
Basic questions about Encryption.

Posted: Wed May 13, 2009 4:28 am
by karozans
Hi everyone. I am new to encryption.

I am developing a web client that communicates with LDAP using PHP. Right now I have an OpenLDAP server running and a client program that is connected to it for browsing called "LDAPEditor". This LDAP editor, along with 3 other LDAP editors I use, has the ability to change the "userPassword" of the LDAP entry. I can choose between 4 or 5 different types of encryption.

I have chosen MD5. I know this isn't strong encryption but I want to use this as an example.

Anyway, when I create a new password in LDAPEditor using MD5 the password is stored.

But when I go to PHP and use the function MD5("password"), the two encrypted passwords look nothing alike.

What am I doing wrong? The same happens for SHA and Crypt.

Also, can someone please explain what the difference is between using hash("md5", "password") and md5("password")?

thanks

Re: Basic questions about Encryption.

Posted: Wed May 13, 2009 7:53 am
by Paul Arnold
Is LDAPEditor using some kind of automatic salt or something?

Re: Basic questions about Encryption.

Posted: Wed May 13, 2009 7:56 am
by kaisellgren
karozans wrote: I know this isn't strong encryption
It is not an encryption algorithm, it is a hash algorithm.
karozans wrote: But when I go to PHP and use the function MD5("password"), the two encrypted passwords look nothing alike.
Also, can someone please explain what the difference is between using hash("md5", "password") and md5("password")?
There is no difference between hash('md5','password') and md5('password'). The reason why you are getting a different hash value is probably a salt that was added into the preimage. If not, then the algorithm itself would have been changed, which would be quite scary.

Re: Basic questions about Encryption.

Posted: Wed May 13, 2009 4:20 pm
by karozans
Paul Arnold wrote: Is LDAPEditor using some kind of automatic salt or something?
I am not sure. I don't see any indications that it uses salt but it must. Every time I generate an md5 password using the same password string I get a different hashed value back. It must use a randomized salt. But if that is the case, how is one able to validate a password? Don't you need to know what the salt value is in order to validate?

Maybe I don't understand how md5 works exactly.

thanks for the reply.

Re: Basic questions about Encryption.

Posted: Wed May 13, 2009 4:22 pm
by kaisellgren
karozans wrote:
Paul Arnold wrote: Every time I generate an md5 password using the same password string I get a different hashed value back. Don't you need to know what the salt value is in order to validate?
Yes you need to know the salt. Maybe you should ask the creators of LDAP Editor about this.
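
The exchange above leaves open how a randomly salted hash can be validated at all. The PHP below is an added example, not part of the original thread and not LDAPEditor's code: it shows the `{MD5}` / `{SMD5}` userPassword layout commonly used with OpenLDAP, where the value is base64 of the raw digest and, for the salted scheme, the salt is appended to the digest so a verifier can recover it. That LDAPEditor uses this layout is an assumption; the function names are hypothetical and PHP 7.1+ is assumed.

```php
<?php
// Added example. Layout assumed: "{SMD5}" . base64( md5(password . salt) . salt )

// Hypothetical helper: produce a salted value with a fresh random salt per call.
function smd5_hash(string $password, ?string $salt = null): string
{
    $salt   = $salt ?? random_bytes(4);        // random salt, stored with the hash
    $digest = md5($password . $salt, true);    // true = raw 16-byte digest, not hex
    return '{SMD5}' . base64_encode($digest . $salt);
}

// Hypothetical helper: recover the salt from the stored value and recompute.
function smd5_verify(string $password, string $stored): bool
{
    if (strncasecmp($stored, '{SMD5}', 6) !== 0) {
        return false;                          // some other scheme
    }
    $raw = base64_decode(substr($stored, 6), true);
    if ($raw === false || strlen($raw) <= 16) {
        return false;                          // malformed, or no salt bytes present
    }
    $digest = substr($raw, 0, 16);             // MD5 digests are always 16 bytes
    $salt   = substr($raw, 16);                // everything after that is the salt
    return hash_equals($digest, md5($password . $salt, true));
}

// Unsalted scheme: the same digest md5() computes, but base64 of the raw bytes
// instead of a hex string, so it never looks like PHP's md5() output.
function md5_ldap(string $password): string
{
    return '{MD5}' . base64_encode(md5($password, true));
}

$first  = smd5_hash('password');
$second = smd5_hash('password');               // same password, different salt

echo "md5() hex : ", md5('password'), "\n";
echo "{MD5}     : ", md5_ldap('password'), "\n";
echo "{SMD5} #1 : ", $first, "\n";
echo "{SMD5} #2 : ", $second, "\n";
var_dump(smd5_verify('password', $first), smd5_verify('password', $second));
var_dump(smd5_verify('wrong-guess', $first));
```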

Re: Basic questions about Encryption.

Posted: Wed May 13, 2009 4:26 pm
by karozans
Okay thanks for the help.