How secure is crypt() ?

m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

Hi, I am new to PHP and still in the good old Hello World stages..

I have a few questions:

1. How secure is crypt(); ?

2. What level of encryption is it? i.e. 32bit, 64, 128 etc.

3. Could it be used to encrypt credit card details? If not then which methods do you recommend?

Thanks in advance
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

The security level of crypt depends on your OS. If you're on Linux or Windows, crypt is less secure than on a *BSD (including OS X). The crypt used by Linux and Windows is standard 3DES and only on the first 8 characters of the input. This standard crypt is salted, with a not very random salt.

The crypt used by BSD is MD5 with a better salt.

In Linux and Windows, if you give crypt an MD5 style salt, it will do an MD5 crypt which is much more secure. (Some Windows machines don't like this, some do...., the thread linked below shows a work around.)

See my old post at (last post on the page)
viewtopic.php?t=2396&postdays=0&postord ... 533ae4fe78

Remember that crypt is a one-way cypher, so you can't undo it. You can only check if two crypted things match. If you need to encrypt/decrypt something (such as most cc needs) check out the mcrypt library for a symmetric cypher.
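
The behaviour described in the post above, as an added example that is not part of the original thread: it hashes one password with a traditional two-character salt and with an MD5-style `$1$` salt, then checks the stored value by re-hashing a candidate. The helper names `verifyCrypt` and `md5StyleSalt`, the passwords and the salt `ab` are constructed for illustration, and the script assumes PHP 7 or later for `random_bytes()`.

```php
<?php
// Added illustration, not code from the thread. Passwords and salts are constructed samples.

// crypt() is one-way: to check a candidate, re-hash it with the scheme and salt
// embedded in the stored hash, then compare the two strings in constant time.
function verifyCrypt(string $candidate, string $stored): bool
{
    $computed = crypt($candidate, $stored);
    // crypt() signals failure with a short string starting with '*'.
    if (strlen($computed) < 13 || $computed[0] === '*') {
        return false;
    }
    return hash_equals($stored, $computed);
}

// Build an MD5-style salt: "$1$" + 8 characters from [./0-9A-Za-z] + "$".
function md5StyleSalt(): string
{
    // 6 random bytes encode to exactly 8 base64 characters with no padding.
    $raw = strtr(base64_encode(random_bytes(6)), '+', '.');
    return '$1$' . $raw . '$';
}

$password  = 'correct horse battery';
$lookalike = 'correct different tail'; // same first 8 characters, different afterwards

// Traditional scheme: two-character salt, input beyond the 8th character is ignored.
$desHash = crypt($password, 'ab');
// MD5-style scheme: selected by the "$1$" salt prefix, hashes the whole input.
$md5Hash = crypt($password, md5StyleSalt());

foreach (['traditional' => $desHash, 'md5-style' => $md5Hash] as $name => $hash) {
    printf("%-12s %s\n", $name, $hash);
    printf("  exact password accepted: %s\n", var_export(verifyCrypt($password, $hash), true));
    printf("  lookalike accepted:      %s\n", var_export(verifyCrypt($lookalike, $hash), true));
}
```

Comparing the two "lookalike" lines shows the 8-character limit of the traditional scheme. Current PHP code would normally use `password_hash()` and `password_verify()` instead of calling `crypt()` directly.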
m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

I appreciate your reply nielsene.

First of all, what is 3DES? And BSD? Secondly, I did try putting the following example into a script on my local machine running Apache 2.0.4.5 and PHP 4, but it didn't work...

---------------------------------------------------------------------------------

code:

<?php
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$key = "This is a very secret key";
$text = "Meet me at 11 o'clock behind the monument.";
echo strlen($text)."\n";

$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
echo strlen($crypttext)."\n";
?>

---------------------------------------------------------------------------------

The script generated the following errors:

Fatal error: Call to undefined function: mcrypt_get_iv_size() in C:\Program Files\Apache Group\Apache2\htdocs\mandio\encrypt.php on line 2

---------------------------------------------------------------------------------

Do I need to install some extra modules or something?? If so, can I install them locally??

thanks for your help
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

You need the mcrypt package (http://mcrypt.hellug.gr/), but I don't know if there is anything like this for Windows, probably not :)

BTW: Read the manual - http://php.net/manual/en/ref.mcrypt.php

P.S. Install Linux and test your scripts on REAL configuration :D