ENCRYPTION

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

What do you use for encryption?

Poll ended at Fri Jun 23, 2006 9:10 pm

Option                      Votes   Share
mcrypt_encrypt              2       17%
gnupg_encrypt               0       No votes
md5                         4       33%
crypt                       0       No votes
Other (Please post below)   6       50%

Total votes: 12

Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Maugrim_The_Reaper wrote: Why settle for lower security?
Answer:
Maugrim_The_Reaper wrote: It's not available as a native PHP function like md5() or sha1()
:D
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

SHA256 doesn't have to be a native function (although it is in later versions of PHP). When you have a pure PHP solution, it's just as simple to use.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

In my opinion, it's a big difference. For sha256, you have to include the class each time you want to use it and to create a new instance. For md5, you simply use it like with any other function.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

No new instance is required. It's a static call.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

What's a static call?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Oren wrote: What's a static call?

$hash = SHA256::hash('abc'); // static call: the method is invoked on the class itself, no object is constructed

No new instance of SHA256 has to be created.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Oh yeah... I know about this, but couldn't remember it was called 'a static call' - I realized it was called 'a static call' only 1-2 days ago (don't forget I'm new to OOP).

Thanks for reminding me :wink:
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

Err, just so we're all clear, MD5 is a one-way HASH, not encryption (SHA1, SHA256 included), and it's interesting to me that a lot of coders don't realize this. Just note that the thread is entitled 'encryption' and that not a single post mentions any actual encryption method. Encryption assumes decryption.

Obviously all the experienced PHP coders on this thread know this, I just want to make sure everybody (including the thread starter) does.

Great discussion of HASH implementation and collisions, however. :)
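The distinction bdlang draws, shown in PHP as an added example (not code from the thread): a hash takes no key and cannot be reversed, while encryption takes a key and a nonce and round-trips through decryption. It assumes PHP 7.1 or later with the openssl extension; the key, nonce and message are made up for the demo.

```php
<?php
// Added example, not from the thread: a hash is one-way, encryption round-trips.
// Assumes PHP >= 7.1 with the openssl extension; key, nonce and message are made up.

// Hashing: no key goes in, a fixed-size digest comes out, and nothing brings the input back.
// A 4-byte and a 4000-byte input give digests of the same length; recovering an input means
// guessing candidates and comparing digests (which is exactly what a rainbow table precomputes).
$short = hash('sha256', 'abcd');
$long  = hash('sha256', str_repeat('x', 4000));
echo "digest lengths equal: ", var_export(strlen($short) === strlen($long), true), "\n";

// Encryption: a secret key and a per-message nonce go in, and the same key turns the
// ciphertext back into the plaintext. That is what "encryption assumes decryption" means.
$key   = random_bytes(32);   // 256-bit key; in a real system it lives in a key store, not beside the data
$nonce = random_bytes(12);   // 96-bit GCM nonce, must never repeat under one key; stored with the ciphertext
$tag   = '';
$message = 'order 42: ship to locker 7';
$ciphertext = openssl_encrypt($message, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
$plain = openssl_decrypt($ciphertext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
echo "round trip restores plaintext: ", var_export($plain === $message, true), "\n";

// GCM also authenticates: flip one ciphertext bit and openssl_decrypt() returns false
// instead of corrupted plaintext, so tampering is detected rather than silently accepted.
$tampered = $ciphertext;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
$result = openssl_decrypt($tampered, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
echo "tampered ciphertext rejected: ", var_export($result === false, true), "\n";
```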
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

bdlang wrote: Err, just so we're all clear, MD5 is a one-way HASH, not encryption (SHA1, SHA256 included), and it's interesting to me that a lot of coders don't realize this. Just note that the thread is entitled 'encryption' and that not a single post mentions any actual encryption method. Encryption assumes decryption.
Roja wrote: However, your poll is also flawed in selections. MD5 isn't encryption. It's a cryptographic hash. You can't decode an md5sum. You can only predict the correct hash (collision), in a short period of time.
I did mention it. :)
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

Roja wrote:
However, your poll is also flawed in selections. MD5 isn't encryption. It's a cryptographic hash. You can't decode an md5sum. You can only predict the correct hash (collision), in a short period of time.
I did mention it. :)
Yes, I saw that, thanks.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Oren wrote: In my opinion, it's a big difference. For sha256, you have to include the class each time you want to use it and to create a new instance. For md5, you simply use it like with any other function.
It's a tiny difference - one file include and a static call. The main difference in using a PHP implementation is performance. But such a hit is fairly low frequency (in the scheme of an overall app). Arguing for less security to pump up performance is a dangerous path to take.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Maugrim_The_Reaper wrote: Arguing for less security to pump up performance is a dangerous path to take.
I agree, that's so right! I've always said that.
Security is first priority, then in the second place it is performance.
Razor
Forum Newbie
Posts: 4
Joined: Mon Jun 12, 2006 6:33 am

Post by Razor »

The way I encrypt data like passwords is like this:

<?php

// Filters the input, then hashes it twice: sha1() first, then md5() of the sha1 hex digest.
// The filters run on the password itself: stripslashes() drops backslashes and
// htmlspecialchars() rewrites &, <, > and " before anything is hashed.
function encrypt($data)
{
    return md5(sha1(stripslashes(strip_tags(htmlspecialchars($data)))));
}

$secure = encrypt($_POST['password']);

?>

It works well for me.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Oren wrote:
Maugrim_The_Reaper wrote: Why settle for lower security?
Answer:
Maugrim_The_Reaper wrote: It's not available as a native PHP function like md5() or sha1()
:D
When it is a PHP native function more people have access to the core algorithm that creates the hash. There is also a wider use of the hashing algorithm, hence the desire of some to develop rainbow tables attempting to 'crack' the hash. I would say that so far, almost all levels of 'built-in' hashing have had some degree of compromise simply because they are available and widely used.

Although Feyd's sha256 code is publicly available via these forums, few people are actually using it (in relation to say an md5 or other combination of encryption mechanisms/salts), so the widespread attempt at 'cracking' a sha256-hashed string is still relatively minor.

When it comes to hashing strings, even if you throw a salt into the mix, the chance at a collision using md5, sha1 or any other 'built-in' hashing mechanism will be much greater than if you were using a custom function like Feyd's.

This opinion is of course speculative and written entirely out of my views on 'encryption'. And I agree with the previous posters that brought it up, encryption is so the wrong term to use when discussing a string hashing mechanism.
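Razor's posted function and the rainbow-table and salt points raised in the post above, put side by side as an added PHP example (not code from the thread or from either poster). It reproduces the posted scheme under the made-up name legacy_encrypt and contrasts it with PHP's built-in salted password hashing; it assumes PHP 7.0 or later, and the sample passwords are constructed.

```php
<?php
// Added example, not code from the thread: the posted md5(sha1(filtered)) scheme beside
// a salted, slow password hash. Assumes PHP >= 7.0; helper name and passwords are made up.

// The posted scheme, reproduced under a hypothetical name so the two can be compared.
function legacy_encrypt(string $data): string
{
    return md5(sha1(stripslashes(strip_tags(htmlspecialchars($data)))));
}

// 1. No salt: every user with the same password gets the same hash, so one precomputed
//    (rainbow) table entry, or one cracked hash, unlocks all of those accounts at once.
$alice = legacy_encrypt('Summer2006');
$bob   = legacy_encrypt('Summer2006');
echo "unsalted: same password, same hash: ", var_export($alice === $bob, true), "\n";

// 2. Filtering the password before hashing merges distinct passwords: stripslashes()
//    drops the backslash, so 'pa\ss' and 'pass' hash identically and either one logs in.
//    Escaping belongs on output (HTML), not on a secret that is never rendered.
echo "filtered: 'pa\\ss' and 'pass' collide: ",
     var_export(legacy_encrypt('pa\ss') === legacy_encrypt('pass'), true), "\n";

// 3. password_hash() generates a random per-user salt and uses a deliberately slow
//    algorithm (bcrypt): the same password yields different stored strings, a table built
//    for one salt is useless for another, and each guess costs the attacker real time.
$aliceStored = password_hash('Summer2006', PASSWORD_BCRYPT);
$bobStored   = password_hash('Summer2006', PASSWORD_BCRYPT);
echo "salted: same password, different hashes: ", var_export($aliceStored !== $bobStored, true), "\n";

// password_verify() reads the salt and cost back out of the stored string and compares
// in constant time, so the application never handles the salt itself.
echo "verify correct password: ", var_export(password_verify('Summer2006', $aliceStored), true), "\n";
echo "verify wrong password:   ", var_export(password_verify('summer2006', $aliceStored), true), "\n";
```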
tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

Would using mcrypt_encrypt many times again and again over itself make it way harder to break, or weaken it?