes. If you want to hash, MD5 is a great choice. If you post up your requirements for security/speed/ease of use I can assist you in choosing an algorighm.

    -c
    Thank you white_2kgt and ezCore.

    What I am looking for is not something like MD5 but a way to store information securely so that even if someone breaks into my database they won't be able to read what they find (or at least won't be able to do so easily). The idea is to allow users store personal information only they can access with a secret key that would make the information available to them only.

    The encryption should to be reasonably hard to break, but since users are not supposed to store sensitive information such as credit card numebrs, ease of use and speed are more important than total security. I don't think anybody will ever bother to try to break into my database -- I just want to make users feel they don't have to worry too much about storing information on the system.

  12. #12
    Join Date
    Jun 2002
    Location
    San Diego, California
    Posts
    788
    http://eprint.iacr.org/2004/199.pdf *cough* ahem, oh btw innova ill be pming you shortly.

  13. #13
    Originally posted by BluParadox
    There have been programs created which "decrypt" md5 hashes in about 40 minutes, however the data files they use are approx 45gb last time I checked, and are not available to the public (although you can submit an md5 to be decrypted).

    Notice I put "decrypt" in quotes, because that's not really what it's doing. Any number of different things can evaluate to the same md5 hash. What the program really does is find a string that, when md5 encoded, will evaluate to that hash. The easy solution to this problem is to include a salt, which makes the whole process much more difficult to break. So basically, instead of:
    BTW the md5 thing was slashdotted, you can find more info at this page
    That program is just a brute force attack that is stored into a database. Since you can go through the database faster then you could generate the hashes, it is slightly faster then just a normal brute force, but it wont break every hash (well it would, but it would take petabytes and thousands of years with current processing strength). It still wont break a strong password.

  14. #14
    Join Date
    Aug 2004
    Location
    Miami
    Posts
    65
    Go for a encrypt/decrypt function available at php's pear and you will be fine. Ignore all the rest

  15. #15
    Join Date
    Feb 2003
    Location
    Seattle, WA
    Posts
    32
    Originally posted by f0urtyfive
    That program is just a brute force attack that is stored into a database. Since you can go through the database faster then you could generate the hashes, it is slightly faster then just a normal brute force, but it wont break every hash (well it would, but it would take petabytes and thousands of years with current processing strength). It still wont break a strong password.
    I know it's just a brute force attack, but I thought I'd mention that methods exist that are fast enough to be plausable for cracking simple passwords.

Page 1 of 2 12 LastLast

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •