String encrypt/decrypt

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
mcurry
Forum Newbie
Posts: 12
Joined: Tue Jan 21, 2003 3:41 pm

String encrypt/decrypt

Post by mcurry »

Anyone know of a way to encrypt a string, so that if any character of the encryted string are changed, it can not be decrypted? Or at least the decrypted string will be fairly messed up? I've tried some, but messing up a character or two still allows the string to be unencrypted fairly accurately. Thanks.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

have you looked at rsa? des? blowfish? idea?
mcurry
Forum Newbie
Posts: 12
Joined: Tue Jan 21, 2003 3:41 pm

Post by mcurry »

No...I was mostly looking at the classes at phpclasses.org. I was hoping I wouldn't have to install the mcrypt library and rebuild php. Will one/all of these do what I'm looking for?
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

they should, and so should sha, which i think mcrypt will use even without a specifically built library.

the real gurus in security (which is what this falls under) are neilsene and mcgruff. one of them should see this by the end of the day and be able to give you what you need to do it. i'll deferr to them.
User avatar
phpcoder
Forum Contributor
Posts: 158
Joined: Sat Nov 02, 2002 1:18 pm
Location: Manchester, UK

Post by phpcoder »

There r different algos that u can use to encrypt ur data and if some one makes any change in encrypted data then the resultant data or string will be not the rite one .
you can use algo like to map ist char of alphabet with 3rd one or some thing like this but keep it secret . :wink:
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

What have you been trying?

What is your hosting environment? Shared/Dedicated? How commonly do you have to decrypt? Are you encrypting to provide for secrecy/privacy or just to check tampering?
mcurry
Forum Newbie
Posts: 12
Joined: Tue Jan 21, 2003 3:41 pm

Post by mcurry »

I have been playing with AzDGCrypt class from phpclasses. It works well, but if I mess with some of the encrypted characters the string will still decrypt fairly well. I have a dedicated environment. The decrypting will not be done very often. The purpose of this is provide security and prevent tampering. The string being encrypted is an SQL query. I want to make sure that if the it is tampered with the resulting decrypted string will not run.
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

OK dedicating hosting, good. So symmetric ciphers or public key methods are possible.

I would strongly suggest using either the mcrypt library or the openSSL one or both.

To prevent tampering the best way is to use a MAC, which will be a oneway hash, either MD5 or SHA1. MD5 is built-in to PHP, SHA1 is in the mcrypt library. You'll do something like:

Code: Select all

$MAC = MD5($query. $serversecret);
store the $MAC in the database with the query, before running the
query recompute the $MAC and compare. If they differ, then someone tampered with the $query. Typically speaking, changing a character in the $query will causing a complete change of the output of the hash.

To offer privacy, as the decryption is rare, I would use a Public/Private key pair from the openSSL library, encrypt the string with the public key and then save that. Store the private key off-line and enter it when you need it on the rare occasions to decrypt it. This will require a person-in-the-loop for decrption. You can still use the MAC. In your case I would do the MAC calculations pre-encryption and post-decryption.
mcurry
Forum Newbie
Posts: 12
Joined: Tue Jan 21, 2003 3:41 pm

Post by mcurry »

Thanks for all the help. I'm not sure which way I'm going to go with yet. Another method I'm playing with is to bzcompress the string first, then encode it. This seems to do a pretty good job of making the encryted string tamper resistant and is fairly easy to implement.
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I'ld hesitate to do that. Compression is not meant to be encryption method.... Creating "home-grown" encryption out of other tools is almost certain to be flawed and weak security.

If tamper resistant is all you need, just use the MAC method and don't even bother encrypting....
Post Reply