Encryption


Zeceer
Forum Contributor
Posts: 136
Joined: Fri Aug 02, 2002 5:10 am
Location: Norway

Encryption

Post by Zeceer »

I'm wondering how to encrypt data in PHP. I'm thinking about transferring Visa, MasterCard and so on over the Internet and into a mail account. I've read a little about the crypt() function. Is there any good way?
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm

Post by hob_goblin »

crypt() is one-way... so don't use it... not sure about two-way encryption, I don't know any
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

PHP has several cryptography functions:
crypt, MD5, mcrypt_*, and openssl_* all offer different types of encryption technologies.

Both crypt and MD5 are one-way, irreversible hash functions good for protecting passwords or MAC'ing. mcrypt gives a wide suite of symmetric-key encryption/decryption algorithms. The openssl functions provide public-key asymmetric algorithms. Depending on your application any or all of these may be useful.

Also, if you are submitting credit card data or other sensitive/private data you should be using SSL at the server level as well.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

MD5 is the best for password encryption. (You cannot decrypt it unless you use a brute force attack)
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I beg to differ, MD5 is not the best. SHA1 is probably a better hashing function. And stored passwords should be salted, which is why I prefer crypt, invoked using MD5 as its hash instead of 3DES.
hob_goblin
Forum Regular
Posts: 978
Joined: Sun Apr 28, 2002 9:53 pm

Post by hob_goblin »

Takuma wrote: MD5 is the best for password encryption. (You cannot decrypt it unless you use a brute force attack)
Why am I not doubting it's probably the only or one of about two encryption methods you've used?
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

hob_goblin wrote:
Takuma wrote: MD5 is the best for password encryption. (You cannot decrypt it unless you use a brute force attack)
Why am I not doubting it's probably the only or one of about two encryption methods you've used?
Play nice kids...

Mac
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

If you're interested in learning more about crypto in general without diving too deep right away, RSA's website has a good FAQ.

I.e., if you want to know when a hash is appropriate or when secret-key is better than public-key, etc. I've found it to be a great starting point to figure out what I need to learn more about.
samscripts
Forum Commoner
Posts: 57
Joined: Tue Apr 23, 2002 4:34 pm
Location: London, UK

Post by samscripts »

Hi, I found a tutorial on webmonkey:

http://hotwired.lycos.com/webmonkey/pro ... rial1.html

introduction says it covers:

Encryption options, PGP, GnuPG
Hashes, one-way encoding, mcrypt and mhash libraries

hope this helps, Sam
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I just read over the tutorial samscripts linked and it's quite good. It does gloss over some important uses for public-key crypto and it doesn't show how to use crypt in MD5/Blowfish modes, but otherwise it provides a very good introduction to how to use all the PHP encryption stuff. (You can use the experimental openssl_* functions instead of PGP and system() calls.)
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

For illustration purposes, here's how a site could use all the types of encryption available for different, worthwhile purposes.

User passwords: stored salted and hashed using crypt($password,$salt) where $salt = "$1$" and 12 random characters (maybe a substring of MD5(microtime().getmypid())). Test passwords by (crypt($enteredPass,$storedPass)==$storedPass)

Session hijack detection: create an MD5 hash of client IP and session ID, recompare on every page, to see if someone is tampering with session IDs.

Protecting sensitive information (maybe street mailing address, telephone numbers, SSNs, DOBs, CCs etc.): this is data that may be seldom used, but is stored in your database. Using the mcrypt library you can safely encrypt/decrypt it so that a database leak won't expose this information. If you need to search the database for these values, you'll need to encrypt the search term first. (If you need to do a regex-type search you're out of luck with this option, so it makes sense for things you seldom/never use as search terms.)

Password reminders: public/private key makes sense here for sending a user their password over the insecure email channel. Encrypt with their public key and sign with your site's secret key, and only they can read the email and they know you sent it.

Now most sites don't need to be this paranoid, but it might show how the different tools are useful.
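Two of the uses nielsene lists above (and the crypt-with-MD5 salting he recommends earlier in the thread) worked through in PHP as an added example; this is not code from the thread or from any poster. It assumes a current PHP with the openssl extension: mcrypt has since been removed from PHP, so the field encryption uses openssl_encrypt() with AES-256-GCM instead, and the key and field values are constructed for the demo. Two practitioner caveats are built in: the MD5-crypt scheme only uses 8 salt characters after "$1$" (longer salts are truncated), and because each field ciphertext gets a fresh random nonce, "encrypt the search term and compare" cannot work, so an HMAC blind index under a separate key provides the equality search instead.

```php
<?php
// Added example, not code from the thread. Salted password hashing with
// crypt() in MD5 mode ("$1$"), plus reversible encryption of seldom-searched
// fields with an equality-searchable blind index.

// MD5-crypt salt: "$1$" plus 8 characters from the crypt alphabet ./0-9A-Za-z.
// random_int() is a CSPRNG; a substring of md5(microtime().getmypid()) is
// predictable, so it is not used for the salt here.
function make_md5crypt_salt(): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    return '$1$' . $salt . '$';
}

function hash_password(string $password): string
{
    return crypt($password, make_md5crypt_salt());
}

// crypt() reads the "$1$<salt>$" prefix out of the stored hash, so passing the
// stored value as the salt recomputes the same hash. hash_equals() compares in
// constant time instead of a plain == on the two strings.
function verify_password(string $entered, string $stored): bool
{
    return hash_equals($stored, crypt($entered, $stored));
}

// Field encryption: AES-256-GCM with a fresh 12-byte random nonce per value,
// so identical plaintexts produce different ciphertexts. The stored form is
// base64(nonce || tag || ciphertext). $key is a 32-byte secret.
function encrypt_field(string $plaintext, string $key): string
{
    $nonce = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($nonce . $tag . $ct);
}

function decrypt_field(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < 28) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($pt === false) {
        // GCM tag check failed: ciphertext was modified or the key is wrong.
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Blind index: HMAC of the normalised value under a key separate from the
// encryption key. Equal values give equal indexes, so the column can be
// searched for equality without storing or revealing the plaintext.
function blind_index(string $value, string $indexKey): string
{
    return hash_hmac('sha256', strtolower(trim($value)), $indexKey);
}

// --- constructed demo values (in practice both keys live outside the DB) ---
$fieldKey = random_bytes(32);
$indexKey = random_bytes(32);

$stored = hash_password('correct horse');
var_dump(verify_password('correct horse', $stored));
var_dump(verify_password('wrong guess', $stored));

$phone = '+44 20 7946 0000';
$row = [
    'phone_enc'   => encrypt_field($phone, $fieldKey),
    'phone_index' => blind_index($phone, $indexKey),
];
var_dump(decrypt_field($row['phone_enc'], $fieldKey));
// Equality search: compute the blind index of the search term and match it
// against the stored column rather than decrypting every row.
var_dump(hash_equals($row['phone_index'], blind_index($phone, $indexKey)));
```

The "$1$" scheme is shown because it is what the post describes; on a current PHP the built-in password_hash() and password_verify() (bcrypt by default, with the salt generated for you) are the supported way to do the same job. The blind index only supports exact-match lookups, which is the same limitation the post notes for encrypted search terms, and it is why the index key must be different from the encryption key.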
gotDNS
Forum Contributor
Posts: 217
Joined: Tue May 07, 2002 5:53 pm
Location: West Chester, PA

Post by gotDNS »

MD5 IS in fact one of the best forms of encryption. Technically, if it cannot be decrypted (the only way to figure it out is to hash every possible "thing" and match it to the hash; MD5 is irreversible), it can't be BAD at all. Any other hash function may be EQUALLY as good, but I see no way that it can be better... irreversible is irreversible.
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Just to support my position on MD5, the reason why SHA1 or RIPEMD-160 are considered better is that both produce a 160-bit digest as opposed to the 128-bit digest used in MD5 (and MD4, MDC2, and MD2). The longer digest leads to a smaller chance of hash collisions, which increases the security of the hash.

In addition, there are times when you need reversible encryption; there are many times when simply encrypting the test data to test against the stored value can't or won't work, so it's good to know about the other methods available.
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

OK, I admit I didn't know anything about encryption... But do you guys know where I can find out about "Salting"?
gotDNS
Forum Contributor
Posts: 217
Joined: Tue May 07, 2002 5:53 pm
Location: West Chester, PA

Post by gotDNS »

Irreversible hashes are good. I like them. They bring security. Muy.