Simple Encryption / Decryption

Posted: Wed Sep 14, 2005 9:42 pm
by tkarven
Hi,

How can we perform simple two-way encryption? MD5 and crypt are out since they're one-way, and mcrypt is out as well since I don't have root access to the server.

I don't really need superb security for this data, just some sort of encryption to make it not human-readable, that's all.

Thanks for any help in advance.

Posted: Wed Sep 14, 2005 11:32 pm
by feyd
base64_encode() tastes like grog.....


yar.

Posted: Wed Sep 14, 2005 11:42 pm
by tkarven
Simple and perfect. Thanks so much feyd

Posted: Tue Sep 20, 2005 8:44 am
by $var
I was testing it just putting the values in hard coded,
and I think that it offers the basic security that I need.... it's good for face saving at least...

I just wanted to ask if this looks right for applying it to the insert page
so that it encodes the password that the user entered:

Code:

$sql = "INSERT INTO * (Password) VALUES ('"base64_encode(.$_POST["password"].)"')";

Code:

Password ='".str_replace("'","'",base64_encode($_POST["password"]);
I have it placed inside the .str_replace because I want to include the ' if it gets used.

Posted: Tue Sep 20, 2005 8:48 am
by feyd
I would highly suggest not storing a password in base64 encoding.. MD5, or some other one-way hashing is best used for it.

Aside from that, your concept is fine, but the code will fail to parse.. ;)

Posted: Tue Sep 20, 2005 8:56 am
by _dev
I'd always use one-way encryption, but if it needs to be two-way, I found this on the web at some point:

Code:

<?php

/**********************************************
**
** MD5 block cypher
**
** Author..: leapinglangoor [ leapinglangoor@yahoo.co.in ]
** Date....: 30th Apr 2005
** version.: v1.00
**
** Desc....: Below is MD5-based block cypher ( MDC-like ),
** which works in 128bit CFB mode. It is very useful to
** encrypt secret data before transfer it over the network.
**
** $iv_len - initialization vector's length.
** 0 <= $iv_len <= 512
**
************************************************/

function get_rnd_iv( $iv_len )
{

    $iv = '';
    while ( $iv_len-- > 0 )
    {
         $iv .= chr( mt_rand(  ) & 0xff );
    }

     return $iv;
}

function md5_encrypt( $plain_text, $password, $iv_len = 16 )
{

    $plain_text .= "\x13";
    $n = strlen( $plain_text );
    if ( $n % 16 )
    {
        $plain_text .= str_repeat( "\0", 16 - ( $n % 16 ) );
    }

    $i = 0;
    $enc_text = get_rnd_iv( $iv_len );
    $iv = substr( $password ^ $enc_text, 0, 512 );
    while ( $i < $n )
    {
         $block = substr( $plain_text, $i, 16 ) ^ pack( 'H*', md5( $iv ) );
         $enc_text .= $block;
         $iv = substr( $block . $iv, 0, 512 ) ^ $password;
         $i += 16;
    }

    return base64_encode( $enc_text );

}


function md5_decrypt( $enc_text, $password, $iv_len = 16 )
{

    $enc_text = base64_decode( $enc_text );
    $n = strlen( $enc_text );
    $i = $iv_len;
    $plain_text = '';
    $iv = substr( $password ^ substr( $enc_text, 0, $iv_len ), 0, 512 );
    while ( $i < $n )
    {
         $block = substr( $enc_text, $i, 16 );
         $plain_text .= $block ^ pack( 'H*', md5( $iv ) );
         $iv = substr( $block . $iv, 0, 512 ) ^ $password;
         $i += 16;
    }

    return preg_replace( '/\\x13\\x00*$/', '', $plain_text );

}

?>

example.php:

<?php

include( 'md5.php' );

$plain_text = 'very secret string';
$password = 'very secret password';

echo "plain text is: [${plain_text}]<br />\n";
echo "password is: [${password}]<br />\n";

$enc_text = md5_encrypt( $plain_text, $password );
echo "encrypted text is: [${enc_text}]<br />\n";

$plain_text2 = md5_decrypt( $enc_text, $password );
echo "decrypted text is: [${plain_text2}]<br />\n";

?>
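
An added example, not part of the original post or of the quoted cipher: the same encrypt/decrypt, base64-in/base64-out shape built on libsodium's authenticated `sodium_crypto_secretbox()` (bundled with PHP 7.2+). The names `box_encrypt`/`box_decrypt` and the sample strings are made up for illustration; it takes a random 32-byte key rather than a password, draws its nonce from the OS CSPRNG instead of `mt_rand()`, and rejects modified ciphertext.

```php
<?php
// Added example: authenticated two-way encryption with libsodium (PHP >= 7.2).
// box_encrypt()/box_decrypt() are illustrative names, not from the original post.

function box_encrypt(string $plain_text, string $key): string
{
    // A fresh nonce from the OS CSPRNG for every message; it is not secret,
    // so it travels in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($plain_text, $nonce, $key);
    return base64_encode($nonce . $cipher);
}

function box_decrypt(string $enc_text, string $key)
{
    $raw = base64_decode($enc_text, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return false; // not valid base64, or too short to hold nonce + MAC
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // Returns false when the key is wrong or any byte was altered.
    return sodium_crypto_secretbox_open($cipher, $nonce, $key);
}

// Constructed sample data. Generate the key once and keep it outside the database.
$key = sodium_crypto_secretbox_keygen();
$enc_text = box_encrypt('very secret string', $key);
echo "encrypted text is: [$enc_text]\n";
echo "decrypted text is: [" . box_decrypt($enc_text, $key) . "]\n";

// Flip one bit of the ciphertext: decryption must refuse it instead of
// returning altered plaintext.
$raw = base64_decode($enc_text);
$last = strlen($raw) - 1;
$raw[$last] = chr(ord($raw[$last]) ^ 0x01);
var_dump(box_decrypt(base64_encode($raw), $key));
```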

Posted: Tue Sep 20, 2005 9:51 am
by $var
I thought that MD5 was recently discovered as cracked with the GForce site or whatever?
It's still good enough? I mean, either way if you want the info, you can get it...
I was just putting that little extra step in... it's really not vital info, no credit cards.

Posted: Tue Sep 20, 2005 10:02 am
by Jenk
As pointed out by those above, it's not an ideal solution to store a basecode value.

If you are looking to use this just for a login, then use md5, store the md5 password and compare the md5 of the user's input to the value of the password field, like below:

Code:

<?php

/* when entering the users details into the system, 
disregarding the check to see if they already exist for now: */

mysql_connect('bobshost', 'bob', 'bobspassword') or die('Could not connect');

mysql_select_db('bobsdb') or die("Couldn't select DB");

$uname = mysql_real_escape_string($_POST['username']);

$pwd = md5($_POST['password']);

mysql_query("INSERT INTO bobstable(uname, pwd) VALUES ('$uname', '$pwd')");

if (mysql_affected_rows() < 1) {
    die('Error inserting user details');
}

?>

Code:

<?php

/* On login page... */

mysql_connect('bobshost', 'bob', 'bobspassword') or die('Could not connect');

mysql_select_db('bobsdb') or die("Couldn't select DB");

$uname = mysql_real_escape_string($_POST['username']);

$pwd = md5($_POST['password']);

$result = mysql_query("SELECT * FROM bobstable WHERE uname = '$uname' AND pwd = '$pwd'");

if (!$result) {
    die('Error with Query');
}

if (mysql_num_rows($result) < 1) {
    die('Incorrect Login Details!');
}
?>

Posted: Tue Sep 20, 2005 10:16 am
by $var
cool.... sounds good. thanks for clearing that up.

Posted: Tue Sep 20, 2005 10:20 am
by Jenk
As far as I know, MD5 is uncrackable. The only way to get past it is to 'fluke' it by means of brute force.

I.E. leave a comp running to try every possibly conceivable combination of characters until you find a matching MD5.

Have a value greater than 5 characters and you'll be waiting hours, more than 8 and you'll be waiting weeks.

But there are people that determined... which is why it is good practice to limit the number of attempts before locking the account someone is trying to force.
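
An added example, not part of the thread: the register/login flow from the posts above written with PHP's `password_hash()`/`password_verify()` (PHP 5.5+) and PDO prepared statements, combined with the attempt limit suggested in the last post. Table and column names follow the earlier code; the `fails` column, `MAX_FAILS`, the in-memory SQLite database and the sample account are assumptions made so the script runs on its own.

```php
<?php
// Added example: salted, slow password hashing plus an attempt limit.
// `fails`, MAX_FAILS and the sample account are assumptions for illustration.
// In-memory SQLite (pdo_sqlite) keeps the script self-contained.
const MAX_FAILS = 5;

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bobstable (uname TEXT PRIMARY KEY, pwd TEXT, fails INTEGER DEFAULT 0)');

function register(PDO $db, string $uname, string $password): void
{
    // password_hash() picks a per-user salt and embeds it, with the cost, in the hash string.
    $stmt = $db->prepare('INSERT INTO bobstable (uname, pwd) VALUES (?, ?)');
    $stmt->execute([$uname, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $uname, string $password): string
{
    // Fetch by username only: salted hashes differ per user, so the comparison
    // happens in PHP with password_verify(), not in the WHERE clause.
    $stmt = $db->prepare('SELECT pwd, fails FROM bobstable WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'denied';
    }
    if ((int) $row['fails'] >= MAX_FAILS) {
        return 'locked';
    }
    if (password_verify($password, $row['pwd'])) {
        $db->prepare('UPDATE bobstable SET fails = 0 WHERE uname = ?')->execute([$uname]);
        return 'ok';
    }
    $db->prepare('UPDATE bobstable SET fails = fails + 1 WHERE uname = ?')->execute([$uname]);
    return 'denied';
}

// Constructed demo: a good login, then MAX_FAILS wrong guesses, after which
// even the correct password is refused until the counter is reset.
register($db, 'alice', 'correct horse battery staple');
echo login($db, 'alice', 'correct horse battery staple'), "\n";
for ($i = 0; $i < MAX_FAILS; $i++) {
    echo login($db, 'alice', "guess$i"), "\n";
}
echo login($db, 'alice', 'correct horse battery staple'), "\n";
```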