  1. #1

    php crypt() issue and limitations?

    I'm using crypt() with a salt to encode a string.

    Here is my code.

    Script 1
    Code:
    <?php
    // Same 12-character salt for both calls; the two inputs differ after "Subscrip".
    $salt = "asd3ASDddsad";
    $hash = crypt('Subscription Mod PRO V1', $salt);
    echo $hash . "\n";
    
    $hash = crypt('Subscription Mod V1', $salt);
    echo $hash . "\n";
    ?>
    Output:
    asxJ139jmpMHA
    asxJ139jmpMHA



    Script 2
    Code:
    <?php
    // Same salt again, spaces removed; the two inputs still share "Subscrip".
    $salt = "asd3ASDddsad";
    $hash = crypt('SubscriptionModPROV1', $salt);
    echo $hash . "\n";
    
    $hash = crypt('SubscriptionModV1', $salt);
    echo $hash . "\n";
    ?>
    Output:
    asxJ139jmpMHA
    asxJ139jmpMHA

    Script 3
    Code:
    <?php
    // Same salt; these two inputs differ within the first eight characters.
    $salt = "asd3ASDddsad";
    $hash = crypt('Mod PRO V1', $salt);
    echo $hash . "\n";
    
    $hash = crypt('Mod V1', $salt);
    echo $hash . "\n";
    ?>
    Output:
    asXGO7q4x7rG.
    asCDy3vzgrgFY

    Script 4
    Code:
    <?php
    // Same salt; again the inputs differ within the first eight characters.
    $salt = "asd3ASDddsad";
    $hash = crypt('ModPROV1', $salt);
    echo $hash . "\n";
    
    $hash = crypt('ModV1', $salt);
    echo $hash . "\n";
    ?>
    Output:
    asV8OnjuWdApc
    asTZsH0eavwTI



    As you can see, the string to be encoded is different in scripts 1 and 2, but the output is still the same.

    With scripts 3 and 4, both outputs are different.

    So is there a maximum string length when using crypt()? Any opinion on this?


    Edit: The standard DES-based encryption crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str, so longer strings that start with the same eight characters will generate the same result (when the same salt is used).
    Last edited by lonea; 07-26-2009 at 04:24 AM.

  2. #2
    Now that I have figured out the limitation, could anybody suggest other ways I could do a two-pass encryption system with a salted string?

    Before I was doing crypt(input) -> md5(salted input)
    Last edited by lonea; 07-26-2009 at 04:33 AM.

  3. #3
    You could consider using the hash() function, which could be more secure than MD5, depending on the algorithm you use.

    http://php.net/manual/en/function.hash.php

  4. #4
    This of course wouldn't be an issue when using a salt, since it's included "somewhere" in the hash, and hence it is impossible to guess where unless you have the source code.

    I would simply use md5 and then create my own function to store the salt. It doesn't matter that the string gets longer than normal, because potential attackers wouldn't know where in the string the hash is located.

  5. #5
    With the crypt() function, the salt defines the type of encryption to use when hashing your password. Your salt does not match any of the four applicable salt formats (see the "Description" section of http://php.net/crypt for the four salt formats), so crypt() is reverting to the default CRYPT_STD_DES format, which only uses the first two characters of your salt and only takes the first eight characters of your string, and so will produce the same output when using the same salt, as you said.

    Use another salt format if you still want to use crypt(): a nine-character salt for the EXT DES type, a prefix of $1$ for MD5, or $2$ for Blowfish.

    Alternatively, use another hashing method such as hash() if your PHP version allows it.
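Putting the finding in the opening post (DES crypt() keeps only 2 salt characters and 8 password bytes) together with the salt-prefix explanation in this reply, the script below is an added example and not code from the thread. It demonstrates the collision with the original post's salt, shows the $1$ (MD5-crypt) and $2y$ (bcrypt, PHP 5.3.7+) prefixes selecting algorithms that do not stop at eight bytes, and then the password_hash()/password_verify() API (PHP 5.5+) that replaces a hand-built crypt()/md5() two-pass scheme. The passwords, salts and cost values are made up for the demo; it needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. All passwords and salts below are
// constructed for the demonstration.

// (a) CRYPT_STD_DES: only the first 2 salt characters and the first 8 password
//     bytes are used. Every call here reduces to crypt('Subscrip', 'as'), so
//     all four results are the same 13-character string.
function des_truncation(): array
{
    $hashes = [];
    foreach (['asd3ASDddsad', 'as'] as $salt) {        // 12-char salt vs. its 2-char prefix
        foreach (['Subscription Mod PRO V1', 'Subscription Mod V1'] as $pw) {
            $hashes[] = crypt($pw, $salt);
        }
    }
    return $hashes;
}

// (b) A recognised prefix selects the algorithm: "$1$" + up to 8 salt chars +
//     "$" is MD5-crypt; "$2y$" + two-digit cost + "$" + 22 chars from
//     [./A-Za-z0-9] is bcrypt. Neither truncates at 8 bytes, so the two
//     passwords that collided under DES now hash differently.
function prefix_selects_algorithm(): array
{
    $md5Salt    = '$1$asd3ASDd$';
    // bcrypt wants 22 chars of its own base64 alphabet; map '+' to '.' and drop padding.
    $bcryptSalt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $pws = ['Subscription Mod PRO V1', 'Subscription Mod V1'];
    return [
        'md5crypt' => [crypt($pws[0], $md5Salt),    crypt($pws[1], $md5Salt)],
        'bcrypt'   => [crypt($pws[0], $bcryptSalt), crypt($pws[1], $bcryptSalt)],
    ];
}

// (c) For real password storage: password_hash() draws a random salt and
//     stores it inside the returned string, so nothing has to be hidden; the
//     salt is not a secret, the password is. password_verify() parses the
//     prefix back out and compares in constant time.
function store_and_verify(string $password, string $attempt): array
{
    $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    return [
        'stored'       => $stored,   // "$2y$12$" . 22 salt chars . 31 hash chars
        'verified'     => password_verify($attempt, $stored),
        // true once the cost parameter below is raised above what $stored used
        'needs_rehash' => password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]),
    ];
}

$des = des_truncation();
printf("DES: %s (distinct values among %d calls: %d)\n",
       $des[0], count($des), count(array_unique($des)));

foreach (prefix_selects_algorithm() as $algo => [$a, $b]) {
    printf("%-8s hashes differ: %s\n  %s\n  %s\n", $algo, $a !== $b ? 'yes' : 'no', $a, $b);
}

$wrong = store_and_verify('Subscription Mod PRO V1', 'Subscription Mod V1');
$right = store_and_verify('Subscription Mod PRO V1', 'Subscription Mod PRO V1');
printf("password_verify: wrong password => %s, right password => %s\n",
       var_export($wrong['verified'], true), var_export($right['verified'], true));
echo "stored form: ", $right['stored'], "\n";
```

Two caveats worth keeping in mind: bcrypt has its own input limit of 72 bytes, so very long passphrases should be handled deliberately (for example by pre-hashing with a keyed hash) rather than assumed to be used in full; and if you ever compare hash strings yourself instead of through password_verify(), use hash_equals() so the comparison does not leak timing information.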
