PHP MD5 Question...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

GT500_Grad
Forum Newbie
Posts: 3
Joined: Sat Mar 21, 2009 12:05 am

PHP MD5 Question...

Post by GT500_Grad »

I am working on a site where I'm implementing an SSO from another site. The other site is sending the userID encrypted by an MD5 algorithm, MD5 Key, and a time stamp. I'm a bit new to PHP encryption. I've read that MD5 is not really irreversible, and I haven't been able to find anywhere how to use the key. I figured I would have to take my information, that is not encrypted, and encrypt it and then compare it to the information being sent. I know PHP has an MD5 built-in function, but it does not have a Key parameter. So how do I use this Key to regenerate the information?

Thanks in advance!
Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: PHP MD5 Question...

Post by Hannes2k »

Hi,
no MD5 implementation has a key parameter, because MD5 just calculates the hash value from a message (from one input).

The secret is that you concatenate a key and a message in any way and then calculate the MD5 value from this concatenation.

A simple example:
md5($key.$message);


But there are many ways to concatenate a key and a message, it is also possible to do this in this way:
md5( ($key ^ $opad).md5( ($key ^ $ipad).$message));

(HMAC uses this concatenation)


So you need to know how the other site calculates the MD5 value from the key, the userId and the timestamp. There is no standardized way.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP MD5 Question...

Post by kaisellgren »

GT500_Grad wrote:userID encrypted by an MD5 algorithm
MD5 is not an encryption algorithm.
GT500_Grad wrote:I know PHP has a MD5 built in function, but it does not have a Key parameter.
Because it is not an encryption algorithm.

The other site probably concatenates the key and the timestamp into the preimage just like Hannes2k showed above.

Also, you may want to use SSL/TLS for encrypting the connection, which sends the hash over the Internet. However, this would mean that the other site needs to use SSL/TLS since the other site is the one who sends the data.
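
The keyed-hash check discussed in the posts above (Hannes2k's HMAC formula and the key-plus-timestamp preimage), as an added example that is not part of the original thread or either site's code. The field order, the "|" separator, the 300-second freshness window and the key are assumptions; the sending site defines the real scheme.

```php
<?php
// Constructed example: field order, "|" separator, 300-second window and
// key are assumptions, not the real scheme of either site in the thread.

// HMAC-MD5 written out as in the thread's formula (RFC 2104). The inner md5()
// must return raw bytes (second argument true), not the default hex string.
function hmac_md5_manual(string $key, string $message): string
{
    $block = 64;                               // MD5 block size in bytes
    if (strlen($key) > $block) {
        $key = md5($key, true);                // long keys are hashed first
    }
    $key  = str_pad($key, $block, "\0");       // then zero-padded to one block
    $ipad = str_repeat("\x36", $block);
    $opad = str_repeat("\x5c", $block);
    return md5(($key ^ $opad) . md5(($key ^ $ipad) . $message, true));
}

// Receiver side: recompute the MAC from the plaintext fields and compare.
function verify_sso(string $key, string $userId, string $timestamp,
                    string $mac, int $now, int $maxAge = 300): bool
{
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > $maxAge) {
        return false;                          // malformed or stale timestamp
    }
    $expected = hash_hmac('md5', $userId . '|' . $timestamp, $key);
    return hash_equals($expected, strtolower($mac)); // constant-time compare
}

$key = 'constructed-shared-secret';            // constructed sample key
$now = 1237600000;                             // fixed clock for the demo
$old = $now - 900;                             // 15 minutes earlier
$mac    = hash_hmac('md5', 'user42|' . $now, $key);
$oldMac = hash_hmac('md5', 'user42|' . $old, $key);

// Manual construction compared with PHP's built-in hash_hmac()
var_dump(hmac_md5_manual($key, 'user42|' . $now) === $mac);
// Untampered token inside the freshness window
var_dump(verify_sso($key, 'user42', (string) $now, $mac, $now));
// userId changed after the MAC was computed
var_dump(verify_sso($key, 'user43', (string) $now, $mac, $now));
// Correct MAC, but the timestamp is older than the window
var_dump(verify_sso($key, 'user42', (string) $old, $oldMac, $now));
```

The plain `md5($key.$message)` form is open to length-extension forgery, which the nested HMAC form avoids.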
sujithtomy
Forum Commoner
Posts: 46
Joined: Tue Mar 24, 2009 4:43 am

Re: PHP MD5 Question...

Post by sujithtomy »

Hello,

If you could use MySQL with PHP, there is AES_DECRYPT(crypt_str,key_str), which uses a key to encrypt. Using the same key, decrypt will work.

---------
Regards,
Sujith
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP MD5 Question...

Post by kaisellgren »

sujithtomy wrote:if you could use mysql with php, there is AES_DECRYPT(crypt_str,key_str) which uses a key to encrypt. using the same key decrypt will work.
Are you suggesting that both sites share same MySQL server?
sujithtomy
Forum Commoner
Posts: 46
Joined: Tue Mar 24, 2009 4:43 am

Re: PHP MD5 Question...

Post by sujithtomy »

Hello,

No need to be shared MySQL, but both should have MySQL... that's enough. :)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP MD5 Question...

Post by kaisellgren »

sujithtomy wrote:No need to be shared MySql
If the MySQL server is not shared, then the whole idea behind (en/de)crypting on MySQL makes no sense to me.