i need to create a custom encrypt and decrypt function

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

i need to create a custom encrypt and decrypt function

Post by s.dot »

I have a central site that will post login authorization to several sites. The remote sites will check that the supplied username and password are correct.

The problem is sending the password in plain text to the remote sites. The other problem is the remote sites will have their passwords stored in different formats (plain text, md5, sha, etc).

So, I need to send the password encrypted and provide a function in the remote script to decrypt the password into plain text so the remote script can then hash it appropriately to match the format it is stored in in the remote database.

Not all servers will have mcrypt extension enabled, so that is ruled out.

The only solution I can think of is creating a custom encrypt and decrypt function. Is this correct?

The solution does not need to be super strong, but strong enough that it is not very easily reversible (like base64 encode/decode).

Here's my crappy start that is laughworthy:

Code:

function encrypt($pw, $key)
{
	$strlen = strlen($pw);
	$padded = str_pad($pw, 255, 'x', STR_PAD_RIGHT);
	
	$i = 0;
	$j = 0;
	$out = '';
	foreach ((array) $key AS $keychar)
	{
		foreach ((array) $padded AS $paddedchar)
		{
			echo $keychar;
			echo $paddedchar;
			exit;
			if (($paddedchar[$j] % 5) == 0)
			{
				$out .= $keychar[$i] . $paddedchar[$j];
			} else
			{
				$out .= $paddedchar[$j];
			}
			
			$j++;
		}
		
		$i++;
	}
	
	echo $out;
}

Shared key is preferred and I don't mind the shared key being in the remote script. Again, the *only* goal is to prevent the password from being transmitted in plain text or easily reversible.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: i need to create a custom encrypt and decrypt function

Post by Apollo »

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: i need to create a custom encrypt and decrypt function

Post by s.dot »

I am sticking to core php functions or a custom function since I will not have the ability to enable extensions on the remote servers.
dejvos
Forum Contributor
Posts: 122
Joined: Tue Mar 10, 2009 8:40 am

Re: i need to create a custom encrypt and decrypt function

Post by dejvos »

So, maybe you can try some PEAR package.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: i need to create a custom encrypt and decrypt function

Post by flying_circus »

s.dot wrote: The problem is sending the password in plain text to the remote sites.
SSL is not an option?
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: i need to create a custom encrypt and decrypt function

Post by requinix »

I advise against creating your own encryption/decryption scheme. No offense, but I don't think you can come up with a good, secure system. (I probably couldn't either.)

+1 to using SSL.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: i need to create a custom encrypt and decrypt function

Post by s.dot »

Hmm, noted.
As it is now, the passwords are sent in plain text via POST to the remote servers.

If I have SSL, will the remote servers need to be ssl-enabled?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: i need to create a custom encrypt and decrypt function

Post by Apollo »

If you google around for e.g. rijndael encryption in javascript, you'll find open source implementations which you can easily convert to PHP.
Perhaps there are open source PHP implementations available too, but I guess they're less common since most people typically use the default mcrypt functions.
s.dot wrote: If I have SSL, will the remote servers need to be ssl-enabled?
Yes, although in this case you could probably do with a self-signed certificate.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: i need to create a custom encrypt and decrypt function

Post by s.dot »

OK, so I can't go SSL, since I don't own or control the remote servers, and for this reason mcrypt will not always be available. And the general consensus seems to be that a custom encrypt/decrypt function would not be much better than plain text.

Hmm what to do what to do.
Are there php implementations of mcrypt (such as a class or function) that would be available to hardcode into the remote script?
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: i need to create a custom encrypt and decrypt function

Post by flying_circus »

If the remote servers are accepting a username / password pair without SSL, I'd question the security of the remote server. But, I suppose that depends on what kind of information the remote servers are protecting. This forum, for example, does not use SSL, so when we log in, our credentials are sent in plain text.

Figure out how the remote servers accept login credentials. There is no point for you to encrypt them up to the point of the final hop, and then send them plain text.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: i need to create a custom encrypt and decrypt function

Post by s.dot »

The remote servers are accepting the login credentials via a php script, with POST data being sent to it. This script simply sends back a 'VALID' or 'INVALID' response for the login credentials supplied.

I don't care about the security of the remote systems (not my problem), however, I do not want to send the passwords to them in plain text. It's not really that big of an issue since the passwords are mostly being stored in plain text on the remote servers, but I don't want someone pointing to me saying I leaked their password info by sending it in plain text.

This is where I think a custom (or php-alized) encrypt/decrypt solution would be best. So then I can send an encrypted version of the password, and have the remote php script decrypt it and then apply the appropriate hashing algorithm to match their set up and return a valid or invalid response.

I should note that this is not a very highly sensitive login we're talking about here. No data is being protected that is private or secret-worthy. However, I understand that many people use the same password for multiple sites, so I want to be a little bit more secure on my end.
Li0rE
Forum Commoner
Posts: 41
Joined: Wed Jun 07, 2006 6:26 am

Re: i need to create a custom encrypt and decrypt function

Post by Li0rE »

I think this is what you're looking for:

Code:

<?php
// String EnCrypt + DeCrypt function
// Author: halojoy, July 2006
function convert($str,$ky=''){
if($ky=='')return $str;
$ky=str_replace(chr(32),'',$ky);
if(strlen($ky)<8)exit('key error');
$kl=strlen($ky)<32?strlen($ky):32;
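// Keep only the low 5 bits of each key character
$k=array();for($i=0;$i<$kl;$i++){
$k[$i]=ord($ky[$i])&0x1F;}
// XOR every byte >= 0x20 with the repeating key mask; control bytes pass through
$j=0;for($i=0;$i<strlen($str);$i++){
$e=ord($str[$i]);
$str[$i]=$e&0xE0?chr($e^$k[$j]):chr($e);
$j++;$j=$j==$kl?0:$j;}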
return $str;
}
///////////////////////////////////

// Secret key to encrypt/decrypt with
$key='mysecretkey'; // 8-32 characters without spaces

// String to encrypt
$string1='To be or not to be, that is the question';

// EnCrypt string
$string2=convert($string1,$key);

// DeCrypt back
$string3=convert($string2,$key);

// Test output
echo '<span style="font-family:Courier">'."\n";
echo 'Key: '.$key.'<br>'."\n";
echo $string1.'<br>'."\n";
echo $string2.'<br>'."\n";
echo $string3.'<br>'."\n";
echo '</span>'."\n";
?>

You can specify your own key to make it more secure.

It's from http://www.phpbuilder.com/board/showthr ... t=10326721
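
As an added example (not part of the original post or of the linked thread), the script below ports the posted convert() routine to `[]` string offsets and checks two properties of it on constructed sample strings: the top three bits of every byte pass through unchanged, and XORing one known plaintext with its ciphertext gives the key mask, which then decodes any other message sent under the same key. The names xor_convert, high_bits_preserved and mask_from_pair are assumptions made for this illustration.

```php
<?php
// Added example: port of the posted convert() using [] string offsets.
function xor_convert(string $str, string $ky): string
{
    $ky = str_replace(' ', '', $ky);
    if (strlen($ky) < 8) {
        throw new InvalidArgumentException('key error');
    }
    $kl  = min(strlen($ky), 32);
    $out = '';
    for ($i = 0, $n = strlen($str); $i < $n; $i++) {
        $e = ord($str[$i]);
        $m = ord($ky[$i % $kl]) & 0x1F;               // only 5 bits of each key byte
        $out .= ($e & 0xE0) ? chr($e ^ $m) : chr($e); // bytes below 0x20 pass through
    }
    return $out;
}

// Property 1: the top three bits of every byte survive "encryption",
// so letter case and letter-versus-digit remain visible in the ciphertext.
function high_bits_preserved(string $plain, string $cipher): bool
{
    for ($i = 0, $n = strlen($plain); $i < $n; $i++) {
        if ((ord($plain[$i]) & 0xE0) !== (ord($cipher[$i]) & 0xE0)) {
            return false;
        }
    }
    return true;
}

// Property 2: plaintext XOR ciphertext is the repeating key mask itself.
function mask_from_pair(string $plain, string $cipher): string
{
    return $plain ^ $cipher;   // PHP XORs two strings byte by byte
}

$key   = 'mysecretkey';       // key used in the post
$known = 'To be or not';      // constructed sample plaintext
$other = 'hunter2';           // constructed sample plaintext
$c1    = xor_convert($known, $key);
$c2    = xor_convert($other, $key);
$mask  = mask_from_pair($known, $c1);

var_dump(high_bits_preserved($known, $c1));
// The mask derived from the first pair decodes the second message without the key.
var_dump(($c2 ^ substr($mask, 0, strlen($c2))) === $other);
```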
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: i need to create a custom encrypt and decrypt function

Post by Benjamin »

Here's an RC4 encrypt/decrypt function. This was taken off the web from someplace. The original had some errors, which have been corrected in this version.

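Code:

function RC4($pwd, $data) {
    $pwd_length = strlen($pwd);
    $x = $j = $a = 0;
    $Zcrypt = '';
    $key = $counter = array();

    // Repeat the key bytes across 256 slots and fill the state array with 0..255
    for ($i = 0; $i <= 255; $i++)
    {
          // substr() is 0-based: key byte at index i mod key length
          $key[$i] = ord(substr($pwd, $i % $pwd_length, 1));
          $counter[$i] = $i;
    }

    // Key scheduling: permute the state array using the key
    for ($i = 0; $i <= 255; $i++)
    {
        $x = ($x + $counter[$i] + $key[$i]) % 256;
        $temp_swap = $counter[$i];
        $counter[$i] = $counter[$x];
        $counter[$x] = $temp_swap;
    }

    // Keystream generation: XOR each data byte with the next keystream byte
    for ($i = 0; $i < strlen($data); $i++)
    {
        $a = ($a + 1) % 256;
        $j = ($j + $counter[$a]) % 256;
        $temp = $counter[$a];
        $counter[$a] = $counter[$j];
        $counter[$j] = $temp;
        $k = $counter[(($counter[$a] + $counter[$j]) % 256)];
        $Zcipher = ord(substr($data, $i, 1)) ^ $k;
        $Zcrypt .= chr($Zcipher);
    }

    // The same call decrypts: RC4($pwd, RC4($pwd, $data)) === $data
    return $Zcrypt;
}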
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: i need to create a custom encrypt and decrypt function

Post by Christopher »

s.dot wrote: I have a central site that will post login authorization to several sites. The remote sites will check that the supplied username and password are correct.

The problem is sending the password in plain text to the remote sites. The other problem is the remote sites will have their passwords stored in different formats (plain text, md5, sha, etc).
Do you control all of these sites?
When you say (plain text, md5, sha, etc) how many are there really?

If it is just md5 and sha, you could concat the md5 and sha of the password. Then the receiving sites would either use the sha or md5 part, or if they had plain text passwords stored then md5 the password and compare to what is passed.
(#10850)
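
The md5-plus-sha concatenation suggested above, shown for both sides as an added example that is not part of the original post. It assumes "sha" means SHA-1 and that the remote sites store unsalted hex digests; build_token, check_token and the per-site $format setting are hypothetical names. The 'VALID' / 'INVALID' replies follow the remote script described earlier in the thread.

```php
<?php
// Central site: build the value to POST instead of the plain-text password.
// Assumption: "sha" in the post means SHA-1; digests are unsalted hex strings.
function build_token(string $password): string
{
    return md5($password) . sha1($password);   // 32 + 40 hex characters
}

// Remote site: compare the token against whatever format this site stores.
// $format is a hypothetical per-site setting: 'plain', 'md5' or 'sha1'.
function check_token(string $token, string $stored, string $format): string
{
    $token = strtolower($token);
    if (strlen($token) !== 72 || !ctype_xdigit($token)) {
        return 'INVALID';                      // malformed input never matches
    }
    $md5Part  = substr($token, 0, 32);
    $sha1Part = substr($token, 32, 40);

    switch ($format) {
        case 'md5':   $ok = hash_equals(strtolower($stored), $md5Part);  break;
        case 'sha1':  $ok = hash_equals(strtolower($stored), $sha1Part); break;
        case 'plain': $ok = hash_equals(md5($stored), $md5Part);         break;
        default:      $ok = false;
    }
    return $ok ? 'VALID' : 'INVALID';
}

// Constructed sample data: one password stored in three different formats.
$password = 'correct horse';
$token    = build_token($password);
$sites    = [
    ['plain', $password],
    ['md5',   md5($password)],
    ['sha1',  sha1($password)],
];
foreach ($sites as [$format, $stored]) {
    echo $format, ': ', check_token($token, $stored, $format), "\n";
}
// A token built from a different password is rejected.
echo 'wrong: ', check_token(build_token('guess'), md5($password), 'md5'), "\n";
```

The 72-character token can be replayed by anyone who captures it, and on sites that store the bare md5 or sha1 it is identical to the stored value, so it still needs the transport protection (SSL) raised earlier in the thread.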
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: i need to create a custom encrypt and decrypt function

Post by Apollo »

The alternatives above are probably more suitable to you, but just for sake of completeness, you could also abuse SQL encryption functions:

Code:

mysql_query("SELECT AES_ENCRYPT('password','key')");
(or DES_ENCRYPT etc)