I am working on a site where I'm implemented a SSO from another site. The other site is sending the userID encrypted by an MD5 algorithm, MD5 Key, and a time stamp. I'm a bit new to the PHP encryption. I've read that MD5 is not really irreversible, and I haven't been able to find any where how to use the key. I figured I would have to take my information, that is not encrypted, and encrypt it and then compare it to the information being sent. I know PHP has a MD5 built in function, but it does not have a Key parameter. So how do I use this Key to regenerate the information?
Thanks in advance!
PHP MD5 Question...
Moderator: General Moderators
Re: PHP MD5 Question...
Hi,
no MD5 implementation has a key paramater, because, md5 just caculates the hash value from a message (from one input).
The secret is, that you concatenate a key and a message in any way and then caculate the md5 value from this concatenation.
A simple example:
md5($key.$message);
But there are many ways to concatenate a key and a message, it is also possible to do this in this way:
md5( ($key ^ $opad).md5( ($key ^ $ipad).$message));
(HMAC use this concatenation)
So you need to know how the other site caculates the md5 value from the key, the userId and the timestamp. There is no standardized way.
no MD5 implementation has a key paramater, because, md5 just caculates the hash value from a message (from one input).
The secret is, that you concatenate a key and a message in any way and then caculate the md5 value from this concatenation.
A simple example:
md5($key.$message);
But there are many ways to concatenate a key and a message, it is also possible to do this in this way:
md5( ($key ^ $opad).md5( ($key ^ $ipad).$message));
(HMAC use this concatenation)
So you need to know how the other site caculates the md5 value from the key, the userId and the timestamp. There is no standardized way.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP MD5 Question...
MD5 is not an encryption algorithm.GT500_Grad wrote:userID encrypted by an MD5 algorithm
Because it is not an encryption algorithm.GT500_Grad wrote:I know PHP has a MD5 built in function, but it does not have a Key parameter.
The other site probably concatenates the key and the timestamp into the preimage just like Hannes2k showed above.
Also, you may want to use SSL/TLS for encrypting the connection, which sends the hash over the Internet. However, this would mean that the other site needs to use SSL/TLS since the other site is the one who sends the data.
-
sujithtomy
- Forum Commoner
- Posts: 46
- Joined: Tue Mar 24, 2009 4:43 am
Re: PHP MD5 Question...
Hello,
if you could use mysql with php, there is AES_DECRYPT(crypt_str,key_str) which uses a key to encrypt. using the same key decrypt will work.
---------
Regards,
Sujith
if you could use mysql with php, there is AES_DECRYPT(crypt_str,key_str) which uses a key to encrypt. using the same key decrypt will work.
---------
Regards,
Sujith
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP MD5 Question...
Are you suggesting that both sites share same MySQL server?sujithtomy wrote:if you could use mysql with php, there is AES_DECRYPT(crypt_str,key_str) which uses a key to encrypt. using the same key decrypt will work.
-
sujithtomy
- Forum Commoner
- Posts: 46
- Joined: Tue Mar 24, 2009 4:43 am
Re: PHP MD5 Question...
Hello,
No need to be shared MySql, but both should have MySql... thats enough.
No need to be shared MySql, but both should have MySql... thats enough.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: PHP MD5 Question...
If the MySQL server is not shared, then the whole idea behind (en/de)crypting on MySQL makes no sense to me.sujithtomy wrote:No need to be shared MySql