Encryption
Posted: Thu Aug 29, 2002 9:03 am
by Zeceer
I'm wondering how to encrypt data in PHP. I'm thinking about transferring Visa, MasterCard and so on over the Internet and into a mail account. I've read a little about the crypt() function. Is there any good way?
Posted: Thu Aug 29, 2002 9:08 am
by hob_goblin
crypt() is one-way... so don't use it... Not sure about two-way encryption, I don't know any.
Posted: Thu Aug 29, 2002 9:11 am
by nielsene
PHP has several cryptography functions
crypt, MD5, mcrypt_*, and openssl_* all offer different types of encryption technologies.
Both crypt and MD5 are one-way, irreversible hash functions good for protecting passwords or MAC'ing. mcrypt gives a wide suite of symmetric-key encryption/decryption algorithms. The openssl functions provide public-key asymmetric algorithms. Depending on your application any or all of these may be useful.
Also, if you are submitting credit card data or other sensitive/private data, you should be using SSL at the server level as well.
Posted: Thu Aug 29, 2002 9:43 am
by Takuma
MD5 is the best for encrypting passwords. (You cannot decrypt it unless you use a brute force attack.)
Posted: Thu Aug 29, 2002 9:47 am
by nielsene
I beg to differ, MD5 is not the best. SHA1 is probably a better hashing function. And stored passwords should be salted, which is why I prefer crypt, invoked using MD5 as its hash instead of 3DES.
Posted: Thu Aug 29, 2002 9:56 am
by hob_goblin
Takuma wrote: MD5 is the best for encrypting passwords. (You cannot decrypt it unless you use a brute force attack.)
Why am I not doubting it's probably the only or one of about two encryption methods you've used?
Posted: Thu Aug 29, 2002 9:59 am
by twigletmac
hob_goblin wrote: Takuma wrote: MD5 is the best for encrypting passwords. (You cannot decrypt it unless you use a brute force attack.)
Why am I not doubting it's probably the only or one of about two encryption methods you've used?
Play nice kids...
Mac
Posted: Thu Aug 29, 2002 10:01 am
by nielsene
If you're interested in learning more about crypto in general without diving too deep right away, RSA's website has a good FAQ.
I.e. if you want to know when a hash is appropriate or when secret-key is better than public-key, etc. I've found it to be a great starting point to figure out what I need to learn more about.
Posted: Thu Aug 29, 2002 10:09 am
by samscripts
Hi, I found a tutorial on webmonkey:
http://hotwired.lycos.com/webmonkey/pro ... rial1.html
The introduction says it covers:
Encryption options, PGP, GnuPG
Hashes, one-way encoding, mcrypt and mhash libraries
Hope this helps, Sam
Posted: Thu Aug 29, 2002 10:25 am
by nielsene
I just read over the tutorial samscripts linked and it's quite good. It does gloss over some important uses for public-key crypto and it doesn't show how to use crypt in MD5/Blowfish modes, but otherwise it provides a very good introduction to how to use all the PHP encryption stuff. (You can use the experimental openssl_* functions instead of PGP and system() calls.)
Posted: Thu Aug 29, 2002 10:50 am
by nielsene
For illustration purposes, here's how a site could use all the types of encryption available for different, worthwhile purposes.
User passwords: stored salted and hashed using crypt($password, $salt) where $salt = "$1$" and 12 random characters (maybe a substring of MD5(microtime().getmypid())). Test passwords by (crypt($enteredPass, $storedPass) == $storedPass).
Session hijack detection: create an MD5 hash of client IP and session ID, recompare on every page, to see if someone is tampering with session IDs.
Protecting sensitive information (maybe street mailing address, telephone numbers, SSNs, DOBs, CCs etc.): this is data that may be seldom used, but is stored in your database. Using the mcrypt library you can safely encrypt/decrypt it so that a database leak won't expose this information. If you need to search the database for these values, you'll need to encrypt the search term first. (If you need to do a regex-type search you're out of luck with this option, so it makes sense for things you seldom/never use as search terms.)
Password reminders: public/private key makes sense here for sending a user their password over the insecure email channel. Encrypt with their public key and sign with your site's secret key, and only they can read the email and they know you sent it.
Now most sites don't need to be this paranoid, but it might show how the different tools are useful.
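An added example, not code from this thread, that implements the password-storage and session-binding parts of the post above in PHP. It uses crypt() in the "$1$" MD5-crypt mode the post describes and the post's verify-by-recrypting check, but draws the salt from random_bytes() instead of md5(microtime().getmypid()) and compares with hash_equals(); both functions assume PHP 7.0 or later. The password, IP addresses and session ID in the demonstration are constructed values.

```php
<?php
// Added example (not part of the original thread): the salted crypt()
// password scheme and the session-binding check from nielsene's post.
// Assumes PHP >= 7.0 (random_bytes, hash_equals). All sample values are
// constructed for the demonstration.
declare(strict_types=1);

// Build a "$1$<salt>$" prefix for crypt(). MD5-crypt uses at most 8 salt
// characters from the alphabet [./0-9A-Za-z]; 6 random bytes base64-encode
// to exactly 8 characters, and mapping '+' to '.' keeps them in that
// alphabet. This replaces the post's md5(microtime().getmypid()) idea with
// a cryptographically secure source.
function makeMd5CryptSalt(): string
{
    return '$1$' . strtr(base64_encode(random_bytes(6)), '+', '.') . '$';
}

// Hash a new password for storage. crypt() embeds the salt in its output,
// so the returned string is the only thing that needs to be stored.
function hashPassword(string $password): string
{
    $hash = crypt($password, makeMd5CryptSalt());
    // crypt() reports failure with a short string such as "*0".
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed');
    }
    return $hash;
}

// Verify a login attempt. Passing the stored hash as the "salt" makes
// crypt() reuse the "$1$<salt>$" prefix embedded in it, which is why the
// post's crypt($entered, $stored) == $stored test works. hash_equals()
// replaces == so the comparison does not leak timing information.
function verifyPassword(string $entered, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($entered, $storedHash));
}

// Session hijack detection as the post describes it: hash the client IP
// together with the session ID, keep the result in the session, and
// recompute it on every request.
function sessionBindingToken(string $clientIp, string $sessionId): string
{
    return md5($clientIp . '|' . $sessionId);
}

function sessionStillBound(string $storedToken, string $clientIp, string $sessionId): bool
{
    return hash_equals($storedToken, sessionBindingToken($clientIp, $sessionId));
}

// Demonstration with constructed values.
function check(string $label, bool $ok): void
{
    echo str_pad($label, 48) . ($ok ? 'ok' : 'FAIL') . PHP_EOL;
}

$stored = hashPassword('correct horse battery');
check('stored hash carries the $1$ prefix', strncmp($stored, '$1$', 3) === 0);
check('right password verifies', verifyPassword('correct horse battery', $stored));
check('wrong password is rejected', !verifyPassword('wrong horse', $stored));
check('same password, new salt, different hash', hashPassword('correct horse battery') !== $stored);

$token = sessionBindingToken('203.0.113.5', 'c0nstructedSess10nId');
check('same client still bound', sessionStillBound($token, '203.0.113.5', 'c0nstructedSess10nId'));
check('different client IP detected', !sessionStillBound($token, '198.51.100.7', 'c0nstructedSess10nId'));
```

Run it with `php example.php`. Two caveats a practitioner would add to the scheme as posted: MD5-crypt only reads the first eight salt characters, so the twelve the post suggests are partly ignored, and PHP 5.5 and later ship password_hash()/password_verify(), which use bcrypt and handle salt generation and comparison for you. Binding a session to the client IP also logs out legitimate users whose address changes mid-session (mobile networks, proxy pools), so a mismatch is better treated as a reason to re-authenticate than as proof of an attack.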
Posted: Thu Aug 29, 2002 4:24 pm
by gotDNS
MD5 IS in fact one of the best forms of encryption. Technically, if it cannot be decrypted (the only way to figure it out is to hash every possible "thing" and match it to the hash; MD5 is irreversible), it can't be BAD at all. Any other hash function may be EQUALLY as good, but I see no way that it can be better... irreversible is irreversible.
Posted: Fri Aug 30, 2002 10:30 am
by nielsene
Just to support my position on MD5, the reason why SHA1 or RIPEMD-160 are considered better is that both produce a 160-bit digest as opposed to the 128-bit digest used in MD5 (and MD4, MDC2, and MD2). The longer digest leads to a smaller chance of hash collisions, which increases the security of the hash.
In addition, there are times when you need reversible encryption; there are many times when simply encrypting the test data to check against the stored value can't or won't work, so it's good to know about the other methods available.
Posted: Fri Aug 30, 2002 3:53 pm
by Takuma
OK, I admit I didn't know anything about encryption... But do you guys know where I can find out about "Salting"?
Posted: Fri Aug 30, 2002 9:01 pm
by gotDNS
Irreversible hashes are good. I like them. They bring security. Muy.