Web Hosting Talk : Web Hosting Main Forums : Programming Discussion : Encryption

[okok]

I am looking for a way to decrypt information in a way that would make it retrievable only given a specific string key used to decrypt it. I want to incorporate this kind of encryption into a php application. Is there a simple way to do this?

[barrywien]

For a secure encryption this is not going to be possible, although it would be a very useful function if it was available.

[white_2kgt]

what's wrong with using mcrypt?

http://us4.php.net/mcrypt

-c

[ezCore]

* mcrypt works fine for crypt/decrypt (Remember to check if hosting has the extension installed, doesn't install by default)
* mhash works fine for crypt/decrypt but it has the same problem that mcrypt does.
* pear has some good hash functions that allow you to encrypt/decrypt without the actual need of compiling php with it. - http://pear.php.net/packages.php?cat...ame=Encryption (There are several encryption levels like CBC, HMAC, RCA. The benefists is that it doesn't require php extensions, the drawbacks is that is a bit slower - althought for personal tests it's not very significant)

Another alternative is md5 (it actually doesn't descrypt it but rather compares it)

EG: You have some string encrypted with md5 - something like xx3fds34gfdgfdgd543dfsfsdfs and what you do is not decrypt it but actually compare the md5 of the string to the encrypted value rather than decrypting and it will return true or false if it's good or wrong. If what you are looking for is a login system, md5 is the way to go, that's what professional scripts do like vbulletin, etc... rather than decrypting it it will compare the md5's

[white_2kgt]

Please don't confuse a cipher with a hash. A cipher will rely on a 'key' while a hash will rely on a seed. You can't get back what you hash, like ezCore said, you have to compare.

Also mhash is nothing like mcrypt, it is just what it says, a hash it does not encrypt/decrypt so i don't see how you can compare the two.

If you really want to encrypt/decrypt stuff stick with a real algorithm like 3DES or one of the 'fishes. If you want to hash, MD5 is a great choice. If you post up your requirements for security/speed/ease of use I can assist you in choosing an algorighm.

-c

[Tee]

You can *very* easily get back a hash, you just have to know how to do it.

[innova]

Ok then, tough guy.

My root password md5hash is:

3b7188536f24d6807242f12e0b18f9c8

Figure it out, and I will tell you the IP of the machine. I also have a personal message in there for you should you find it.

BTW this is my 666th post... eeeeee!

[f0urtyfive]

Quote:

Originally posted by Tee
You can *very* easily get back a hash, you just have to know how to do it.

You cant "get back" a hash big hacker man, as they stated above, you have to compare.

You cant go a -> skljl34jlja3ljj3a -> a
you have to go.

if(md5(1) = skljl34jlja3ljj3a)( YAY!)
if(md5(2) = skljl34jlja3ljj3a)( YAY!)
if(md5(3) = skljl34jlja3ljj3a)( YAY!)
if(md5(4) = skljl34jlja3ljj3a)( YAY!)

and so on through the whole alphabet.

You cant just decode hashes you have to break them.

[innova]

So to sum up what he said, basically a bruteforce attack.

Why not just bruteforce the password itself, not its hash?

This shows the useful nature and security of hashing.

[BluParadox]

There have been programs created which "decrypt" md5 hashes in about 40 minutes, however the data files they use are approx 45gb last time I checked, and are not available to the public (although you can submit an md5 to be decrypted).

Notice I put "decrypt" in quotes, because that's not really what it's doing. Any number of different things can evaluate to the same md5 hash. What the program really does is find a string that, when md5 encoded, will evaluate to that hash. The easy solution to this problem is to include a salt, which makes the whole process much more difficult to break. So basically, instead of:

PHP Code:

$password = "blah";
$hash = md5($password);
if ($md5($password) == $hash)
{
    echo "yay!";
} 


you get:

PHP Code:

$password = "blah";
$salt = "decodethis!"
$hash = md5($password.$salt);
if ($md5($password.$salt) == $hash)
{
    echo "yay!";
} 


BTW the md5 thing was slashdotted, you can find more info at this page

[okok]

Quote:

Originally posted by white_2kgt
...If you really want to encrypt/decrypt stuff stick with a real algorithm like 3DES or one of the 'fishes. If you want to hash, MD5 is a great choice. If you post up your requirements for security/speed/ease of use I can assist you in choosing an algorighm.

-c

Thank you white_2kgt and ezCore.

What I am looking for is not something like MD5 but a way to store information securely so that even if someone breaks into my database they won't be able to read what they find (or at least won't be able to do so easily). The idea is to allow users store personal information only they can access with a secret key that would make the information available to them only.

The encryption should to be reasonably hard to break, but since users are not supposed to store sensitive information such as credit card numebrs, ease of use and speed are more important than total security. I don't think anybody will ever bother to try to break into my database -- I just want to make users feel they don't have to worry too much about storing information on the system.

[Tee]

http://eprint.iacr.org/2004/199.pdf *cough* ahem, oh btw innova ill be pming you shortly.

[f0urtyfive]

Quote:

Originally posted by BluParadox
There have been programs created which "decrypt" md5 hashes in about 40 minutes, however the data files they use are approx 45gb last time I checked, and are not available to the public (although you can submit an md5 to be decrypted).

Notice I put "decrypt" in quotes, because that's not really what it's doing. Any number of different things can evaluate to the same md5 hash. What the program really does is find a string that, when md5 encoded, will evaluate to that hash. The easy solution to this problem is to include a salt, which makes the whole process much more difficult to break. So basically, instead of:
BTW the md5 thing was slashdotted, you can find more info at this page

That program is just a brute force attack that is stored into a database. Since you can go through the database faster then you could generate the hashes, it is slightly faster then just a normal brute force, but it wont break every hash (well it would, but it would take petabytes and thousands of years with current processing strength). It still wont break a strong password.

[ezCore]

Go for a encrypt/decrypt function available at php's pear and you will be fine. Ignore all the rest

[BluParadox]

Quote:

Originally posted by f0urtyfive
That program is just a brute force attack that is stored into a database. Since you can go through the database faster then you could generate the hashes, it is slightly faster then just a normal brute force, but it wont break every hash (well it would, but it would take petabytes and thousands of years with current processing strength). It still wont break a strong password.

I know it's just a brute force attack, but I thought I'd mention that methods exist that are fast enough to be plausable for cracking simple passwords.