How secure is crypt() ?
Posted: Fri Jun 06, 2003 12:09 pm
by m@ndio
Hi, I am new to PHP and still in the good old Hello World stages..
I have a few questions:
1. How secure is crypt(); ?
2. What level of encryption is it? i.e. 32bit, 64, 128 etc.
3. Could it be used to encrypt credit card details? If not then which methods do you recommend?
Thanks in advance
Posted: Fri Jun 06, 2003 1:18 pm
by nielsene
The security level of crypt depends on your OS. If you're on Linux or Windows, crypt is less secure than on a *BSD (including OS X). The crypt used by Linux and Windows is standard 3DES and only on the first 8 characters of the input. This standard crypt is salted, with a not very random salt.
The crypt used by BSD is MD5 with a better salt.
In Linux and Windows, if you give crypt an MD5 style salt, it will do an MD5 crypt which is much more secure. (Some Windows machines don't like this, some do; the thread linked below shows a workaround.)
See my old post at (last post on the page)
viewtopic.php?t=2396&postdays=0&postord ... 533ae4fe78
Remember that crypt is a one-way cypher, so you can't undo it. You can only check if two crypted things match. If you need to encrypt/decrypt something (such as most cc needs) check out the mcrypt library for a symmetric cypher.
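The behaviour described in the post above, as an added example that is not part of the original thread: it compares crypt() called with a traditional 2-character salt against crypt() called with an MD5-style salt, and shows the "check if two crypted things match" step. It assumes PHP 7 or later (for random_bytes and hash_equals); the function names and sample passwords are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Sample passwords are constructed.

// Build an MD5-style salt: "$1$", up to 8 characters from [./0-9A-Za-z], "$".
function md5_crypt_salt(): string
{
    return '$1$' . bin2hex(random_bytes(4)) . '$';   // 8 hex characters
}

// crypt() is one-way: to verify, crypt the candidate again using the stored
// value as the salt argument, then compare the two strings in constant time.
function crypt_matches(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

function compare_crypt_variants(): array
{
    $a = 'password-alpha';   // the two inputs share their first 8 characters
    $b = 'password-bravo';   // and differ only after that

    // Traditional crypt (2-character salt): input past 8 characters is ignored.
    $traditional_same = hash_equals(crypt($a, 'ab'), crypt($b, 'ab'));

    // MD5 crypt: the whole input contributes to the result.
    $stored = crypt($a, md5_crypt_salt());

    return [
        'traditional: long inputs collide' => $traditional_same,
        'md5: stored value'                => $stored,
        'md5: correct password matches'    => crypt_matches($a, $stored),
        'md5: similar password matches'    => crypt_matches($b, $stored),
    ];
}

foreach (compare_crypt_variants() as $label => $value) {
    echo str_pad($label, 36), var_export($value, true), "\n";
}
```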
Posted: Fri Jun 06, 2003 2:58 pm
by m@ndio
I appreciate your reply nielsene.
First of all, what is 3DES? And BSD? Secondly, I did try putting the following example into a script on my local machine running Apache 2.0.4.5 and PHP 4, but it didn't work...
---------------------------------------------------------------------------------
code:
<?php
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$key = "This is a very secret key";
$text = "Meet me at 11 o'clock behind the monument.";
echo strlen($text)."\n";
$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
echo strlen($crypttext)."\n";
?>
---------------------------------------------------------------------------------
The script generated the following errors:
Fatal error: Call to undefined function: mcrypt_get_iv_size() in C:\Program Files\Apache Group\Apache2\htdocs\mandio\encrypt.php on line 2
---------------------------------------------------------------------------------
Do I need to install some extra modules or something?? If so, can I install them locally??
Thanks for your help
Posted: Fri Jun 06, 2003 4:24 pm
by delorian
You need the mcrypt package (http://mcrypt.hellug.gr/), but I don't know if there is anything like this for Windows, probably not
BTW: Read the manual -
http://php.net/manual/en/ref.mcrypt.php
P.S. Install Linux and test your scripts on a REAL configuration
