Page 3 of 3

Posted: Mon Jun 12, 2006 1:22 pm
by RobertGonzalez
It would weaken it. Search google or these forums for the term 'entropy'.

Posted: Mon Jun 12, 2006 2:09 pm
by Roja
Razor wrote:the way i encrypt data like passwords is like this... md5(sha1(stripslashes(strip_tags(htmlspecialchars($data)))));
Just to clarify, running md5 and sha1 together like this actually reduces the net entropy, making it *less* secure than one or the other. On the flip side, it makes it less likely that there will be a rainbow table containing any given result, but for brute force and cryptanalysis, it reduces its strength.

Just wanted to make sure people had that caveat before copy/pasting it. :)

Posted: Mon Jun 12, 2006 4:10 pm
by Maugrim_The_Reaper
When it comes to hashing strings, even if you throw a salt into the mix, the chance at a collision using md5, sha1 or any other 'built-in' hashing mechanism will be much greater than if you were using a custom function like Feyd's.
Summarises what, like 3 pages of posts? :)

Posted: Mon Jun 12, 2006 4:28 pm
by RobertGonzalez
/ Blushes with thanks :oops:

Posted: Mon Jun 12, 2006 6:37 pm
by tecktalkcm0391
Everah wrote:It would weaken it. Search google or these forums for the term 'entropy'.
So using mcrypt_encrypt once is harder to weaken then using mcrypt_encrypt 10 times.

Two questions:

1.) Are we going to make an agreement on which is the top 2 encryption ways?

2.) Is there anyway to make your own secure encyrption ?

Posted: Mon Jun 12, 2006 9:15 pm
by feyd
tecktalkcm0391 wrote:1.) Are we going to make an agreement on which is the top 2 encryption ways?
There's no magic pill. Each has their pluses and minuses. crypt and mcrypt are far more likely to be found on a host than gnupg (available to PHP anyways.) That's the only weight I can throw in unless you want to get into a specific about the actual algorithm in question.
tecktalkcm0391 wrote:2.) Is there anyway to make your own secure encyrption?
Sure, with a lot of math and knowledge in cryptography. "Just happening" upon creating an encryption is relatively low for us mere mortals, when it's put up to the crypto-tests. I'd suggest leaving that stuff to the experts unless you want to toy with it (in a nonproduction environment.)

Posted: Tue Jun 13, 2006 7:43 am
by Roja
tecktalkcm0391 wrote:1.) Are we going to make an agreement on which is the top 2 encryption ways?
You aren't comparing things that are the same at all, so we can't. You need to research encryption to understand what you are asking (before asking).

mcrypt can use over a dozen different algorithms for encryption - some trivial to guess (in comparison), some very challenging. Its a traditional encryption method - using no shared keys.

gnupg is totally different. Its a specifc algorithm (pgp) implemented via an extension (which may not be installed on some servers). It uses shared keys, so if the user hasn't exchanged keys with you, you can't encrypt. It requires building a secure method for key exchange.

MD5 isn't an encryption method at all - its a hash function.

crypt, like mcrypt, can vary depending on the platform you are on, so we can't give a specific statement about its "strength" in relative terms.

You are comparing apples, oranges, horses, airplanes, and supermodels. There is no objective comparison possible between them.
tecktalkcm0391 wrote:2.) Is there anyway to make your own secure encyrption ?
That totally depends on how you define "secure". If you mean comparably secure to the existing algorithms, yes, its possible, but its incredibly unlikely.

You have to understand that the algorithms we have were attacked by thousands of cryptologists with decades of experience - and they've done so for decades. Thats what makes them secure - trial by fire.

New algorithms are at best considered "untrustworthy" for several years. SHA-1 only came about because the NSA found a flaw in SHA-0, years after it was released. To think you can come up with something that will be as strong as the communities best efforts, AND have no flaws, AND be implemented securely is incredibly foolish.

Stick with the tried and true algorithms.

Posted: Fri Jun 16, 2006 11:41 am
by tecktalkcm0391
Just for fun, can anybody tell me what I used to make this (which "encryption" method (its one on the poll)) and/or the keys if there are any, and/or how many times I did it, and/or what the string really is....

Code: Select all

13ca755cd8b9de8589bfd99526d63d457c19
d0f95b3885b3d7a0d78c1fc98736af9997e85e7104de
20ba890876ab8cc6228dc6bddd57e01aa8a9d3196078a6b
1b24bff98d2c74d07bcb17ddfab4ea1699404ef30218cc279f6ba459f37
9c045f0304e34d48b38a026b391a7f3c9ccc3c593f7a6d2ade42f1d62e939
5d309ed22a80bc990447216688e843fee5d2434833f4090f85fabf009d96f
1c5122c10ac223d96d6c592685d699d3591d3519a5ad63
77553c19141bb9b62b39b2d443e1d70bdb9ae659db57f9ac54
2108264db783a674dde60d0013f4bdc9ad7071ed87f0fdf39907db
e0a89d4841d7fdb7316ff843fbcd272563ce91958228ce9859dd484d6dcc
5d28329c4f41bdefdfefcdc54f60e7882ea1d2da5eb120bb1504277e836ea
59021f4e9be941ba874acd40b0b95d0256d83c6fa453ac720b70537bb9fe63997b
9d43c2264633f947538f4cf1976236eb32739ec631de0a17fa926b7b280d520ad080
d0f6e07a0537b0a69d815adf77f46edfc93ad4518ff64b1c466d295bfd56c3aa
7fcd5bc65f099a3be7a59d2272f9c32532d5b643a16d05d21e37f7ad00e31e1a9
fed500d613ba43515a939fcd9b892e4300f6e415ac8f70b4a93
bcb31296286d6ec79a8d762d99b6146b08e73c4e916ae13dc64ada
5083df0c93cf6135b87a77502dca49824112296ab6917fca6ad54416f64
775e811cdd7a88c3ff2c6cccefe29401d28a737dad75e3de9bbc93b9ba36a8
9c3eb325a30a0df8dbd68919b8b0526ee5f068f016c15fe316b1d68522c23d7339c278a817aa83a245be
NOTE: I spaced it down so you won't have to scroll

Posted: Fri Jun 16, 2006 12:22 pm
by Roja
tecktalkcm0391 wrote:can anybody tell me what I used to make this (which "encryption" method (its one on the poll)) and/or the keys if there are any, and/or how many times I did it, and/or what the string really is....
Yes, somebody can. Almost all current crypto algorithms can be attacked in finite time with finite resources. The only question is whether the attacker has enough reward by defeating the algorithm to justify the use of those resources for that time.

Since its "just for fun", I'd only apply a "fun" amount of resources to the problem, which in this case, is simply a smarmy reply saying "Yes, somebody can".