i need to create a custom encrypt and decrypt function
Posted: Wed Apr 21, 2010 10:34 am
by s.dot
I have a central site that will post login authorization to several sites. The remote sites will check that the supplied username and password are correct.
The problem is sending the password in plain text to the remote sites. The other problem is the remote sites will have their passwords stored in different formats (plain text, md5, sha, etc).
So, I need to send the password encrypted and provide a function in the remote script to decrypt the password into plain text so the remote script can then hash it appropriately to match the format it is stored in in the remote database.
Not all servers will have mcrypt extension enabled, so that is ruled out.
The only solution I can think of is creating a custom encrypt and decrypt function. Is this correct?
The solution does not need to be super strong, but strong enough that it is not very easily reversible (like base64 encode/decode).
Here's my crappy start that is laughworthy:
Code:
function encrypt($pw, $key)
{
    // pad the password to a fixed length so its real length is not obvious
    $padded = str_pad($pw, 255, 'x', STR_PAD_RIGHT);
    $out = '';
    // (array) on a string gives a one-element array; split into characters instead
    foreach (str_split($key) as $keychar)
    {
        foreach (str_split($padded) as $paddedchar)
        {
            // compare the byte value of the character, not the character itself
            if ((ord($paddedchar) % 5) == 0)
            {
                $out .= $keychar . $paddedchar;
            } else
            {
                $out .= $paddedchar;
            }
        }
    }
    return $out;
}
Shared key is preferred and I don't mind the shared key being in the remote script. Again, the *only* goal is to prevent the password from being transmitted in plain text or easily reversible.
Re: i need to create a custom encrypt and decrypt function
Posted: Wed Apr 21, 2010 10:50 am
by Apollo
Re: i need to create a custom encrypt and decrypt function
Posted: Wed Apr 21, 2010 10:52 am
by s.dot
I am sticking to core php functions or a custom function since I will not have the ability to enable extensions on the remote servers.
Re: i need to create a custom encrypt and decrypt function
Posted: Wed Apr 21, 2010 11:07 am
by dejvos
So, maybe you can try some PEAR package.
Re: i need to create a custom encrypt and decrypt function
Posted: Wed Apr 21, 2010 1:40 pm
by flying_circus
s.dot wrote:The problem is sending the password in plain text to the remote sites.
SSL is not an option?
Re: i need to create a custom encrypt and decrypt function
Posted: Wed Apr 21, 2010 2:12 pm
by requinix
I advise against creating your own encryption/decryption scheme. No offense, but I don't think you can come up with a good, secure system. (I probably couldn't either.)
+1 to using SSL.
Re: i need to create a custom encrypt and decrypt function
Posted: Wed Apr 21, 2010 8:38 pm
by s.dot
Hmm, noted.
As it is now, the passwords are sent in plain text via POST to the remote servers.
If I have SSL, will the remote servers need to be ssl-enabled?
Re: i need to create a custom encrypt and decrypt function
Posted: Thu Apr 22, 2010 2:36 am
by Apollo
If you google around for e.g. rijndael encryption in javascript, you'll find open source implementations which you can easily convert to PHP.
Perhaps there are open source PHP implementations available too, but I guess they're less common since most people typically use the default mcrypt functions.
s.dot wrote:If I have SSL, will the remote servers need to be ssl-enabled?
Yes, although in this case you could probably do with a self-signed certificate.
Re: i need to create a custom encrypt and decrypt function
Posted: Thu Apr 22, 2010 11:01 am
by s.dot
OK, so I can't go SSL, since I don't own or control the remote servers, and for this reason mcrypt will not always be available. And the general consensus seems to be that a custom encrypt/decrypt function would not be much better than plain text.
Hmm, what to do, what to do.
Are there PHP implementations of mcrypt (such as a class or function) that would be available to hardcode into the remote script?
Re: i need to create a custom encrypt and decrypt function
Posted: Thu Apr 22, 2010 11:22 am
by flying_circus
If the remote servers are accepting a username / password pair without SSL, I'd question the security of the remote server. But, I suppose that depends on what kind of information the remote servers are protecting. This forum, for example, does not use SSL, so when we log in, our credentials are sent in plain text.
Figure out how the remote servers accept login credentials. There is no point for you to encrypt them up to the point of the final hop, and then send them plain text.
Re: i need to create a custom encrypt and decrypt function
Posted: Thu Apr 22, 2010 2:29 pm
by s.dot
The remote servers are accepting the login credentials via a php script, with POST data being sent to it. This script simply sends back a 'VALID' or 'INVALID' response for the login credentials supplied.
I don't care about the security of the remote systems (not my problem), however, I do not want to send the passwords to them in plain text. It's not really that big of an issue since the passwords are mostly being stored in plain text on the remote servers, but I don't want someone pointing to me saying I leaked their password info by sending it in plain text.
This is where I think a custom (or php-alized) encrypt/decrypt solution would be best. So then I can send an encrypted version of the password, and have the remote php script decrypt it and then apply the appropriate hashing algorithm to match their set up and return a valid or invalid response.
I should note that this is not a very highly sensitive login we're talking about here. No data is being protected that is private or secret-worthy. However, I understand that many people use the same password for multiple sites, so I want to be a little bit more secure on my end.
Re: i need to create a custom encrypt and decrypt function
Posted: Thu Apr 22, 2010 3:40 pm
by Li0rE
I think this is what you're looking for:
Code:
<?php
// String EnCrypt + DeCrypt function
// Author: halojoy, July 2006
function convert($str,$ky=''){
if($ky=='')return $str;
$ky=str_replace(chr(32),'',$ky); // strip spaces from the key
if(strlen($ky)<8)exit('key error');
$kl=strlen($ky)<32?strlen($ky):32; // use at most 32 key characters
$k=array();for($i=0;$i<$kl;$i++){
$k[$i]=ord($ky[$i])&0x1F;} // keep the low 5 bits of each key byte
$j=0;for($i=0;$i<strlen($str);$i++){
$e=ord($str[$i]);
// XOR bytes >= 0x20 with the key byte, leave control bytes unchanged;
// the same call applied again reverses the transformation
$str[$i]=$e&0xE0?chr($e^$k[$j]):chr($e);
$j++;$j=$j==$kl?0:$j;}
return $str;
}
///////////////////////////////////
// Secret key to encrypt/decrypt with
$key='mysecretkey'; // 8-32 characters without spaces
// String to encrypt
$string1='To be or not to be, that is the question';
// EnCrypt string
$string2=convert($string1,$key);
// DeCrypt back
$string3=convert($string2,$key);
// Test output
echo '<span style="font-family:Courier">'."\n";
echo 'Key: '.$key.'<br>'."\n";
echo $string1.'<br>'."\n";
echo $string2.'<br>'."\n";
echo $string3.'<br>'."\n";
echo '</span>'."\n";
?>
You can specify your own key to make it more secure.
It's from
http://www.phpbuilder.com/board/showthr ... t=10326721
Re: i need to create a custom encrypt and decrypt function
Posted: Thu Apr 22, 2010 3:43 pm
by Benjamin
Here's an RC4 encrypt/decrypt function. This was taken off the web from someplace. The original had some errors, which have been corrected in this version.
Code:
function RC4($pwd, $data) {
    $pwd_length = strlen($pwd);
    $key = array();
    $counter = array();
    $x = $j = $a = 0;
    $Zcrypt = '';
    // Key scheduling: repeat the key cyclically over 256 positions (0-based index)
    // and initialise the state array
    for ($i = 0; $i <= 255; $i++)
    {
        $key[$i] = ord($pwd[$i % $pwd_length]);
        $counter[$i] = $i;
    }
    for ($i = 0; $i <= 255; $i++)
    {
        $x = ($x + $counter[$i] + $key[$i]) % 256;
        $temp_swap = $counter[$i];
        $counter[$i] = $counter[$x];
        $counter[$x] = $temp_swap;
    }
    // Keystream generation: XOR each data byte with the next keystream byte.
    // Calling the function again with the same key decrypts, since XOR is its own inverse.
    for ($i = 0; $i < strlen($data); $i++)
    {
        $a = ($a + 1) % 256;
        $j = ($j + $counter[$a]) % 256;
        $temp = $counter[$a];
        $counter[$a] = $counter[$j];
        $counter[$j] = $temp;
        $k = $counter[(($counter[$a] + $counter[$j]) % 256)];
        $Zcipher = ord(substr($data, $i, 1)) ^ $k;
        $Zcrypt .= chr($Zcipher);
    }
    return $Zcrypt;
}
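Both functions posted above are unauthenticated XOR stream ciphers keyed directly from a fixed shared secret, so every message uses the same keystream and a modified ciphertext decrypts to something without any error. The following is an added example, not code from this thread, showing the same shared-key design with ext/sodium, which has been part of core PHP since 7.2 and so is present where mcrypt is not. It assumes PHP 7.2 or later with sodium enabled; the secret and password values are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): shared-key authenticated encryption of a
// password payload with ext/sodium (core PHP >= 7.2, assumed available).

// Derive a 32-byte key from the shared secret both scripts embed. The hash only
// normalises the length; the secret itself should be long and random.
function sharedKey(string $secret): string
{
    return hash('sha256', $secret, true); // 32 raw bytes = SODIUM_CRYPTO_SECRETBOX_KEYBYTES
}

// Central site: seal the password. A fresh random nonce per message means the
// same password never yields the same ciphertext twice, and the secretbox MAC
// lets the remote reject any tampering before it looks at the plaintext.
function sealPassword(string $password, string $secret): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = sodium_crypto_secretbox($password, $nonce, sharedKey($secret));
    // the nonce is not secret; ship it in front of the ciphertext, base64 for POST
    return base64_encode($nonce . $box);
}

// Remote site: open the payload. Returns null on any failure (wrong key,
// truncated payload, modified ciphertext) instead of a garbled "password".
function openPassword(string $payload, string $secret): ?string
{
    $raw = base64_decode($payload, true);
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $minLen) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, sharedKey($secret));
    return $plain === false ? null : $plain;
}

// Remote site: hash the recovered password the way the local user table
// expects (plain, md5 or sha1, as in the thread) and compare in constant time.
function checkAgainstStore(string $password, string $storedFormat, string $storedValue): bool
{
    switch ($storedFormat) {
        case 'plain': $candidate = $password;      break;
        case 'md5':   $candidate = md5($password); break;
        case 'sha1':  $candidate = sha1($password); break;
        default:      return false;
    }
    return hash_equals($storedValue, $candidate);
}

// Demonstration with a constructed shared secret and password
$secret = 'example-shared-secret-change-me';
$payload = sealPassword('correct horse battery staple', $secret);
$password = openPassword($payload, $secret);
var_dump($password !== null && checkAgainstStore($password, 'md5', md5('correct horse battery staple')));

// Flip one bit inside the ciphertext: the MAC check fails and nothing is decrypted
$bytes = base64_decode($payload);
$pos = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + 2;
$bytes[$pos] = chr(ord($bytes[$pos]) ^ 0x01);
var_dump(openPassword(base64_encode($bytes), $secret));
```

The remote script embeds the same `$secret` as the central site, exactly as the thread proposes for the shared key; what changes is that each message carries its own nonce and an integrity tag, so a captured ciphertext cannot be altered into a valid one and identical passwords are not recognisable on the wire. Replay of an unmodified payload is still possible with a shared key alone, which is one reason the SSL advice given earlier in the thread stands.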
Re: i need to create a custom encrypt and decrypt function
Posted: Thu Apr 22, 2010 6:22 pm
by Christopher
s.dot wrote:I have a central site that will post login authorization to several sites. The remote sites will check that the supplied username and password are correct.
The problem is sending the password in plain text to the remote sites. The other problem is the remote sites will have their passwords stored in different formats (plain text, md5, sha, etc).
Do you control all of these sites?
When you say (plain text, md5, sha, etc) how many are there really?
If it is just md5 and sha, you could concat the md5 and sha of the password. Then the receiving sites would either use the sha or md5 part, or if they had plain text passwords stored then md5 the password and compare to what is passed.
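The "send both digests" idea above, worked through as an added example rather than code from the thread: the central site sends md5 and sha1 of the password as fixed-width hex, and each remote site picks the digest that fits its own storage format. The storage formats, stored values and password are constructed samples; `hash_equals` assumes PHP 5.6 or later.

```php
<?php
// Added example (not from the thread): the concatenated-digest approach.

// Central site: the remote never sees the password, only its md5 and sha1
// digests concatenated as fixed-width lowercase hex (32 + 40 characters).
function buildDigestPayload(string $password): string
{
    return md5($password) . sha1($password);
}

// Remote site: split the payload back into its two digests.
// Returns null unless the payload is exactly 72 lowercase hex characters.
function parseDigestPayload(string $payload): ?array
{
    if (!preg_match('/^[0-9a-f]{72}$/', $payload)) {
        return null;
    }
    return array('md5' => substr($payload, 0, 32), 'sha1' => substr($payload, 32, 40));
}

// Remote site: compare according to how this site stores its passwords.
// A site with plain-text storage hashes its stored value and compares digests,
// so the plain text never travels. Anything salted cannot be matched this way.
function verifyAgainstStore(string $payload, string $storedFormat, string $storedValue): bool
{
    $digests = parseDigestPayload($payload);
    if ($digests === null) {
        return false;
    }
    switch ($storedFormat) {
        case 'md5':   return hash_equals(strtolower($storedValue), $digests['md5']);
        case 'sha1':  return hash_equals(strtolower($storedValue), $digests['sha1']);
        case 'plain': return hash_equals(md5($storedValue), $digests['md5']);
        default:      return false; // salted or other hash formats are not covered
    }
}

// Demonstration with constructed inputs
$payload = buildDigestPayload('hunter2');
$results = array(
    'md5'    => verifyAgainstStore($payload, 'md5', md5('hunter2')),
    'sha1'   => verifyAgainstStore($payload, 'sha1', sha1('hunter2')),
    'plain'  => verifyAgainstStore($payload, 'plain', 'hunter2'),
    'wrong'  => verifyAgainstStore($payload, 'plain', 'hunter3'),
    'salted' => verifyAgainstStore($payload, 'crypt', 'constructed-salted-hash'),
    'junk'   => verifyAgainstStore('not-a-payload', 'md5', md5('hunter2')),
);
var_dump($results);
```

Two properties of this scheme are worth keeping in view on the remote side: the digests are unsalted, so whoever captures a payload holds something that is accepted as the credential by every site that uses this protocol (it hides the plain text, not the ability to log in), and a remote site that later moves to salted hashes can no longer verify these payloads at all.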
Re: i need to create a custom encrypt and decrypt function
Posted: Fri Apr 23, 2010 6:03 am
by Apollo
The alternatives above are probably more suitable to you, but just for sake of completeness, you could also abuse SQL encryption functions:
Code:
mysql_query("SELECT AES_ENCRYPT('password','key')");
(or DES_ENCRYPT etc)