Basic questions about Encryption.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

karozans
Forum Newbie
Posts: 8
Joined: Mon Sep 15, 2008 5:14 pm

Basic questions about Encryption.

Post by karozans »

Hi everyone. I am new to encryption.

I am developing a web client that communicates with LDAP using PHP. Right now I have an OpenLDAP server running and a client program that is connected to it for browsing called "LDAPEditor". This LDAP editor along with 3 other LDAP editors I use have the ability to change the "userPassword" of the LDAP entry. I can choose between 4 or 5 different types of encryption.

I have chosen MD5. I know this isn't strong encryption but I want to use this as an example.

Anyway, when I create a new password in LDAPEditor using MD5 the password is stored.

But when I go to PHP and use the function MD5("password"), the two encrypted passwords look nothing alike.

What am I doing wrong? The same happens for SHA and Crypt.

Also, can someone please explain what the difference is between using hash("md5", "password") and md5("password")?

thanks
Paul Arnold
Forum Contributor
Posts: 141
Joined: Fri Jun 13, 2008 10:09 am
Location: Newcastle Upon Tyne

Re: Basic questions about Encryption.

Post by Paul Arnold »

Is LDAPEditor using some kind of automatic salt or something?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Basic questions about Encryption.

Post by kaisellgren »

karozans wrote:I know this isn't strong encryption
It is not an encryption algorithm, it is a hash algorithm.
karozans wrote:But when I go to PHP and use the function MD5("password"), the two encrypted passwords look nothing alike.
Also can someone please explain what the difference is in using hash("md5", "password") and md5("password") is?
There is no difference between hash('md5','password') and md5('password'). The reason why you are getting a different hash value is probably a salt that was added into the preimage. If not, then the algorithm itself would have been changed, which would be quite scary.
karozans
Forum Newbie
Posts: 8
Joined: Mon Sep 15, 2008 5:14 pm

Re: Basic questions about Encryption.

Post by karozans »

Paul Arnold wrote:Is LDAPEditor using some kind of automatic salt or something?
I am not sure. I don't see any indications that it uses salt but it must. Every time I generate an MD5 password using the same password string I get a different hashed value back. It must use a randomized salt. But if that is the case, how is one able to validate a password? Don't you need to know what the salt value is in order to validate?

Maybe I don't understand how md5 works exactly.

thanks for the reply.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Basic questions about Encryption.

Post by kaisellgren »

karozans wrote:
Paul Arnold wrote:Every time I generate an MD5 password using the same password string I get a different hashed value back. Don't you need to know what the salt value is in order to validate?
Yes you need to know the salt. Maybe you should ask the creators of LDAP Editor about this.
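
The salt question above, as an added example that is not part of any post in this thread: in OpenLDAP's standard salted scheme {SMD5}, the stored value is base64 of the 16-byte digest followed by the salt, while plain {MD5} is base64 of the raw digest rather than the hex string PHP's md5() prints. The helper names are hypothetical, and it is an assumption that LDAPEditor writes these standard schemes.

```php
<?php
// Verify a password against an LDAP userPassword value in the {MD5} or {SMD5}
// scheme. {MD5} is base64(raw 16-byte digest); {SMD5} is
// base64(md5(password . salt) . salt), so the salt travels with the hash.

// Hypothetical helper: build a salted value the way the {SMD5} scheme defines it.
function ldap_make_smd5(string $password): string
{
    $salt = random_bytes(8);                       // fresh salt on every call
    return '{SMD5}' . base64_encode(md5($password . $salt, true) . $salt);
}

// Hypothetical helper: check a candidate password against a stored value.
function ldap_verify_md5(string $password, string $stored): bool
{
    if (!preg_match('/^\{(S?MD5)\}(.+)$/i', $stored, $m)) {
        return false;                              // unknown or missing scheme tag
    }
    $raw = base64_decode($m[2], true);
    if ($raw === false || strlen($raw) < 16) {
        return false;                              // malformed value
    }
    $digest = substr($raw, 0, 16);                 // MD5 output is always 16 bytes
    $salt   = (string) substr($raw, 16);           // whatever follows is the salt
    if (strtoupper($m[1]) === 'MD5' && $salt !== '') {
        return false;                              // {MD5} must carry no salt
    }
    // Recompute with the recovered salt and compare in constant time.
    return hash_equals($digest, md5($password . $salt, true));
}

// Constructed sample values, not taken from the thread.
$plain  = 'password';
$hex    = md5($plain);                                // what PHP's md5() prints (hex)
$ldap   = '{MD5}' . base64_encode(md5($plain, true)); // same digest, LDAP encoding
$first  = ldap_make_smd5($plain);
$second = ldap_make_smd5($plain);

echo "hex md5():  $hex\n";
echo "LDAP {MD5}: $ldap\n";
echo "SMD5 #1:    $first\n";
echo "SMD5 #2:    $second\n";
var_dump(bin2hex(base64_decode(substr($ldap, 5))) === $hex); // same digest underneath
var_dump($first !== $second);                                // salts differ per call
var_dump(ldap_verify_md5($plain, $first), ldap_verify_md5($plain, $second));
var_dump(ldap_verify_md5('wrong', $first));
```

Comparing a value copied from the directory against PHP's md5() output only works after base64-decoding it and, for {SMD5}, re-hashing with the trailing salt bytes.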
karozans
Forum Newbie
Posts: 8
Joined: Mon Sep 15, 2008 5:14 pm

Re: Basic questions about Encryption.

Post by karozans »

Okay thanks for the help.