ENCRYPTION
- tecktalkcm0391
- DevNet Resident
- Posts: 1030
- Joined: Fri May 26, 2006 9:25 am
- Location: Florida
ENCRYPTION
What 'encryption' methods have been cracked?
Re: ENCRYPTION
tecktalkcm0391 wrote: What 'encryption' methods have been cracked?
Cracked is imperfect language for cryptology. The terms generally preferred are broken, weakened, or compromised.
Each has its own meaning. First you find flaws in the algorithm - it is weakened below the (expected, published) brute force strength it once had.
Then you find structural problems in the algorithms - allowing you to compromise them, reducing the brute force strength substantially, and in a clear fashion that doesn't rely on hardware choices.
Finally, you break the algorithm. You find a way to (near) instantly decode the encryption. You reduce its strength to a trivial level.
Few algorithms have been truly broken. Plenty have been compromised, or weakened.
However, your poll is also flawed in selections. MD5 isn't encryption. It's a cryptographic hash. You can't decode an md5sum. You can only predict the correct hash (collision), in a short period of time.
Well... Currently md5, but not for long. I'll keep using md5, but not as "pure md5". At the beginning I used to use md5 with some kind of salt, but then I got the impression that "pure md5" is secure enough and would do the job - which is obviously wrong. So the next time I code anything that needs to keep some data secured, passwords for a login system for example, I'm going to do a little research and dedicate more thought before I do anything.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
It does the same thing (well, not exactly - it's far more secure) as MD5 - creates a hash of any value you pass it.
It's not available as a native PHP function like md5() or sha1() - you need to use the mcrypt library (which must be available on your host) or else a PHP implementation such as feyd's. The mcrypt lib is documented in the PHP Manual - feyd has a write-up of his class's use in the source code header. In both cases it's almost as simple as a straight md5() call... Not much to it - you may just need to make your password database field longer (SHA256 creates a 64 character hash instead of MD5's 32).
See here for feyd's PHP class - viewtopic.php?t=32334
You use it simply by including the class file and calling
Code:
$hash = SHA256::hash('somestring');
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
- daedalus__
- DevNet Resident
- Posts: 1925
- Joined: Thu Feb 09, 2006 4:52 pm
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
- daedalus__
- DevNet Resident
- Posts: 1925
- Joined: Thu Feb 09, 2006 4:52 pm
Maugrim_The_Reaper wrote: on a number of levels SHA256+salt is far more secure than MD5+salt.
Oren wrote: Kinda obvious, but why "on a number of levels"? Is there a case where md5 + salt is better? It doesn't make sense to me.
Yes there is. If the security is not so important but the performance is. md5 is way faster than sha256
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Quote: Is there a case where md5 + salt is better?
None. There are arguments to the contrary but every one of them argues that using a salt makes an MD5 hash impervious - that is simply not true. The salt itself may be compromised in the event a server is hacked, which will compromise the salted MD5 hashes, which will lead to rainbow table lookups which are SIMPLE for MD5. This is the part people fail to see - you don't need a supercomputer to create MD5 collisions!
In all cases SHA256 is significantly more secure. On the other hand MD5 is still "good enough" for some uses, maybe file hash comparison and similar where performance is worth considering, and the risk minute. But for sensitive data hashing it's just not "good enough". If I have your MD5 hash (and optionally a salt if used) I can run all your stored password hashes across a rainbow table and search for collisions. It's as simple as that.
It is highly recommended by myself that you switch to SHA256 if possible. I've recommended the same to dozens of clients over the last two years. Why settle for lower security? It's a no brainer.
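Salted SHA-256 password storage as discussed in this thread, shown as an added example (not code from any poster and not feyd's class). It assumes PHP 7.1 or later with the built-in hash functions, goes one step beyond the thread by iterating the salted hash with PBKDF2, and the function names, iteration count and record layout are illustrative assumptions.

```php
<?php
// Added example: salted, iterated SHA-256 password records.
// Function names, work factor and record layout are illustrative assumptions.

const PW_ITERATIONS = 100000; // assumed work factor; tune for your hardware

// Build a storable record: iterations$salt_hex$hash_hex
function make_password_record(string $password): string
{
    $salt = random_bytes(16); // unique per user, taken from the CSPRNG
    // Length 64 with hex output means a 32-byte (SHA-256 sized) derived key.
    $hash = hash_pbkdf2('sha256', $password, $salt, PW_ITERATIONS, 64);
    return PW_ITERATIONS . '$' . bin2hex($salt) . '$' . $hash;
}

// Recompute with the stored salt and compare in constant time.
function verify_password_record(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 3
        || !ctype_digit($parts[0]) || (int)$parts[0] < 1
        || !ctype_xdigit($parts[1]) || strlen($parts[1]) % 2 !== 0) {
        return false; // malformed record: reject rather than guess
    }
    [$iterations, $saltHex, $expected] = $parts;
    $actual = hash_pbkdf2('sha256', $password, hex2bin($saltHex), (int)$iterations, 64);
    return hash_equals($expected, $actual); // avoids timing differences
}

// Constructed sample input, not taken from the thread.
$a = make_password_record('correct horse');
$b = make_password_record('correct horse');

// Hex digest lengths of MD5 and SHA-256, relevant to the database field size.
var_dump(strlen(md5('x')), strlen(hash('sha256', 'x')));
// Same password, two records: compare to see the effect of per-user salts.
var_dump($a === $b);
var_dump(verify_password_record('correct horse', $a));
var_dump(verify_password_record('wrong guess', $a));
var_dump(verify_password_record('correct horse', 'not-a-record'));
```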