Simple Encryption / Decryption

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
tkarven
Forum Commoner
Posts: 41
Joined: Tue Aug 02, 2005 10:26 pm

Simple Encryption / Decryption

Post by tkarven »

Hi,

How can we perform a simple two ways encryption? MD5 and crypt is out since it's one way and mcrypt is out as well where i dont have root access to the server.

I dont really need superb security for those data, but just some sort of encryption to make it not human-readable, that's all.

Thanks for any help in advance.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

base64_encode() tastes like grog.....


yar.
tkarven
Forum Commoner
Posts: 41
Joined: Tue Aug 02, 2005 10:26 pm

Post by tkarven »

Simple and perfect. Thanks so much feyd
User avatar
$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Post by $var »

I was testing it just putting the values in hard coded,
and I think that it offers the basic security that I need.... it's good for face saving at least...

I just wanted to ask if this looks right for appyling it to the insert page
so that it encodes the password that user entered:

Code: Select all

$sql = "INSERT INTO * (Password) VALUES ('"base64_encode(.$_POST["password"].)"')";
<br>

Code: Select all

Password ='".str_replace("'","'",base64_encode($_POST["password"]);
I have it placed inside the .str_replace because I want to include the ' if it gets used.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I would highly suggest not storing a password in base64 encoding.. MD5, or some other one-way hashing is best used for it.

Aside from that, your concept is fine, but the code will fail to parse.. ;)
User avatar
_dev
Forum Newbie
Posts: 9
Joined: Tue Sep 20, 2005 4:15 am
Location: Austria

Post by _dev »

i'd always use one-way encryption, but if it needs to be 2-ways, i've found that sometime on the web

Code: Select all

<?php

/**********************************************
**
** MD5 block cypher
**
** Author..: leapinglangoor [ leapinglangoor@yahoo.co.in ]
** Date....: 30th Apr 2005
** version.: v1.00
**
** Desc....: Below is MD5-based block cypher ( MDC-like ),
** which works in 128bit CFB mode. It is very useful to
** encrypt secret data before transfer it over the network.
**
** $iv_len - initialization vector's length.
** 0 <= $iv_len <= 512
**
************************************************/

function get_rnd_iv( $iv_len )
{

    $iv = '';
    while ( $iv_len-- > 0 )
    {
         $iv .= chr( mt_rand(  ) & 0xff );
    }

     return $iv;
}

function md5_encrypt( $plain_text, $password, $iv_len = 16 )
{

    $plain_text .= "\x13";
    $n = strlen( $plain_text );
    if ( $n % 16 )
    {
        $plain_text .= str_repeat( "\0", 16 - ( $n % 16 ) );
    }

    $i = 0;
    $enc_text = get_rnd_iv( $iv_len );
    $iv = substr( $password ^ $enc_text, 0, 512 );
    while ( $i < $n )
    {
         $block = substr( $plain_text, $i, 16 ) ^ pack( 'H*', md5( $iv ) );
         $enc_text .= $block;
         $iv = substr( $block . $iv, 0, 512 ) ^ $password;
         $i += 16;
    }

    return base64_encode( $enc_text );

}


function md5_decrypt( $enc_text, $password, $iv_len = 16 )
{

    $enc_text = base64_decode( $enc_text );
    $n = strlen( $enc_text );
    $i = $iv_len;
    $plain_text = '';
    $iv = substr( $password ^ substr( $enc_text, 0, $iv_len ), 0, 512 );
    while ( $i < $n )
    {
         $block = substr( $enc_text, $i, 16 );
         $plain_text .= $block ^ pack( 'H*', md5( $iv ) );
         $iv = substr( $block . $iv, 0, 512 ) ^ $password;
         $i += 16;
    }

    return preg_replace( '/\\x13\\x00*$/', '', $plain_text );

}

?>

example.php:

<?php

include( 'md5.php' );

$plain_text = 'very secret string';
$password = 'very secret password';

echo "plain text is: [${plain_text}]<br />\n";
echo "password is: [${password}]<br />\n";

$enc_text = md5_encrypt( $plain_text, $password );
echo "encrypted text is: [${enc_text}]<br />\n";

$plain_text2 = md5_decrypt( $enc_text, $password );
echo "decrypted text is: [${plain_text2}]<br />\n";

?>
User avatar
$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Post by $var »

I thought that MD5 was recently discovered as cracked with the GForce site or whatever?
It's still good enough? I mean, either way if you want the info, you can get it...
I was just putting that little extra step in... it's really not vital info, no credit cards.
User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

As pointed out by those above, it's not an ideal solution to store a basecode value.

If you are looking to use this just for a login, then use md5, store the md5 password and compare the md5 of the users input to the value of the password field, like below:

Code: Select all

<?php

/* when entering the users details into the system, 
disregarding the check to see if they already exist for now: */

mysql_connect('bobshost', 'bob', 'bobspassword') or die('Could not connect');

mysql_select_db('bobsdb') or die("Couldn't select DB");

$uname = mysql_real_escape_string($_POST['username']);

$pwd = md5($_POST['password']);

mysql_query("INSERT INTO bobstable(uname, pwd) VALUES ('$uname', '$pwd')");

if (mysql_affected_rows() < 1) {
    die('Error inserting user details');
}

?>

Code: Select all

<?php

/* On login page... */

mysql_connect('bobshost', 'bob', 'bobspassword') or die('Could not connect');

mysql_select_db('bobsdb') or die("Couldn't select DB");

$uname = mysql_real_escape_string($_POST['username']);

$pwd = md5($_POST['password']);

$result = mysql_query("SELECT * FROM bobstable WHERE uname = '$uname' AND pwd = '$pwd'");

if (!$result) {
    die('Error with Query');
}

if (mysql_num_rows($result) < 1) {
    die('Incorrect Login Details!');
}
?>
User avatar
$var
Forum Contributor
Posts: 317
Joined: Thu Aug 18, 2005 8:30 pm
Location: Toronto

Post by $var »

cool.... sounds good. thanks for clearing that up.
User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

As far as I know, MD5 is un crackable. The only way to get past it is to 'fluke' it by means of brute force.

I.E. leave a comp running to try every possibly conceivable combination of characters until you find a matching MD5.

Have a value greater than 5 characters and you'll be waiting hours, more than 8 and you'll be waiting weeks.

But there are people that determined... which is why it is good practice to limit the number of attempts before locking the account someone is trying to force.
Post Reply